OAuth
deOnore, 2018-08-10 00:11:49

Basic authentication and authentication with OAuth: linking profiles, recovery, and why is it done this way on the Toaster?

Please help me complete the puzzle in my head. Thanks in advance for any substantive comments.
Authentication

  1. Registration: email + password.
  2. An email with an activation link.
  3. Account activation: the ability to log in to the site.
  4. Recovery: an email link with a key for changing the password; it also grants access to the site, but is reset once used.
  5. Remember me: save a hash and its lifetime in a cookie and in the database; if the cookie hash equals the database hash and has not yet expired, let the user onto the site.
  6. CSRF protection: for each form we create a unique token and compare the incoming token with the token tied to the current session + form.
  7. reCAPTCHA: against password guessing and bots. Or do you also need to log IPs, count attempts and ban?

--
OAuth
Receive from FB/Google: Name, Email, provider_id, soc_id, access_token.
Save to the database.
Update the data in the profile if it has changed.
We also bind to an existing account if it was created earlier by regular registration or through another OAuth provider.
Questions:
  1. When, where and how to use the access_token for anything other than fetching user data?
  2. Should the data be updated: which fields, or everything except email? Update the email only if there is none in the database?
  3. Why force the user to link social profiles to an account instead of doing it automatically?
    Or does entering a password for linking simply mean that the user "understands" that anyone with access to their FB or Google account can log in without knowing the password?

--
Implementation on the Toaster
When logging in via FB it does not take the email; via Google it fills the email field with it.
When recovering the password, you have to change it first, then use the new one to go to the page and log in.
Questions:
  1. What are the reasons not to give the user immediate access to the site (for the duration of the current session)? Has he not already proven his "rights"?
  2. FB: is there a case where an email received via OAuth will be unconfirmed?
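The activation, recovery and "remember me" items above all come down to the same primitive: a random token sent to the user or stored in a cookie, checked against the database, with an expiry and (for activation and recovery) single use. The block below is an added example written for this page, not code from the poster or from the Toaster; it assumes an in-memory dict standing in for the token table, and it splits each token into a lookup selector and a hashed verifier so that only a hash ever sits in the database and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    user_id: int
    purpose: str          # "activate", "reset" or "remember"
    verifier_hash: bytes  # sha256(verifier); the verifier itself is never stored
    expires_at: float     # unix timestamp
    used: bool = False


class TokenStore:
    """Issue and redeem opaque tokens of the form '<selector>.<verifier>'.

    Assumption: self._rows stands in for a database table keyed by selector.
    """

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRecord] = {}

    def issue(self, user_id: int, purpose: str, ttl_seconds: int,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # public lookup key, may leak via timing
        verifier = secrets.token_urlsafe(32)   # secret part, only its hash is stored
        self._rows[selector] = TokenRecord(
            user_id, purpose,
            hashlib.sha256(verifier.encode()).digest(),
            now + ttl_seconds,
        )
        return f"{selector}.{verifier}"

    def redeem(self, token: str, purpose: str, single_use: bool,
               now: Optional[float] = None) -> Optional[int]:
        """Return the user id if the token is valid for `purpose`, else None."""
        now = time.time() if now is None else now
        try:
            selector, verifier = token.split(".", 1)
        except ValueError:
            return None
        row = self._rows.get(selector)
        if row is None:
            return None
        candidate = hashlib.sha256(verifier.encode()).digest()
        # constant-time compare: a wrong verifier costs the same time as a right one
        if not hmac.compare_digest(row.verifier_hash, candidate):
            return None
        if row.purpose != purpose or row.used or now > row.expires_at:
            return None
        if single_use:
            row.used = True           # activation and reset links work exactly once
        return row.user_id

    def revoke(self, user_id: int, purpose: str) -> int:
        """Invalidate every live token of one kind for a user; returns how many."""
        n = 0
        for row in self._rows.values():
            if row.user_id == user_id and row.purpose == purpose and not row.used:
                row.used = True
                n += 1
        return n


def reset_password(store: TokenStore, token: str, now: Optional[float] = None) -> Optional[int]:
    """Redeem a reset link, then drop all remember-me tokens so old cookies stop working."""
    user_id = store.redeem(token, "reset", single_use=True, now=now)
    if user_id is not None:
        store.revoke(user_id, "remember")
    return user_id


if __name__ == "__main__":
    store = TokenStore()
    cookie = store.issue(7, "remember", 30 * 86400)
    link = store.issue(7, "reset", 3600)
    print("remember-me ok:", store.redeem(cookie, "remember", single_use=False))
    print("reset ok:", reset_password(store, link))
    print("reset reused:", reset_password(store, link))
    print("old cookie after reset:", store.redeem(cookie, "remember", single_use=False))
```

The `purpose` check is what keeps a recovery link from doubling as a session cookie: the same token store backs all three flows, but a reset token only redeems as a reset, and redeeming it also revokes outstanding remember-me tokens, which is one concrete reason a site might not hand out a session straight from the recovery link.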
