可以安全地信任Facebook Omniauth电子邮件地址吗?
[英]Can Facebook Omniauth email address be securely trusted?
问题描述
I have a traditional Devise user authentication system that simple uses email and password to login. 
我有一个传统的Devise用户身份验证系统,该系统仅使用电子邮件和密码即可登录。 I want to add login with Facebook. 我想添加Facebook登录。 I have this mostly working, but I am curious about the security implications of handling an edge case. 我的工作大部分都在进行,但是我对处理边缘案例的安全性感到好奇。
Let's say this stuff here happens: 假设发生这种情况:
- User is currently unauthenticated, but has an existing account with email "foo@bar.com" 用户当前未经身份验证,但是拥有一个具有电子邮件“ foo@bar.com”的现有帐户
- User clicks "Login with Facebook", authorizes access from Facebook 用户单击“使用Facebook登录”,授权来自Facebook的访问
- Facebook calls back to my server showing email as "foo@bar.com" Facebook回呼我的服务器,显示电子邮件为“ foo@bar.com”
At this point we have a user account with no attached Facebook credentials, and we have a Facebook credential with no attached user, but they both have the same email. 此时,我们有一个用户帐户,没有附加的Facebook凭据,并且我们有一个Facebook凭据,没有附加的用户,但是他们都有相同的电子邮件。
So at this point there are two options: 因此,目前有两种选择:
- Complain at the user that that email address is already in use by another user, and that to add Facebook to their account they must first login (with their password) and associate the Facebook account. 向用户投诉该电子邮件地址已被另一个用户使用,并且要将Facebook添加到他们的帐户,他们必须首先登录(使用密码)并关联Facebook帐户。
- Or simply sign them in to the account that had the same email, and then attach the facebook credential to their account. 或者直接将他们登录到具有相同电子邮件的帐户,然后将facebook凭据附加到他们的帐户。
Option 2 is preferred as it's easier for the user, but it means giving access to an account via Facebook that has never before been linked Facebook. 选项2是首选,因为它对用户来说更容易,但是它意味着通过Facebook授予从未访问过Facebook的帐户的访问权限。 If the email address the server gets from Facebook can be spoofed or altered in any way, this is a huge security issue. 如果可以以任何方式欺骗或更改服务器从Facebook获得的电子邮件地址,这将是一个巨大的安全问题。
But my server trusts that a user is secure for an email, and so does Facebook. 但是我的服务器相信用户可以安全地接收电子邮件,Facebook也是如此。 But can I trust the communication between them? 但是我可以信任他们之间的通信吗?
1 个解决方案
解决方案1
1 已采纳 2013-11-21 02:48:20
You can only link the accounts if the email has been confirmed on both services. 如果两个服务均已确认电子邮件,则只能链接帐户。
On your side, you should be confirming the user's email (using Devise's Confirmable module ). 在您这一边,您应该确认用户的电子邮件(使用Devise的Confirmable模块 )。
On Facebook's side, they should send a verified_email field that confirms that that account's email address has been confirmed. 在Facebook方面,他们应该发送一个verified_email字段,以确认该帐户的电子邮件地址已被确认。 Unfortunately, Facebook only returns a verified field which is affected not only by email but also by SMS confirmation and by entering a valid credit card. 不幸的是,Facebook仅返回一个verified字段 ,该字段不仅受电子邮件影响,而且受SMS确认和输入有效信用卡的影响。
However, it seems that the email will only be returned if it has been confirmed. 但是,似乎只有在确认电子邮件后,才会退回该电子邮件。 See this SO question for more information. 有关更多信息,请参见此SO问题 。 The problem is I can't find the official documentation that confirms this ( this is as close as I could get ), so in the meantime I recommend testing this on your own just to be absolutely sure. 问题是我找不到可以证实这一点的官方文档( 这与我能得到的非常接近 ),因此与此同时,我建议您自己进行测试,以确保绝对正确。 If you do find the right documentation, don't forget to add a comment here. 如果您找到正确的文档,请不要忘记在此处添加评论。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.