Using social authenticaion details to login from built in login system

Question

I have both the laravel built in and social authentication. Suppose if a user logs in using facebook, i store the user details such as fb_id , username , email etc. to the users table which is authenticable from built in login system.This way i can use laravel Auth .

$fb_user = Socialite::driver('facebook')->user(); 
$user = User::firstOrCreate(['fb_id'=>$fb_user->id,'name' => $fb_user->name, 'email' => $fb_user->email]);
Auth::login($user, true);
return redirect('/');

Now, the users table have a user with username and password NULL. Couldn't anybody login with just username from built in login if no password validations are required? OR what is wrong with my concept here?

Answer 1

Couldn't anybody login with just username from built in login if no password validations are required?

Yes Anybody can login.

From the comments:

Solution 1:

Password should be hashed.Assuming empty passwords are allowed, they will hash to something that is not empty (for example, password_hash('',PASSWORD_DEFAULT); returns something like $2y$10$MD7HZwh9oki9U74Ta1/7OuDpYK8UXAFEufgMIeNazKSyv1xRabwqu‌​ ) Therefore there should be no real issue with this method.

Solution 2:

We should have a field to flag the user as being from a separate authentication source. That way if anyone tries to login directly using those details you can ignore rows with that flag when checking credentials

Answer 2

Recently I got this same issue. I recommend this:

When user choose social media to login into your website, create their account in your website using the information you got from the social media site after authentication, logged them into your website. Now as soon as they login, show them a popup to set a password for their account .

Now on, then can use both Laravel built in and social authentication for login.