Log in to Rails app using Facebook SDK

I have built a Rails app where users can login using Facebook. They have an account on the Rails app but do any authentication in it other than creating a session if they have logged into Facebook successfully.

The first part is using the SDK to get the access_token if they have logged in:

FB.getLoginStatus(function (response) {
 if(response.authResponse) {
 $.post('/auth', {access_token: response.authResponse.access_token}, function(response) {
 window.location.href = '/';
 });
 }
});

And then I pass this to my create method in my controller:

def create
 user = User.from_facebook(params[:access_token])
 session[:user_id] = user.id
end

And the model has the following methods:

def self.from_facebook(access_token)
 # get the user from the FB API
 fb_user = get_user(access_token)
 # either return or create a user from the ID
 where(id: fb_user.id).first_or_create do |user|
 user.id = fb_user.id
 user.name = fb_user.name
 end
end
private
def get_user(access_token)
 response = RestClient get "https://graph.facebook.com/me?access_token=#{access_token}"
end

So I basically either return an existing user or create a new user with the user id that comes from using the access token. This should prevent any unauthorized access and only log in the correct user as it means that the user is logged in using the access token to get the user from Facebook.

Are there any flaws in this method? I know I don't handle if the access_token is invalid, etc. I'm more interested in the security aspect of logging the user in by getting there ID from the token, but as this is all done server side, it seems pretty secure. I also don't want to use anything like Omniauth or other gems.

2 Answers 2

Start asking to get answers

Find the answer to your question by asking.

Explore related questions

See similar questions with these tags.