Facebook Omniauth电子邮件地址可以安全地信任吗？ [英] Can Facebook Omniauth email address be securely trusted?

问题描述

我有一个传统的Devise用户认证系统，简单的使用电子邮件和密码进行登录。我想添加与Facebook的登录。我有这个工作，但我很好奇处理边缘案件的安全隐患。

让我们说这个东西在这里发生：

1. 用户目前未经身份验证，但拥有现有帐户，电子邮件为foo@bar.com


2. 用户点击使用Facebook登录，授权从Facebook访问


3. Facebook回叫我的服务器显示电子邮件为foo@bar.com

在这一点上，我们有一个没有附加Facebook凭据的用户帐户，我们拥有没有附加用户的Facebook凭据，但都有相同的电子邮件。

所以现在有两个选择：

1. 向用户投诉该电子邮件地址已被其他用户使用，并且要将Facebook添加到他们的帐户，他们必须首先登录（使用他们的密码）并关联Facebook帐户。


2. 或者只是登录到具有相同电子邮件的帐户， d然后将Facebook凭据附加到他们的帐户。

选项2是首选，因为用户更容易，但它意味着访问一个从未与Facebook挂钩的Facebook帐户。如果服务器从Facebook获取的电子邮件地址可能会被欺骗或以任何方式进行更改，这是一个巨大的安全问题。

但是我的服务器相信用户是安全的一封电子邮件，Facebook也是这样。但我可以相信他们之间的沟通吗？

解决方案

如果电子邮件已经在两个服务上确认，您只能链接帐户。

在您身边，您应该确认用户的电子邮件（使用 Devise的可确认模块）。

在Facebook的身边，他们应该发送一个 verify_email 字段，确认该帐户的电子邮件地址已被确认。不幸的是，Facebook只返回一个 code>字段，不仅受电子邮件影响，还可以通过短信确认和输入有效的信用卡。

然而，似乎电邮只有在确认后才会退回。请参阅此SO问题了解更多信息。问题是我找不到确认这一点的官方文档（这是一样的密切因为我可以得到），所以在此期间，我建议你自己测试这个只是为了绝对肯定。如果您找到正确的文档，不要忘了在这里添加评论。

I have a traditional Devise user authentication system that simple uses email and password to login. I want to add login with Facebook. I have this mostly working, but I am curious about the security implications of handling an edge case.

Let's say this stuff here happens:

1. User is currently unauthenticated, but has an existing account with email "foo@bar.com"
2. User clicks "Login with Facebook", authorizes access from Facebook
3. Facebook calls back to my server showing email as "foo@bar.com"

At this point we have a user account with no attached Facebook credentials, and we have a Facebook credential with no attached user, but they both have the same email.

So at this point there are two options:

1. Complain at the user that that email address is already in use by another user, and that to add Facebook to their account they must first login (with their password) and associate the Facebook account.
2. Or simply sign them in to the account that had the same email, and then attach the facebook credential to their account.

Option 2 is preferred as it's easier for the user, but it means giving access to an account via Facebook that has never before been linked Facebook. If the email address the server gets from Facebook can be spoofed or altered in any way, this is a huge security issue.

But my server trusts that a user is secure for an email, and so does Facebook. But can I trust the communication between them?

解决方案

You can only link the accounts if the email has been confirmed on both services.

On your side, you should be confirming the user's email (using Devise's Confirmable module).

On Facebook's side, they should send a verified_email field that confirms that that account's email address has been confirmed. Unfortunately, Facebook only returns a verified field which is affected not only by email but also by SMS confirmation and by entering a valid credit card.

However, it seems that the email will only be returned if it has been confirmed. See this SO question for more information. The problem is I can't find the official documentation that confirms this (this is as close as I could get), so in the meantime I recommend testing this on your own just to be absolutely sure. If you do find the right documentation, don't forget to add a comment here.

这篇关于Facebook Omniauth电子邮件地址可以安全地信任吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！