down2323 2018-02-02 13:21
浏览 57
已采纳

使用Laravel Socialite进行社交网络身份验证的安全性

I am using the Socialite for a social network authentication in Laravel App. I wanted to add registration using social networks, without possibility to use the classic registration method byentering username and password. Currently, I decided to create a User model which contains name and username, that is used for uathorization and separate tables in db for each social network that contain user_id and id from the social network as PK.

When the system receives the user's id in chosen social network, it checks the appropriate table for that id and if it exists there - get's the user id and authenticates user to the system. If not - adds there and also authenticates.

The function that handles the response from the social network:

public function handleProviderCallback($social)
{
    $userSocial = Socialite::driver($social)->user();

    $registeredUser = DB::table($social.'_accounts')->find($userSocial->id);

    if(!empty($registeredUser)) {
        Auth::loginUsingId($registeredUser->user_id);
    }else{
        $user = new User;
        $user->name = $userSocial->name;
        $user->username = 'user2222'; //will be implementer in future
        $user->avatar = $userSocial->avatar;
        $user->save();

        DB::table($social.'_accounts')->insert(['id' => $userSocial->id, 'user_id' => $user->id ]);
        Auth::loginUsingId($user->id);
    }

        return redirect()->action('HomeController@index');
}

The question is about security, may you explain me whether that solution is quite secure or not? I mean the authentication without password, just in case receiving the user's id from the social network. Can that query from the social network be forged to get an access to smb'a account?

展开全部

  • 写回答

1条回答 默认 最新

  • dongmin1166 2018-02-02 13:26
    关注

    Since you are using oAuth this is the preferred method of user authentication.

    Since you are using Socialite it automatically checks against the provider to prevent fake requests being fired. Thus yes this would be considered safe.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
编辑
预览

报告相同问题?

手机看
程序员都在用的中文IT技术交流社区

程序员都在用的中文IT技术交流社区

专业的中文 IT 技术社区,与千万技术人共成长

专业的中文 IT 技术社区,与千万技术人共成长

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

客服 返回
顶部