I am using the Socialite for a social network authentication in Laravel App. I wanted to add registration using social networks, without possibility to use the classic registration method byentering username and password. Currently, I decided to create a User model which contains name and username, that is used for uathorization and separate tables in db for each social network that contain user_id and id from the social network as PK.
When the system receives the user's id in chosen social network, it checks the appropriate table for that id and if it exists there - get's the user id and authenticates user to the system. If not - adds there and also authenticates.
The function that handles the response from the social network:
public function handleProviderCallback($social)
{
$userSocial = Socialite::driver($social)->user();
$registeredUser = DB::table($social.'_accounts')->find($userSocial->id);
if(!empty($registeredUser)) {
Auth::loginUsingId($registeredUser->user_id);
}else{
$user = new User;
$user->name = $userSocial->name;
$user->username = 'user2222'; //will be implementer in future
$user->avatar = $userSocial->avatar;
$user->save();
DB::table($social.'_accounts')->insert(['id' => $userSocial->id, 'user_id' => $user->id ]);
Auth::loginUsingId($user->id);
}
return redirect()->action('HomeController@index');
}
The question is about security, may you explain me whether that solution is quite secure or not? I mean the authentication without password, just in case receiving the user's id from the social network. Can that query from the social network be forged to get an access to smb'a account?
