Reputation: 187222
I have a traditional Devise user authentication system that simply uses email and password to log in. I want to add login with Facebook. I have this mostly working, but I am curious about the security implications of handling an edge case.
Let's say this stuff here happens:
At this point we have a user account with no attached Facebook credentials, and we have a Facebook credential with no attached user, but they both have the same email.
So at this point there are two options:
Option 2 is preferred as it's easier for the user, but it means giving access to an account via Facebook that has never before been linked to Facebook. If the email address the server gets from Facebook can be spoofed or altered in any way, this is a huge security issue.
But my server trusts that a user is secure for an email, and so does Facebook. But can I trust the communication between them?
Upvotes: 0
Views: 285
Reputation: 19203
You can only link the accounts if the email has been confirmed on both services.
On your side, you should be confirming the user's email (using Devise's Confirmable module).
On Facebook's side, they should send a verified_email field that confirms that that account's email address has been confirmed. Unfortunately, Facebook only returns a verified field which is affected not only by email but also by SMS confirmation and by entering a valid credit card.
However, it seems that the email will only be returned if it has been confirmed. See this SO question for more information. The problem is I can't find the official documentation that confirms this (this is as close as I could get), so in the meantime I recommend testing this on your own just to be absolutely sure. If you do find the right documentation, don't forget to add a comment here.
Upvotes: 1
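As an added example (not code from the question or the answer), here is the linking decision the answer describes written as plain Ruby so it runs without Rails: the `User` struct stands in for a Devise model with the Confirmable module (`confirmed_at`) plus the `provider`/`uid` columns an OmniAuth integration adds, and the `auth` hash mirrors the shape an OmniAuth callback receives (`info.email`, `extra.raw_info.verified`). The module, method and sample names are assumptions; the rule it implements is the answer's: auto-link only when the email is confirmed on both sides, and otherwise fall back to asking for the local password before linking.

```ruby
require 'time'

# Stand-in for a Devise model with Confirmable (confirmed_at) and the
# provider/uid pair OmniAuth integrations usually add. Assumed shape, not Devise's own.
User = Struct.new(:email, :confirmed_at, :provider, :uid, keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end
end

module FacebookLinker
  Decision = Struct.new(:action, :reason, keyword_init: true)

  # auth mirrors an OmniAuth hash: provider, uid, info.email and
  # extra.raw_info.verified (Facebook's broad "verified" flag; as the answer
  # notes, there is no separate verified_email field to rely on).
  def self.decide(auth, users)
    provider = auth['provider']
    uid = auth['uid']
    email = auth.dig('info', 'email').to_s.strip.downcase
    verified = auth.dig('extra', 'raw_info', 'verified') == true

    # Already linked: an ordinary login, no email matching involved.
    existing = users.find { |u| u.provider == provider && u.uid == uid }
    return Decision.new(action: :login, reason: 'provider/uid already linked') if existing

    # No email from Facebook means nothing safe to match on; never guess.
    return Decision.new(action: :reject, reason: 'no email returned by facebook') if email.empty?

    # "verified" is set by SMS or credit-card checks too, so it is necessary
    # but not proof of email ownership; the password fallback covers the gap.
    return Decision.new(action: :require_password, reason: 'facebook account not verified') unless verified

    # Devise compares emails case-insensitively; do the same here.
    local = users.find { |u| u.email.downcase == email }
    return Decision.new(action: :create, reason: 'no local account with this email') if local.nil?
    return Decision.new(action: :require_password, reason: 'local account linked to a different facebook uid') if local.provider
    return Decision.new(action: :require_password, reason: 'local email not confirmed') unless local.confirmed?

    Decision.new(action: :link, reason: 'email confirmed on both sides')
  end

  # Attach the Facebook identity once decide returned :link.
  def self.link!(user, auth)
    user.provider = auth['provider']
    user.uid = auth['uid']
    user
  end
end

# Constructed sample data (not real accounts).
def sample_auth(email:, verified:, uid: '10001')
  { 'provider' => 'facebook', 'uid' => uid,
    'info' => { 'email' => email },
    'extra' => { 'raw_info' => { 'verified' => verified } } }
end

SAMPLE_USERS = [
  User.new(email: 'alice@example.com', confirmed_at: Time.parse('2020-01-01T00:00:00Z')),
  User.new(email: 'bob@example.com', confirmed_at: nil)
]

if __FILE__ == $0
  [['alice@example.com', true], ['bob@example.com', true], ['alice@example.com', false],
   ['carol@example.com', true], [nil, true]].each do |email, verified|
    d = FacebookLinker.decide(sample_auth(email: email, verified: verified), SAMPLE_USERS)
    puts "#{email.inspect} verified=#{verified} -> #{d.action} (#{d.reason})"
  end
end
```

The `:require_password` branch is the conservative fallback for every case where one side has not confirmed the address: the user signs in with the existing password once, and only then is the Facebook identity attached, so an unconfirmed or merely "verified" Facebook email never grants access on its own.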