I am designing a RESTful API which will serve as common backend for several mobile apps. So far, it consists of:
Users table: id (primary), name, email, password
Apps table: id (primary), name, description
Just independent tables...
I want to implement the OAuth Password Grant method to request OAuth Access Tokens from mobile apps, using an email / password form in each case so that I can use OAuth scopes to leverage access levels.
And I am just wondering which is the best approach for designing the database schema.
My tries, so far:
Adding an app_id field to users table and making the email field unique, but this would limit them to use only the first app where they register. So that is not a solution. However, with this approach, I could implement OAuth scope-based permission system the easy way :(
Adding an app_id field to users table but not making email field unique. Then I could have two rows with the same email and different app_ids. But the implementation of OAuth scope-based permission in this case would be inconsistent as I could have two rows with the same email / password when I called 'oauth/token' route...
As many users can be registered in many apps, other idea was to create a pivot table between apps and users (app_user). That table would have:
app_id, user_id, and a role field to specify the role of each user in each app. So far so good with this, but the problem here comes when a user with high privileges in an app would use his/her golden Access Token to perform forbidden actions in another app... :(
Please, can someone shed some light on this topic?
Many thanks in advance.
Related
I have a simple ToDo app written in ReactJS with Express backend and MySQL. I've recently implemented Auth0 authentication, and the app successfully requires authentication before allowing a user to view or add tasks. Any user can see all the tasks (stored in DB), but at least authentication is required first.
Next, I want ensure that users can see only their OWN tasks. Can anyone either describe how this works, or share any decent resources on the subject? Any examples I can review somewhere? I imagine there is probably an ID value I can fetch from Auth0 user DB and silently include that as a column in the DB, then allow users to only fetch tasks matching their own ID.
Any resources appreciated.
I am trying to understand what is the intended use case for app auth and app users. Im basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory. Or do I have to have a unique account with its own api key for every user?
I hope this makes sense. Any assistance would be appreciated.
Thanks.
App Auth and App Users -- which is officially called Box Platform -- is essentially a white-labeled version of Box. I think of it this way: "Box" as we know it is software-as-a-service. It offers a web app, mobile apps, and all the trimmings. Box Platform is the platform layer upon which the SaaS is built, providing API-based management of users/content/comments/collaborations/etc. With Box Platform you have a walled garden in which you can build apps that leverage all the features of the APIs, but are not otherwise "Box apps."
I'm basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
This is an appropriate use case. With Box Platform you will be the owner and administrator of a Box enterprise and all the accounts and data contained within.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory. Or do I have to have a unique account with its own api key for every user?
I think it's generally cleanest to create unique accounts for each user as opposed to giving users a special subdirectory in the admin account. From there you can use the App Auth workflow to get an access token specific to that user.
We're using multiple Facebook apps for our product, in V1.0 we used to get the same user id for all apps. We save accounts collection in our db in which we save Facebook id in and creating new accounts for users in which we don't have their FB id already.
Last week we've created a new app, when we started to use it we found out that we're getting a different id for existing users and we're creating a new account for them in our db. (This happened because the new app was created on v2.0 as explained here - https://developers.facebook.com/docs/apps/upgrading#upgrading_v2_0_user_ids)
I read that we can use business manager in order to define all apps and get all the user id for all apps under the same business (https://developers.facebook.com/docs/apps/for-business), but I couldn't find how can I connect these ids to the original id.
I saw a hack that once I have app_scoped_id, I can make a another FB api call to get the original id (Get Facebook User ID from app-scoped User ID) but this means I keep managing the FB ids on our db, is this a good approach? or should I move on to manage the app scope ids? how can I get them for my V1.0 apps before this transition takes place? can I migrate my data in db (when having FB global ids only)? or do I must have a user access token in order to get this info?
Thanks!
Ilana
I am creating an iOS App which the user will be able to login to via his account with our website (internal), or via Facebook or Twitter.
What I would like to know is how should I manage the database in order to verify his Facebook / Twitter account with his internal account on my website?
I.e When the user logs in via his internal account, I just run a simple authentication check to see if his username and password are valid. However with Facebook and Twitter, I obviously can't do this as I don't have access to the user's password.
Thanks in advanced.
my suggestion is that you would create a new table for each of the login types and connect it to your users/members table.
for example - for facebook login you would have a facebook_users table to hold the user's data (such as name, pic and most important - fbid)
than add a column named facebook_user_id to your existing members table.
in order to get the logged user from facebook you don't need to access his password... you should use the Facebook JS SDK and specifically the FB.getLoginStatus and FB.login function...
offcourse my suggestion is only one of many applicable ways to accomplish the task
Save fbid instead of fb-login user_name (you can keep both) of the user in your internal login table - A unique mapping exists (I'm sure something similar exists for twitter as well). Why do you need fb password for it?
Moreover, you run the check on internal table to authenticate user account, but when using login from fb or twitter, isn't the user already authenticated?
I'm busy to enable login stuff via facebook oauth on my website, but the only thing I want to get is the email of the user.
I saw in dev docs the 'scope=email' but, it seem's mandatory for the user to allow access to anything about him.
is there's a way to ask him to grant access only on his email ?
No. The bare minimum that your app will request from the user is his Basic Information, followed by your extended permissions (in your case, his email address).
nope. email is a so called extended permission. so you have to get the basic set of data of the user. (like: name, fbid, gender, locale).