0

I'm building a very simple API using silex (php micro-framework). I have an idea on how to authenticate user using Facebook connect or username / password.

I want to build this API to provide data to my mobile app. My API is using HTTPS. The authentication with Facebook:

  • Facebook Connect happen on the mobile app
  • The mobile app is sending the user token and facebook_id to the API
  • The API check the user Facebook id requesting /me?token=...
  • The API check the Facebook app_id is correct /app?token=...
  • -> The user does exists and is authenticated

Now using login / password:

  • the mobile app send the username and encoded password
  • The API check the combinaison is correct
  • -> The user does exists and is authenticated

The question is about the user session. I don't really want to do this tests on every requests (ie. for Facebook auth there is 2 requests to Facebook).

I was thinking to open a session for the user and store some kind of API token. The token would be hashed and salted (salt + user_id + time delivered). I would store it in the session table and would only need to check that the token is still valid and belong to the requesting user.

So the mobile app would only send the user id + the api token for every request.

What to you think of it ? Do you thing of a better solution keeping it simple? Or do you see any issue with this design?

Cheers, Maxime

maxwell2022
  • 2,818
  • 5
  • 41
  • 60
  • Maybe you should simplify your question a bit as it is quite confusing to know what exactly you are asking for (I think that's why you have a down vote .) – dennis Feb 05 '14 at 11:34

2 Answers2

1

Facebook's authentication flows are based on the OAuth 2.0 protocol. More information about the protocol can be found here.

The flow follows these general steps:

  • Determine whether someone is already logged in.
  • If they aren't logged in, prompt them to do so (with a login dialog).
  • Exchange secure codes to confirm identity.
  • Generate an access token.

Once your client has obtained the access token, it should store that token. The client can then perform API requests on the user's behalf using the access token. So there's no need to follow the steps above again once you have the access token (unless that token has expired).

Facebook provides a number of SDKs for you to use, including a couple of mobile SDKs. I suggest you use an appropriate SDK for your mobile app. Implementing an OAuth 2.0 dialog with Facebook will be much easier than doing everything manually. Start reading here.

Community
  • 1
  • 1
Jasper N. Brouwer
  • 21,517
  • 4
  • 52
  • 76
0

You can save the Facebook Id in the first user login. Then after check for active facebook user you can search and compare in Mysql for existent facebook Id.

user3280814
  • 1
  • 1