Jul. 2nd, 2011

OK, so on the good side, Ruby on Rails does make it suspiciously easy to get all sorts of login stuff working.

On the more questionable side, I have a number of nagging doubts:

* Since when do Rails guides suggest putting "secret keys" (for signing cookie sessions, or for authenticating your app to facebook/twitter/etc) in your source code? Did this suddenly stop completely obviating any sort of security while I wasn't watching?

* Facebook, your "how to register an app with facebook" helpfully -- and correctly -- notes that apps should request the minimum amount of access to your account necessary. However, having set that high standard, they provide lots of options for "would like more access" but no option for "would like a unique URL to use for identification and nothing else, don't NEED access to your phone number, email address, friends, underwear colour, etc, etc" which is all in the basic package all apps have to request by default.
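As an added illustration of the first point (my own example, not Rails' code and not the code behind wheresmystuff), here is what keeping the session-signing secret out of the repository looks like in plain Ruby: the secret is read from the environment and the process refuses to start without it, cookies are signed and verified with an HMAC, and a cookie forged with a secret that leaked via source control only verifies if that leaked value is the one the server actually uses. The variable name `SESSION_SECRET`, the `--` cookie layout and the function names are my assumptions; they mimic the shape of Rails' signed cookies but are not its implementation.

```ruby
require "openssl"
require "json"

# Read the signing secret from the environment (ENV on Heroku is set with
# `heroku config:set`), never from a constant checked into git.
# Refuse to run without one rather than falling back to a default.
def load_secret(env = ENV, name = "SESSION_SECRET")
  secret = env[name]
  if secret.nil? || secret.strip.empty?
    raise KeyError, "#{name} is not set; refusing to sign cookies with no secret"
  end
  raise ArgumentError, "#{name} is too short; use at least 32 random bytes" if secret.bytesize < 32
  secret
end

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# Constant-time comparison so a forger cannot time the signature check byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie layout (assumed here): hex(json(session)) + "--" + HMAC(secret, hex payload).
def sign_cookie(secret, session)
  payload = JSON.generate(session).unpack1("H*")
  "#{payload}--#{hmac(secret, payload)}"
end

# Returns the session hash, or nil if the cookie was tampered with or signed
# with a different secret.
def verify_cookie(secret, cookie)
  payload, sig = cookie.to_s.split("--", 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sig, hmac(secret, payload))
  JSON.parse([payload].pack("H*"))
rescue JSON::ParserError, ArgumentError
  nil
end

# What an attacker who read the secret out of the repository can do: mint an
# admin session. Only succeeds if the leaked value is the server's real secret.
def forge_with_leaked_secret(leaked_secret, server_secret)
  forged = sign_cookie(leaked_secret, { "user_id" => 1, "admin" => true })
  verify_cookie(server_secret, forged)
end

if $PROGRAM_NAME == __FILE__
  # Constructed secret for the demo; in deployment this comes from ENV.
  secret = load_secret({ "SESSION_SECRET" => "demo-secret-" + "x" * 40 })
  cookie = sign_cookie(secret, { "user_id" => 42 })
  puts cookie
  p verify_cookie(secret, cookie)
  p verify_cookie(secret, cookie.sub(/--.*\z/, "--" + "0" * 64))   # bad signature -> nil
  p forge_with_leaked_secret("a secret that was committed to git, 32+ bytes", secret)  # nil
end
```

The point of `load_secret` raising is that a missing variable fails loudly at boot instead of quietly signing everything with `nil` or a placeholder; the point of `forge_with_leaked_secret` is that the signature scheme itself is fine, and the only thing protecting the session is that nobody else has the key, which is exactly what a key in the source tree gives away.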

EDIT: Thanks to all the people who tested the previous version of the site. You're lovely.

EDIT: Thanks to the OmniAuth library, you should now be able to log in with your facebook account at wheresmystuff.heroku.com. It's a little clunky, but it should work. OpenID will hopefully come shortly.

EDIT: The first time, it should ask for authentication. Thereafter it will visit facebook, but just authenticate automatically provided you are already logged into facebook. I'm not sure how you _remove_ permission yet. I don't believe there are any major privacy problems (more than using facebook for anything else): the app doesn't actually access any data from facebook but the profile, and doesn't use any of it but the name. But also, the current version is not tested for reliability or security -- if you have stuff in your facebook profile that it would be bad to have released publicly, then you probably _shouldn't_, and it might be wise not to authenticate random beta-test apps, even if they seem reliable; I don't think it's likely, but in principle, if someone subverted the website with malicious code and then got you to log in via facebook, I think it can read all the stuff in your profile. (It shouldn't be able to do _more_ than that unless facebook asks you to confirm that's ok.)