In the spring boot rest application (frontend end is Angular), Looking to implement OTP-based login. without any password.
Every time a user needs to log in using a mobile/email number and the OTP sends it to the mobile/email.
The first-time login, treat as registration and create a user in DB, and further same user login will fetch profile data from DB.
Similar to
https://www.cowin.gov.in/
Upon registration, get the user's email and create a user entry in your DB.
When user clicks Login present them with a screen to enter their email. Upon submitting email, check if it exists in the backend. If it does, generate an OTP and save it to the user e.g if using a SQL DB, save the OTP in a column in the user's row. Send the user an email with the OTP and update the UI to display the input field for the OTP.
When the user enters the OTP, verify that what they entered is what is stored in DB. If they match, fetch profile data. If not, display error message.
Related
In my Spring Boot I'd like to have both social login and signup with user and password.
Let's say the user signs-up via Google. After some time, he forgets that he signed-in via Google and tried to register using the same email.
What should happen in this case?
Should I save user info (returned by Google) in a "users" table of my database to prevent the same user to register twice?
Is there an article or something that explains a similar login/registration flow?
you can save all the users(OAuth or signup) in the user table. you can maintain a column by which you will be able to identify them if a user is signed in via OAuth or email. then if a user tries to signup via the same email you can show a message. or you can design your signup process using multiple steps. at first, the user needs to enter her email address, then you can send her an email where she needs to click some link that has some token in the url, if she previously logged in using some oath provider then she will be automatically logged in otherwise she needs to set her password.
I have an application where a user (we will call 'original user') can create a 'plan' and then add other user's to that 'plan' so they can view the 'plan'. The original user can simply enter the email address of the user they want to add. If that user already exists, the user will be added to the plan and there are no issues.
In the case that the user does not exist, I am having the original user enter the email address and an initial password for that user. I can trigger an email to go to the new user to notify them. The new user is added to the Plan Mapping table so they are attached to that plan.
The vulnerability in my approach is that the original user could start creating accounts for people inappropriately and that the original user has to tell the new user their password or the new user has to hit 'Forgot Password' the first time they log in.
It would be ideal for the original user simply to add an email for the user they want to add to the plan. If the user exists, the user is added to the plan automatically. If the user does not exist, they are added to the Plan Mapping somehow and sent an email with a token to create an account.
I know how to send an Activation email. However, that doesn't work because the password is still created by the original user. I don't know how I could send an email with that user to sign up and then automatically do the Plan Mapping after that user signs up.
1) You could create a user without password.
2) When create a signed url for the new user and send it via email. https://laravel.com/docs/6.x/urls#signed-urls
3) User will get to the link you have create and will have to enter a new password.
When user login from laravel PWA then no need to put user name password again up to user logout by himself (like android app user not logout upto which it will not ask for user name password) means remembering the user is already login
you have to first get user name and password then store this on local indexed db https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API/Basic_Concepts_Behind_IndexedDB and when next time user login then it will get auto login means fetch user name and password from local indexed db
We have developed an app that let user login with facebook. The app has been granted all required permissions to retrieve name, email, gender and age range etc. But our app developer stored only id,name and email while user login. Now we need to retrieve gender and age range of all those users who have logged in the app.
Is there a way to rerun user query to retrieve those data? I am looking to develop an program using Spring-social and RestFB but it needs user login action to retrieve required data which is problem in our case since we cannot recreate login action again.
As long as the user granted public_profile permission to your app, and you have their app-scoped user id, you can make the API call using your app access token.
And if you are looking to request this data for a lot of users, then you should optimize your requests in the following ways:
request the fields you need only: /user-id?fields=id,gender
request data for multiple users in one go: /?ids=user-id-1,user-id-2,user-id-3&fields=fields=id,gender – https://developers.facebook.com/docs/graph-api/using-graph-api/v2.5#multirequests
perhaps even use Batch Requests if necessary, https://developers.facebook.com/docs/graph-api/making-multiple-requests/
I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticate an user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?