0

I am trying to implement Facebook login using Loopback as the API.

Following http://loopback.io/doc/en/lb3/Tutorial-third-party-login.html and https://github.com/strongloop/loopback-example-passport, I can't apply the tutorial to my case because in the example, the client side and the server side are in the same project.

My app:

  1. Web application (NextJS custom express server)

    • example endpoint: www.myapp.com
    • The user clicks the "login with Facebook" button to get an access_token, which is then sent to the API.
  2. API application (Loopback)

    • example endpoint: www.api-myapp.com
    • The API gets the access_token from the client, then fetches data from the Facebook Graph API.
    • If the email exists, then auto-login and return a token to the client.
    • Otherwise, register a new user and return a token to the client.

I can't implement the flow above using Loopback :( I can register/log in via username and password in the normal case, but I am confused about how to register/log in with Facebook login.

1 Answer

2

This behavior would be very easy to implement using Loopback. Assuming you are following the third party login documentation, you would simply:

  • Enable facebook-passport authentication.
  • Create a button in your frontend for "login with facebook" which redirects the user to the authpath (i.e. http://<api-server>/auth/facebook).
  • Set the successRedirect to http://<app-server>/<post-login-url>.
Derek Brown
  • Thanks for your advice :) By the way, I set successRedirect to my web application, but I didn't get any data from it. How can I get the access_token and user data like in the example? – bellpiapple May 03 '18 at 19:00
  • `access_token` and `userId` would only be set for your API server not your app server. Either A) your API server and APP server need to share the same domain so you can share cookies or B) create an API endpoint which returns the currently logged in user via JSON. – Derek Brown May 04 '18 at 03:34
  • Is it a proper way to send access_token and userId via query parameter? ``app.get('/auth/account', function (req, res, next) { var User = app.models.consumer; User.findById(req.accessToken.userId, function(err, user) { if (err) { return next(err); } res.redirect(301, 'http://localhost:3001/login?accessToken=' + req.accessToken.id + '&userId=' + user.id); }); });`` like this – bellpiapple May 04 '18 at 08:35
  • That obviously works fine, though Express has some ways of encoding the values without strings: https://stackoverflow.com/questions/19035373/how-do-i-redirect-in-expressjs-while-passing-some-context – Derek Brown May 04 '18 at 13:07
  • You, however, shouldn't return the `access_token` via that endpoint; it would let any (malicious) application get ahold of the API token. Why do you need the API token in the application? – Derek Brown May 04 '18 at 13:08
  • I need the token and userId back in the application to store as a login cookie, so I will encode the values before sending, as in the reference you sent. – bellpiapple May 07 '18 at 14:49
  • You don't need to save the accessToken in the app yourself, it is already saved by Loopback. – Derek Brown May 07 '18 at 17:57
  • I need the access_token to call an API, such as create, edit or delete, that needs the access_token for authentication. P.S. I mean the access_token, not a token from a social provider. – bellpiapple May 08 '18 at 19:37
  • No you don't. The access_token is automatically saved by Loopback as a cookie and used when you make those requests. – Derek Brown May 08 '18 at 19:39
  • Example: API: apitest.com, APP: apptest.com, on different domains. If the request from the APP to the API does not send the access_token, an error will occur for sure, but if the application is on the same domain or in the same Loopback project, it can be used. https://github.com/strongloop/loopback/issues/2142 – bellpiapple May 08 '18 at 20:27
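
Added example (not code from the answer or the comments): a sketch of option B from the comment thread, an API endpoint that returns the currently logged-in user as JSON and never places the access token in a URL or response body. The handler and helper names, the returned fields and the stand-in objects are assumptions made for illustration; `req.accessToken`, `app.models.consumer` and the `http://localhost:3001` origin come from the snippet quoted in the comments.

```javascript
// Express-style handlers written as plain functions, so no framework import is needed.
// Assumption: LoopBack's token middleware has set req.accessToken. Hypothetical wiring:
//   app.get('/auth/account', corsForApp(APP_ORIGIN), currentUserHandler(app.models.consumer));
const APP_ORIGIN = 'http://localhost:3001'; // web app origin used in the thread

// Allow credentialed cross-origin calls from the web app only. Browsers reject a
// wildcard origin on credentialed requests, so echo the exact allowlisted origin.
function corsForApp(allowedOrigin) {
  return function (req, res, next) {
    if (req.headers.origin === allowedOrigin) {
      res.setHeader('Access-Control-Allow-Origin', allowedOrigin);
      res.setHeader('Access-Control-Allow-Credentials', 'true');
      res.setHeader('Vary', 'Origin');
    }
    next();
  };
}

// Return the logged-in user as JSON instead of redirecting with the token in the
// query string. Only selected profile fields are copied into the response.
function currentUserHandler(User) {
  return function (req, res, next) {
    if (!req.accessToken) return res.status(401).json({ error: 'not logged in' });
    User.findById(req.accessToken.userId, function (err, user) {
      if (err) return next(err); // stop here; do not fall through to user.id
      if (!user) return res.status(404).json({ error: 'user not found' });
      res.json({ id: user.id, email: user.email });
    });
  };
}

// Constructed stand-ins so the block runs without a LoopBack app.
function fakeRes() {
  const r = { statusCode: 200, headers: {}, body: undefined };
  r.setHeader = (k, v) => { r.headers[k] = v; };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}
const fakeUsers = { // constructed sample record
  findById: (id, cb) => cb(null, id === 7 ? { id: 7, email: 'a@example.com', password: 'x' } : null),
};
function demo() {
  const res = fakeRes();
  currentUserHandler(fakeUsers)({ accessToken: { id: 'tok', userId: 7 } }, res, () => {});
  return res.body;
}
console.log(demo());
```

Whether the browser attaches the API's cookie to a cross-site request still depends on the cookie's attributes and the browser's third-party cookie policy, which this sketch does not configure.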