CB Connect for Facebook

Hi All,

I am just wondering if someone could confirm if what I am feel are issues are in fact the way CB connect for Facebook is designed to work.

Couple of possible issues.
1)
I am already registered on my site, but logged out. So I am presented with the CB login form with a CB Connect to Facebook button to "sign in".
I click on the button and I am presented with the FB OAuth dialog with my required permissions, I click to login with facebook.
I go back to my site but I am not logged in but a joomla error is shown which says "This email is already registered."

If they are already registered should the accounts not just be joined rather than throwing an error?
This could be confusing for already registered users who must login with email/password then click on the FB button to link. In future they are then able to sign in just by clicking the FB button.

2)
I go to my CB profile and in the menu click "Unjoin this site".
The application is removed from FB however the users FB account number is not removed the users CB record.
This means the menu still shows unjoin and invite which again could be confusing as the users has asked to be unlinked but this makes it look like we have not do what they want.
Also until the CB facebook id field is empty the user can not re-link CB and FB.

3)
On all of the FB OAuth dialogs if the user clicks cancel they are redirected to FB instead of back to my site.
If the user is logged out of FB the intial FB login screen cancel works as expected.

4)
The user is registered on the site and their account it linked to FB.
Since their last visit the site admin has altered the permissions they ask FB for.
The user returns to the site and clicks the FB button to login.
They are presented with a FB OAuth asking for the new permission(s) but they either click cancel or if asking for a FB extended permission they click the remove button for that permission then press skip.
They are then redirected back to the site and logged in however in both instances above they have not allowed the permissions the site requires.

(This is not an issue for me as I am just asking for basic and publish_actions on login then later on asking for more if as and when I need them. But I thought I would mention it since I spotted this.)

For example later in my site I ask for user_events and publish_events. If in the FB OAuth dialog they click cancel they are redirected back to my site and I pick-up the error and do not allow them to continue giving them a nice message.


Thank you in advance for your help with these.

Kind Regards

Mike

If they are already registered should the accounts not just be joined rather than throwing an error?

No, it doesn't match the user based off Email Address. That'd be a massive security vulnerability. They need to login to Joomla and click "Link". Then they can use the "Sign In" button to login with their Facebook credentials.

The application is removed from FB however the users FB account number is not removed the users CB record.

The ID is kept encase they want to link again in the future. They'd just need to click the sign in button and accept the terms again and they'll instantly login.

This means the menu still shows unjoin and invite which again could be confusing as the users has asked to be unlinked but this makes it look like we have not do what they want.

That shouldn't be happening. I suspect it's due to the Joomla session still having the Facebook ID present. Will need to investigate and fix if is the case.

forge.joomlapolis.com/issues/3519

Also until the CB facebook id field is empty the user can not re-link CB and FB.

Not true, just click the sign in button after logging out. There's no need for them to "link" again.

On all of the FB OAuth dialogs if the user clicks cancel they are redirected to FB instead of back to my site.
If the user is logged out of FB the intial FB login screen cancel works as expected.

I can't control how the dialog behaves. You'll need to review your applications dialog configuration regarding that as believe you can specify a custom URL for the cancel button.

They are then redirected back to the site and logged in however in both instances above they have not allowed the permissions the site requires.

That's fine, they may have rejected some of the permissions, but it doesn't disable the application. It just means your install can't utilize the API associated with those permissions. It's far better then blocking them from your site entirely, which would cause massive userbase loss. I do not recommend altering permissions constantly after you've an established userbase. Decide what you need and go from there. If Facebook sends back a unauthorized login then they won't login, but Facebook is sending an authorized login so it continues.

No, it doesn't match the user based off Email Address. That'd be a massive security vulnerability. They need to login to Joomla and click "Link". Then they can use the "Sign In" button to login with their Facebook credentials.

I had to think about this, sorry if I am being a little "dumb".
I guess you are referring to someone pretending to be facebook and firing stuff at the site until they find a valid email?

Didn't an earlier version just link the accounts?

That shouldn't be happening. I suspect it's due to the Joomla session still having the Facebook ID present. Will need to investigate and fix if is the case.

forge.joomlapolis.com/issues/3519

Not true, just click the sign in button after logging out. There's no need for them to "link" again.

With regards to the session I checked and after clicking unlink and the page doing what it does. The variable cbconnect_facebook still exists in the session, loging out and back in sorts the session and the menu on the CB profile no longer shows the FB stuff.

With regards to the re-linking, the current process for all registered users with no previous link is:
1. Login to the site.
2. In the CB login box click on the FB button (which says "link").
3. CB and FB do their stuff.
4. On their CB profile user decides to select "Unlink" on the menu.
5. CB and FB do their stuff. On FB app is removed.

In my view at this point if the user decides to re-link or re-authorise whatever we call it they will do what they did the first time and look at the CB login module. But the FB "Link" button is not showing.

I am assuming this is the reverse of the session problem above.
The CB menu items are looking at the session and if the session isset then they show.
But the CB module is looking at the database and if the FB id field isset then it does not show the button. I tested this by manually clearing the field in the backend and the button shows again. If anything they both need to look at session.

The reason being for an already registered person as per the top question they get an error if they try to login with facebook but have not logged in and "linked" first.


Thanks again to the CB team and thank you for your help with these.

Kind Regards

Mike

I guess you are referring to someone pretending to be facebook and firing stuff at the site until they find a valid email?

If it matched by email then in the authorization dialog you can just tell it to send whatever email you want. It'd be easy for someone to hijack someone else account, even an administrators, so it does not nor will it ever match by email.

Didn't an earlier version just link the accounts?

You can enable linking only by disabling registration within CB Connect configuration.

With regards to the session I checked and after clicking unlink and the page doing what it does. The variable cbconnect_facebook still exists in the session, loging out and back in sorts the session and the menu on the CB profile no longer shows the FB stuff.

Yeah, I'll be fixing that with next release.

I am assuming this is the reverse of the session problem above.

Nope, it's working as intended. They do not have to re-link. Facebook, and all social sites, policy allows indefinite storage of their ID. All they have to do is click the "Sign In" button, authorize the application, and they're signed in. The unlink is just deauthorizing the application. This is done encase of accidental unlink resulting in them never being able to get back into their account, because passwords are generated.

Thanks for your time with my queries.

With regards to the re-linking if they unlink what I meant is rather than not showing the button we should show the button as a way of promoting facebook to encourage them to re-authorise the app.
I know they can re-authorise by clicking "login with facebook" when they are logged out but in my view it would be nice.

Once the session issue is sorted in the next release I can manually add this if this is not something you want to do as standard.

Also just something I have noticed:
On the cblogin I am getting a load of empty span tags when in horizontal or div tags when vertical.
Looking at this I found it is due to the CB Connector.
plugin.cbconnect.php line 16 is showing all of the buttons which in cbconnect.class.php on line 1142 returns the button html.
On line 1178 it then adds a span or div tag around the button. But this is adding the tags even if the $return variable is empty.
To stop it I have just added a around this at line 1178 to stop this.

Not a big issue it only caught me out due to my css.

Thanks

Mike

Once the session issue is sorted in the next release I can manually add this if this is not something you want to do as standard.

3.3.4 fixes the session issue and no I won't be adding any such change, sorry.