Facebook breaks logins (opens in new tab)

(developers.facebook.com)

117 pointsapoorvamehta13y ago52 comments

52 comments

37 comments · 11 top-level

Smerity13y ago· 12 in thread

This is a good time to remind ourselves: Facebook's API is a service and can be a single point of failure for your business. Unlike AWS, you don't even pay for it and it has a history of being problematic[1].

Allowing users to log in to your application using Facebook is quite common. It can be easier for users. It can give you access to demographic data with less work. But the API can die, change, or act generally unpredictable. And you have zero control over it.

This particular issue is impacting 9gag, Pinterest and others. Whilst many of these sites support user logins without Facebook, just as many of them don't. Imagine if tomorrow Facebook charge to connect to their API or there's some extreme exploit. How much damage would your application face?

[1]: http://techcrunch.com/2011/08/11/facebook-wins-worst-api-in-...

pkorzeniewski13y ago

I find it ridiculous that so many sites use FB as main login method, this is a critical part and relying on something that you have no control over, which is also probably collecting data about users that use your site, is a big red flag. Sure, it's more conveniant for many users to just click 'Login with FB', but I find it short-sighted.

PommeDeTerre13y ago

I've found sites that only allow logins via Facebook to be very convenient to use. The moment I see them doing that, I know immediately that it's a site that I have no reason to use. I can move on right away, rather than wasting time with it.

chii13y ago

You can get the best of both worlds by making it so that your user (has to?) also set a password when they finish logging in via facebook the first time.

This way, if facebook ever down (or removes their services), you have an _out_ for your users to login via the traditional username/password.

pidge13y ago

You don't even have to make them set a password when they first register - just verify their email address and handle setting a password though the usual forgotten-password flow if you ever need to.

2 more replies

garethadams13y ago

It also gets you the worst of both worlds, in that you have to build both a Facebook auth solution, and store some form of user password hash on your servers

1 more reply

papsosouid13y ago

>You can get the best of both worlds by making it so that your user (has to?) also set a password when they finish logging in via facebook the first time.

Then why are they bothering to sign in with facebook at all? It is now a more involved process than simply signing up with email/password, which is what facebook logins are supposed to be for avoiding.

eloisant13y ago

Also, unlike AWS, you can't choose to migrate to a different provider in a way that will be completely transparent to your users.

gavinlynch13y ago

I think all the points you make are obvious. If you rely on something that you have no control over, you're liable to get burned if you don't pay attention to API changes or if Facebook doesn't keep it's contracts from an architectural standpoint.

But it's also the price you pay if you want to tap into their user base. So it is what it is. You just have to keep your head on a swivel. shrugs

papsosouid13y ago

>But it's also the price you pay if you want to tap into their user base. So it is what it is.

It is? The facebook userbase is entirely and completely unwilling to sign up with a password? Putting a facebook login button on your site doesn't tap into facebook's userbase. If you want to try to tap into their userbase, you need actual integration with facebook, which can be done even though you had them sign up using a password. That way they can still use your site when facebook fucks up, and only the "automatically spam my friends" stuff stops working.

blowski13y ago

Interesting correlation between popularity and quality - i.e. the worst APIs are probably the most used.

imrehg13y ago

Or maybe the less used APIs just don't reveal themselves as crap yet, because of the lack of experience with them?

I'm yet to see a very well done API.

1 more reply

anoncow13y ago

Apparently, the Stackexchange network handles this by linking an account to an email id. If you cannot login by using facebook, you can use google to login provided you have the same email id and link the accounts.

supervillain13y ago· 8 in thread

I wonder if Facebook stores it's password in clear-text, since you can login with either 'Password' or 'password', does it hash the first character and the rest into 2 different hashes? If not, we have a our passwords in readable form in their database that have huge privacy and security issues.

switz13y ago

They hash it once and save it to the database. When logging in, they generate three hashes (if I remember correctly) and compare it to the hash in the database. If any match, it logs you in.

Edit: Here's a post on the matter http://www.zdnet.com/blog/facebook/facebook-passwords-are-no...

akx13y ago

Facebook stores three hashes of your password (let's say it's "pAssword"):

* "pAssword" - the password as it is

* "PaSSWORD" - the password, case inverted, in case you have caps lock on

* "PAssword" - the password with its first letter capitalized, for those with mobile devices that insist on Capitalizing Everything.

bungle13y ago

I don't think they store three hashes, but just try to validate password with three hashes.

Something inline this: https://github.com/bungle/web.php/blob/master/password.php#L...

1 more reply

cnicolaou13y ago

Isn't that supposed to increase the chances of guessing the password? Unless there's a constraint on the number of attempts to guess the password, which I think there is.

1 more reply

ohwp13y ago

Or they just make everything lower- or uppercase before checking it against the encrypted version.

rmc13y ago

Almost certainly not, since this would reduce the entropy of their passwords, making brute forcing easier.

pidge13y ago

It's more likely that they coerce to lowercase the the first letter of the password you put in and then store/compare the hash of that resulting plaintext. They could even transparently upgrade passwords created before they started doing this by using the plaintext from the next time you login successfully to regenerate the hash.

buddydvd13y ago

Lowercasing the first character--by itself alone--does not address inverted case scenario (e.g. "PaSsWoRd" and "pAsSwOrD" evaluate to "paSsWoRd" and "pAsSwOrD" respectively).

One way to resolve that issue is to create two versions of the password (one with normal casing and one with inverted casing, but both with the first character lowercased), sort them, and pick the first result.

    ["pAsSwOrD", "PaSsWoRd", "PAsSwOrD"].map(function canonicalize(pwd) {
        function invert(str) {
            return (str == str.toUpperCase()
                    ? str.toLowerCase()
                    : str.toUpperCase());
        }
        var head = pwd.substring(0, 1).toLowerCase();
        var tail = pwd.substring(1);
        var vers = [head + tail,
                    head + tail.split("").map(invert).join("")];
        return vers.sort()[0];
    });

Which gives the following result:

    ["pAsSwOrD", "pAsSwOrD", "pAsSwOrD"]

The three different variations get canonicalized into one version. With it, you can just store one hash instead of three.

bleonard13y ago· 2 in thread

For omniauth/rails people out there, we found this to work.

   fb_options[:client_options] = {
        :site => 'https://graph.facebook.com',
        :authorize_url => 'https://www.facebook.com/dialog/oauth',
        :token_url => '/oauth/access_token'
      }
   provider :facebook, api_key, secret_key, fb_options

hayksaakian13y ago

The explanation:

> (according to) Andrew Fowler (from the comment thread on facebook)

The solution is to replace your OAuth Dialog URL: "https://graph.facebook.com/oauth/authorize?...... with the up-to-date URL: "https://www.facebook.com/dialog/oauth?....... They removed support for some parameters without fixing the redirect from their old endpoint.

mpd13y ago

This looks to have resolved it for us as well. Thank you.

alex_c13y ago· 2 in thread

I was having lunch recently with a few developers, and the topic of "What is the worst API you ever had to work with" came up. The unanimous answer was immediately "Facebook". Everything from the documentation, to multiple ways to do similar things (each of them incompletely documented), to deprecations that never actually go away, to arbitrary breaking changes.

ceejayoz13y ago

I'd go with Instagram's over Facebook's.

phillmv13y ago

What did you try to do?

I've worked with both and Instagram is… pretty straightforward. Granted, I only ever authenticated and consumed feeds, but still.

Facebook on the other hand is a maze of twisty little passages, all alike

1 more reply

aidos13y ago· 1 in thread

I have to admit that I sort of struggled to understand what Facebook were trying to communicate to me when that message popped up on my account.

Maybe if you worked with the Facebook login system / followed their API frequently it would have made sense. For someone who once integrated Facebook logins into their site it felt a little bit cryptic.

henrikschroder13y ago

I've done way too much work integrating Facebook login and payments, and their error messages never make sense. You just have to learn how to map their undecipherable gibberish into actual errors, and then go fix it.

joebeetee13y ago· 1 in thread

It's still broken for mobile web

joebeetee13y ago

http://developers.facebook.com/bugs/ is broken as well if you are logged in. Big bug.

thathoo13y ago

Yep, that worked for me: added this in devise.rb: config.omniauth :facebook, FB_APP_ID, FB_APP_SECRET, {:scope => '.....', :client_options => {:ssl => {.....}, :display => 'popup', :setup => true, :site => 'https://graph.facebook.com, :authorize_url => 'https://www.facebook.com/dialog/oauth, :token_url => '/oauth/access_token'}}

jhaile13y ago

Does anyone know if there is a workaround if you are currently using the FB.login method to authenticate users?

edouard123456713y ago

seems fixed.

sutro13y ago

Is the United Breaks Guitars guy available?

contingencies13y ago

http://imgur.com/V5LD0EB

j / k navigate · click thread line to collapse

52 comments

37 comments · 11 top-level

Smerity13y ago· 12 in thread

[1]: http://techcrunch.com/2011/08/11/facebook-wins-worst-api-in-...

pkorzeniewski13y ago

PommeDeTerre13y ago

chii13y ago

You can get the best of both worlds by making it so that your user (has to?) also set a password when they finish logging in via facebook the first time.

This way, if facebook ever down (or removes their services), you have an _out_ for your users to login via the traditional username/password.

pidge13y ago

You don't even have to make them set a password when they first register - just verify their email address and handle setting a password though the usual forgotten-password flow if you ever need to.

2 more replies

garethadams13y ago

It also gets you the worst of both worlds, in that you have to build both a Facebook auth solution, and store some form of user password hash on your servers

1 more reply

papsosouid13y ago

>You can get the best of both worlds by making it so that your user (has to?) also set a password when they finish logging in via facebook the first time.

eloisant13y ago

Also, unlike AWS, you can't choose to migrate to a different provider in a way that will be completely transparent to your users.

gavinlynch13y ago

But it's also the price you pay if you want to tap into their user base. So it is what it is. You just have to keep your head on a swivel. shrugs

papsosouid13y ago

>But it's also the price you pay if you want to tap into their user base. So it is what it is.

blowski13y ago

Interesting correlation between popularity and quality - i.e. the worst APIs are probably the most used.

imrehg13y ago

Or maybe the less used APIs just don't reveal themselves as crap yet, because of the lack of experience with them?

I'm yet to see a very well done API.

1 more reply

anoncow13y ago

supervillain13y ago· 8 in thread

switz13y ago

They hash it once and save it to the database. When logging in, they generate three hashes (if I remember correctly) and compare it to the hash in the database. If any match, it logs you in.

Edit: Here's a post on the matter http://www.zdnet.com/blog/facebook/facebook-passwords-are-no...

akx13y ago

Facebook stores three hashes of your password (let's say it's "pAssword"):

* "pAssword" - the password as it is

* "PaSSWORD" - the password, case inverted, in case you have caps lock on

* "PAssword" - the password with its first letter capitalized, for those with mobile devices that insist on Capitalizing Everything.

bungle13y ago

I don't think they store three hashes, but just try to validate password with three hashes.

Something inline this: https://github.com/bungle/web.php/blob/master/password.php#L...

1 more reply

cnicolaou13y ago

Isn't that supposed to increase the chances of guessing the password? Unless there's a constraint on the number of attempts to guess the password, which I think there is.

1 more reply

ohwp13y ago

Or they just make everything lower- or uppercase before checking it against the encrypted version.

rmc13y ago

Almost certainly not, since this would reduce the entropy of their passwords, making brute forcing easier.

pidge13y ago

buddydvd13y ago

Lowercasing the first character--by itself alone--does not address inverted case scenario (e.g. "PaSsWoRd" and "pAsSwOrD" evaluate to "paSsWoRd" and "pAsSwOrD" respectively).

    ["pAsSwOrD", "PaSsWoRd", "PAsSwOrD"].map(function canonicalize(pwd) {
        function invert(str) {
            return (str == str.toUpperCase()
                    ? str.toLowerCase()
                    : str.toUpperCase());
        }
        var head = pwd.substring(0, 1).toLowerCase();
        var tail = pwd.substring(1);
        var vers = [head + tail,
                    head + tail.split("").map(invert).join("")];
        return vers.sort()[0];
    });

Which gives the following result:

    ["pAsSwOrD", "pAsSwOrD", "pAsSwOrD"]

The three different variations get canonicalized into one version. With it, you can just store one hash instead of three.

bleonard13y ago· 2 in thread

For omniauth/rails people out there, we found this to work.

   fb_options[:client_options] = {
        :site => 'https://graph.facebook.com',
        :authorize_url => 'https://www.facebook.com/dialog/oauth',
        :token_url => '/oauth/access_token'
      }
   provider :facebook, api_key, secret_key, fb_options

hayksaakian13y ago

The explanation:

> (according to) Andrew Fowler (from the comment thread on facebook)

mpd13y ago

This looks to have resolved it for us as well. Thank you.

alex_c13y ago· 2 in thread

ceejayoz13y ago

I'd go with Instagram's over Facebook's.

phillmv13y ago

What did you try to do?

I've worked with both and Instagram is… pretty straightforward. Granted, I only ever authenticated and consumed feeds, but still.

Facebook on the other hand is a maze of twisty little passages, all alike