Update:
Google login: I am working on a method to pass the data through Firebase DB so we can do this through the device's browser instead of the web viewer. I am close and have a working model, albeit insecure at the moment.
Facebook: works a charm.
Twitter: works well but I need to be able to scope email addresses and I haven't yet sought permission for that.
Overall: Getting the user data (uid, token, email, avatar etc.) is the easy part. The difficulty is then logging in with Thunkable, because the Thunkable interface only has one option (email, password). The workaround is to link the account to multiple auth methods. Fortunately Firebase makes this easy. So…
Once we log the user in using Facebook, we get their email from the results object of the UI and, after linking the account with the provided email and a known secure admin pseudo password, we return that to Thunkable in a message. In Thunkable, on receipt of this message, we programmatically use the login block with this email and password. We are effectively logging in using both Facebook and email. It's working well!!!
I am however today exploring ways of keeping this known admin pseudo password safe and hidden in the HTML/JavaScript environment, and making it a known admin-created password that we don't have to pass in a message. The password can be the same for all users as long as it remains secure and hidden. Anyone having a go at this may find the below function is the cracker. The below code uses the refresh token to create a user password (which should be long lived and is never known to the user); however, I am looking for a more robust solution. We are very close, guys. Alternatively, Thunkable COULD create a block to allow us to log in using the token itself regardless of the provider method used!!! I am determined to make this work securely.
```javascript
function ProcessResults(result) {
  let results = JSON.stringify(result); // User successfully signed in.
  console.log(`email: ${result.user.email}, uid: ${result.user.uid}`);
  let pw = result.user.refreshToken;
  pw = pw.slice(pw.length - 8, pw.length); // create a password as last 8 characters from the refresh token
  // First-time signup:
  if (result.additionalUserInfo.isNewUser === true) { // if signup, link Thunkable email login, create user database node and pass results to Node.js
    if (result.additionalUserInfo.providerId !== "password") { // exclude the email choice from linking: an email-type account can't be linked to an email-type account. We can use Thunkable directly for this.
      var credential = firebase.auth.EmailAuthProvider.credential(result.user.email, pw); // this is what Thunkable will use to log in.
      firebase.auth().currentUser.linkWithCredential(credential)
        .then(function (usercred) {
          var user = usercred.user;
          console.log("Account linking success", user);
        }).catch(function (error) {
          console.log("Account linking error", error);
        });
    }
    else {
      ThunkableWebviewerExtension.postMessage(`${result.user.uid},${result.user.email},password`);
    }
    firebase.database().ref("users").child(`${result.user.uid}/LoginResults`).set(results);
  }
}
```
EDIT: Eureka…
We don't have to hide or store the pseudo password. We can generate a new one and update it every time the user logs in and pass it to Thunkable each time.
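```javascript
let user = firebase.auth().currentUser;
console.log("update password");
// Replace the account's email/password credential with the newly generated value.
user.updatePassword(pw).then(() => {
  // Update successful.
}, (error) => {
  // An error happened.
  console.error(error);
});
console.log(pw); // debug output: writes the new password to the console
```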
I'll start to tidy up this project and post a full solution soon. I may limit it to Facebook just to keep it relatively simple. We can go through the Google login in subsequent posts. Small wins keep me going.
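An added example, not part of the original post: one way to generate the per-login pseudo password from the platform CSPRNG instead of the last 8 characters of the refresh token, and to send it to Thunkable only after `updatePassword` has succeeded. `generatePseudoPassword`, `rotateAndSend`, the `send` callback and the demo user are hypothetical names; it assumes the email/password credential is already linked as in the code above.

```javascript
// Added example (not the original author's code).
// Web Crypto is a global in browsers and recent Node; fall back to Node's module.
const cryptoApi = globalThis.crypto ||
  (typeof require === 'function' ? require('crypto').webcrypto : undefined);

// 64 URL-safe characters. No comma, so the value cannot break the
// comma-separated "uid,email,password" message format used in the post.
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

function generatePseudoPassword(length = 32) {
  const bytes = new Uint8Array(length);
  cryptoApi.getRandomValues(bytes);
  // 256 is a multiple of 64, so masking to 6 bits introduces no bias.
  // 32 characters x 6 bits = 192 bits of entropy, independent of any token.
  return Array.from(bytes, (b) => ALPHABET[b & 63]).join('');
}

// user: a Firebase user object (firebase.auth().currentUser in the post).
// send: delivers the message to the app
//       (ThunkableWebviewerExtension.postMessage in the post).
async function rotateAndSend(user, send) {
  const pw = generatePseudoPassword();
  try {
    await user.updatePassword(pw);
  } catch (error) {
    // e.g. auth/requires-recent-login: Firebase never stored this password,
    // so it must not be sent on to the app.
    return { ok: false, code: error.code };
  }
  send(`${user.uid},${user.email},${pw}`);
  return { ok: true };
}

// Constructed stand-ins so the example runs outside the app.
const demoUser = {
  uid: 'demo-uid',
  email: 'user@example.com',
  updatePassword: async () => {},
};
rotateAndSend(demoUser, (msg) =>
  // Mask the password field instead of logging it.
  console.log('to Thunkable:', msg.replace(/[^,]+$/, '<32 chars>')));
```

Unlike the two-step snippets above, the message is sent only from the success path, so the app never receives a password that Firebase rejected.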
