FB callback_url now optional #64

@kav

Made FB redirect url optional. (Works this time, sorry about the brain fart last time). Been using this for a few weeks and it works like a charm. Happy to share the Express middleware code I use with it to achieve the onion layers people seem to keep complaining about.

@ciaranj
Owner

Hey! Thanks for this. I'm interested in your middleware to understand how you're using this exactly. The redirecturl you're tweaking there is the one that (by default) comes back into the Facebook strategy to finish off the authentication handshake (i.e. the route that is declared within the strategy, /auth/facebook, or whatever it is, can't see from the diff above ;) ). Is that still the intention of this fix? (Presumably to get away from the fact that you currently have to know up front what your host is, which is a PITA when moving from dev -> live etc.?)

It helps with that. It also allows users to enter the application via any app url and successfully land at that URL after the auth loop without me having to write a bunch of code to track the url they requested.

I don't have an explicit auth/facebook route, instead I have middleware https://gist.github.com/1220663 so my routes look like this

app.get '/lobby', fb.ensureLogin, app.controllers.lobby.index
app.get '/room', fb.ensureLogin, app.controllers.room.index

Owner

Sorry for the long delay! :) What is the difference between your 'redirectUrl' and the value of request.url at that point in the code? I'm really interested in solving this problem generically across strategies :)

My redirectUrl is either the value you passed in as the callback url or it's the request.url. This means if you pass something for the callback url the code behaves as it always has. If you didn't however then the user's request url (i.e. request.url) is passed to Facebook as the redirect_url and thus you can wrap any url on your site in a Facebook auth request and know that the user will be returned to the url they originally requested rather than sent to some standard landing page.

I'm not sure my fix is completely perfect; there is a bit more that could be done. For example, Facebook sends the request back with a signed request param which could be parsed off and handled before the request is passed to the original url, but it does work pretty well.
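
Added example, not code from this pull request or the project: one way to parse off and verify the signed request parameter mentioned in the last comment before the request reaches the originally requested route. It assumes Facebook's `signed_request` format (base64url signature, a dot, base64url JSON payload, HMAC-SHA256 keyed with the app secret); `parseSignedRequest`, `stripSignedRequest`, `makeSample` and the secret are hypothetical names and constructed values.

```javascript
const crypto = require('crypto');

// Decode base64url (the encoding used for both halves of signed_request).
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function b64urlEncode(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Verify "<signature>.<payload>": the signature is HMAC-SHA256 over the
// still-encoded payload, keyed with the app secret. Returns the decoded
// payload object, or null when the value is malformed or fails verification.
function parseSignedRequest(signedRequest, appSecret) {
  if (typeof signedRequest !== 'string') return null;
  const parts = signedRequest.split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const sig = b64urlDecode(parts[0]);
  const expected = crypto.createHmac('sha256', appSecret).update(parts[1]).digest();
  if (sig.length !== expected.length || !crypto.timingSafeEqual(sig, expected)) return null;
  let data;
  try { data = JSON.parse(b64urlDecode(parts[1]).toString('utf8')); } catch (e) { return null; }
  if (!data || String(data.algorithm).toUpperCase() !== 'HMAC-SHA256') return null;
  return data;
}

// Hypothetical helper: split signed_request off the returning URL so the
// originally requested route sees a clean URL plus the verified payload.
function stripSignedRequest(requestUrl, appSecret) {
  const u = new URL(requestUrl, 'http://placeholder.invalid'); // base only for parsing
  const raw = u.searchParams.get('signed_request');
  u.searchParams.delete('signed_request');
  return { url: u.pathname + u.search, payload: raw ? parseSignedRequest(raw, appSecret) : null };
}

// Constructed sample: sign a payload the same way so the example runs offline.
const SECRET = 'constructed-app-secret';
function makeSample(obj, secret) {
  const payload = b64urlEncode(Buffer.from(JSON.stringify(obj)));
  const sig = b64urlEncode(crypto.createHmac('sha256', secret).update(payload).digest());
  return sig + '.' + payload;
}
const token = makeSample({ algorithm: 'HMAC-SHA256', user_id: '1234' }, SECRET);
console.log(stripSignedRequest('/lobby?room=5&signed_request=' + token, SECRET));
```

A `null` payload means the parameter was absent or did not verify, so the route should treat the request as unauthenticated rather than trust any fields from it.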
