Social media integration: sharing and verification
In this part, we will have a look at how we can make sure people don’t have multiple accounts after signing into our application through different means.
If you allow users to sign up through different social networks and perhaps your own registration system as well, there is a good chance some users will end up with multiple accounts. How annoying is it for a user who signed up through Facebook earlier to come back later and log in through Twitter because he thought that was the one he used? We can limit this by letting the user merge accounts manually, or by trying an automatic system that identifies duplicated users.
I suggest a setup of two database tables. The first table is the general user table, which contains all information about the user.
CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) NOT NULL,
  `password` varchar(255) DEFAULT NULL,
  `firstname` varchar(50) NOT NULL,
  `lastname` varchar(50) NOT NULL,
  `emailaddress` varchar(255) NOT NULL,
  `city` varchar(50) NOT NULL,
  `birthdate` date NOT NULL,
  `gender` varchar(10) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1;

Note: As you can see, I used the fields that we also used in our SocialLoginInterface. You might need more or fewer fields depending on your application. You could even decide to split this table into a user and a user_profile table if you wish. The password column is nullable because accounts created through a social network have no password of their own; when it is set, store a password hash (PHP's password_hash()), never the plain text. The table uses the same utf8 character set as user_provider below, since names coming back from social networks frequently cannot be represented in latin1.
The second table contains all data regarding any third party logins the user used.
CREATE TABLE IF NOT EXISTS `user_provider` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `user_id` int(11) NOT NULL,
  `provider` varchar(50) COLLATE utf8_unicode_ci NOT NULL,
  `provider_uid` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `provider_identity` (`provider`, `provider_uid`),
  KEY `user_id` (`user_id`),
  CONSTRAINT `fk_user_provider_user` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=1;

In provider we save the name of the provider we used, for example Google+. In the provider_uid column we save the user ID the provider returned for this user. The unique key on (provider, provider_uid) guarantees that a given provider identity is attached to at most one local account, which is exactly what the connect logic below relies on when it looks the ID up; the foreign key keeps a link from outliving the account it belongs to.
Let’s imagine a user registered through Google+. Later on, he comes back and registers himself through your default registration system. After logging in, he suddenly remembers that he was already logged in once before with Google+.
According to the above database schema, there will now be two records in the user table and one record in the user_provider table. The best way to merge these two accounts is by letting the user connect other social networks to their account.
You can do this by allowing users to “log in” with a social network, after already being authorized in your system. However, instead of “log in”, we are now going to call it “connect”.
Just add a "connect" button to your application which sends the user to the social network's log in URL, exactly as you did on the log in page. The difference is that this button, and the callback behind it, must only be reachable by a user who is already logged in, and the callback should verify the OAuth state value it issued, so that an attacker cannot lure a logged-in victim into a callback that attaches the attacker's social identity to the victim's account. As soon as the callback URL is called, you check whether the user ID the social network returned is already in your user_provider table.
If so, and the record points at a different user_id than the one currently logged in, you have found a second account of the same person: the user has just proven to the provider that he controls that identity. In that case you can move the user_provider record (and everything else the duplicate owns, see the note below) to the current user and then remove the duplicate account. If the record already points at the current user, the network was connected before and there is nothing to do.
If not, then it just seems to be that this user was not logged in before with that social network. In that case, you can just add a record to user_provider. Next time he logs in through this social network, he will be immediately recognized.
Note: Before merging the 2 accounts together, you could first ask the user if he actually wants to do this. Maybe there is a reason the user had two separate accounts. Next to that, don’t forget to also merge any content added by the duplicate user with the current user, so all data is connected with one account.
There is, however, also the opposite case: the user is logged in through Google+ and now wants to merge that account with an already existing account that was registered through the default registration system. In that case, you can ask the user for the username and password of that account. When they are filled in, look up the user record by username and check the supplied password against the stored hash (password_verify() in PHP). Only a successful check entitles the current session to absorb that account; never look for a "matching combination" against a plain-text password column.
Instead of letting the user merge accounts manually, we could also try to merge automatically. This can be done by comparing the profile we get back from a social network with the users that already exist, right after the user has authenticated with the social network.
A good start is the email address. It is unique to a person in practice, and some providers tell you whether they have verified it. So after you received all data from the social network, check whether the email address you got back already exists in the database. If so, you seem to have found a match, and instead of creating a whole new user you could update that existing user.
That's it? I wish it was. However, not all social networks return an email address. Twitter, for example, did not return one at the time of writing, and there was no other way to retrieve it. Next to that, who says my Google+ email address is the same one I used in your application? In the end, there is no guarantee that you merged all possible accounts.
Since we cannot guarantee there was an actual merge, we can add a second level which checks the user profile. As you saw in the previous article, we collect more data than just the email address. The next check we could perform is a combination of the other fields. Checking the birth date alone, for example, gives far too many possibilities. But how big is the chance that you find two people with exactly the same last name and birth date? Or two people with the same location, first name and gender?
Basically, the combinations are endless. Just try to think reasonably and take into consideration that not all social networks are returning all data. In the previous article we saw for example that Google is not giving you back a birth date.
So, can we actually merge based on these details? No! If you did, you just opened up a security hole. An attacker does not even need to break into anyone's Google+ account: he only needs a Google+ profile of his own whose name and birth date, or whose email address the provider never verified, match those of the victim. By logging into your application with it, he would be handed the victim's account. To prevent this, we need one more step between the log in and the actual merge: validation.
Whenever the user logs in through Google+ and your system has found a possible match in your database, ask the user to validate. The simplest way is to tell the user that you found what looks like an existing account and let him prove it is his by performing the original log in. So if the existing account was created through your default registration system, let the user enter the password for that account. If it was created through a different social log in, let the user log in again through that same network, and accept that only if the provider_uid that comes back is the one stored for the existing account. If the verification succeeds, you know for sure you have the correct user and can merge; if it fails, create the new account as usual and leave the existing one untouched.
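The connect callback, the merge transaction and the validation gate described above (from the "connect" button through the automatic match that must never merge on its own), as an added example that is not part of the original article or its package. It is written in Python with the standard-library sqlite3 module rather than the PHP used in this series so that it runs stand-alone; the schema is an SQLite adaptation of the two tables above plus a hypothetical post table so the merge has content to move, and all usernames, provider IDs, emails and passwords are constructed sample data. PBKDF2 stands in for whatever password hashing your registration system uses.

```python
import hashlib, hmac, os, sqlite3

# Schema adapted from the article's MySQL tables to SQLite, plus a hypothetical `post` table so
# the merge has content to move. UNIQUE (provider, provider_uid) is the important constraint:
# one provider identity can only ever be linked to one local account.
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL UNIQUE,
    password TEXT, emailaddress TEXT NOT NULL, lastname TEXT, birthdate TEXT);
CREATE TABLE user_provider (id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL REFERENCES user(id) ON DELETE CASCADE,
    provider TEXT NOT NULL, provider_uid TEXT NOT NULL, UNIQUE (provider, provider_uid));
CREATE TABLE post (id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL REFERENCES user(id), body TEXT NOT NULL);
"""
ITERATIONS = 100_000  # PBKDF2 rounds; the password column holds "salt$hash", never plain text

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def register(db, username, password, email, lastname=None, birthdate=None):
    cur = db.execute("INSERT INTO user (username, password, emailaddress, lastname, birthdate) VALUES (?,?,?,?,?)",
                     (username, hash_password(password) if password else None, email, lastname, birthdate))
    db.commit()
    return cur.lastrowid

def link_provider(db, user_id, provider, provider_uid):
    db.execute("INSERT INTO user_provider (user_id, provider, provider_uid) VALUES (?,?,?)",
               (user_id, provider, provider_uid))
    db.commit()

def connect_callback(db, current_user_id, provider, provider_uid):
    """Provider callback behind the 'connect' button: the provider has just asserted that the
    logged-in user controls provider_uid. Returns (status, user_id the identity points to)."""
    row = db.execute("SELECT user_id FROM user_provider WHERE provider=? AND provider_uid=?",
                     (provider, provider_uid)).fetchone()
    if row is None:
        link_provider(db, current_user_id, provider, provider_uid)
        return "linked", current_user_id
    if row[0] == current_user_id:
        return "already_linked", current_user_id
    return "duplicate_found", row[0]  # confirm with the user, then call merge_accounts()

def merge_accounts(db, keep_id, drop_id):
    """Re-point provider links and content from drop_id to keep_id, then delete drop_id, atomically."""
    if keep_id == drop_id:
        raise ValueError("cannot merge an account into itself")
    with db:  # single transaction: all rows move or none do
        db.execute("UPDATE user_provider SET user_id=? WHERE user_id=?", (keep_id, drop_id))
        db.execute("UPDATE post SET user_id=? WHERE user_id=?", (keep_id, drop_id))
        db.execute("DELETE FROM user WHERE id=?", (drop_id,))

def find_candidate(db, profile, exclude_id):
    """Automatic matching: email first, then lastname+birthdate. Returns only a *candidate*;
    prove_ownership() must succeed before anything is merged."""
    if profile.get("emailaddress"):  # Twitter-style providers return no email at all
        row = db.execute("SELECT id FROM user WHERE emailaddress=? AND id!=?",
                         (profile["emailaddress"], exclude_id)).fetchone()
        if row:
            return row[0]
    if profile.get("lastname") and profile.get("birthdate"):
        row = db.execute("SELECT id FROM user WHERE lastname=? AND birthdate=? AND id!=?",
                         (profile["lastname"], profile["birthdate"], exclude_id)).fetchone()
        if row:
            return row[0]
    return None

def prove_ownership(db, candidate_id, password=None, provider=None, provider_uid=None):
    """Validation step: log in to the candidate account the way it was created, i.e. with its
    password, or through a provider identity already linked to it."""
    if password is not None:
        row = db.execute("SELECT password FROM user WHERE id=?", (candidate_id,)).fetchone()
        return bool(row and row[0] and verify_password(password, row[0]))
    if provider is not None:
        return db.execute("SELECT 1 FROM user_provider WHERE user_id=? AND provider=? AND provider_uid=?",
                          (candidate_id, provider, provider_uid)).fetchone() is not None
    return False

def demo():
    """Walk through both scenarios from the article on constructed sample data."""
    db = open_db()
    old = register(db, "alice", None, "alice@example.com", "Smith", "1990-01-01")  # Google+ sign-up
    link_provider(db, old, "googleplus", "g-1001")
    db.execute("INSERT INTO post (user_id, body) VALUES (?, ?)", (old, "first post"))
    db.commit()
    new = register(db, "asmith", "s3cret", "alice@example.com", "Smith", "1990-01-01")  # re-registered
    status, other = connect_callback(db, new, "googleplus", "g-1001")  # presses "connect"
    if status == "duplicate_found":
        merge_accounts(db, keep_id=new, drop_id=other)  # after asking the user
    posts = db.execute("SELECT COUNT(*) FROM post WHERE user_id=?", (new,)).fetchone()[0]
    # Automatic matching: a Twitter login with the same lastname/birthdate but no email only yields
    # a candidate; the merge must wait for a correct password (or Google+ re-login) for that account.
    stranger = register(db, "twitter_123", None, "", "Smith", "1990-01-01")
    cand = find_candidate(db, {"lastname": "Smith", "birthdate": "1990-01-01"}, stranger)
    return {"status": status, "posts": posts, "candidate": cand,
            "wrong_password": prove_ownership(db, cand, password="letmein"),
            "right_password": prove_ownership(db, cand, password="s3cret"),
            "provider_proof": prove_ownership(db, cand, provider="googleplus", provider_uid="g-1001")}

if __name__ == "__main__":
    print(demo())
```

Run the file directly and demo() prints the outcome of both scenarios. The point to take from it is that find_candidate() never merges anything: a wrong password and the right password give different answers from prove_ownership(), and only a true answer should ever be followed by merge_accounts(), which moves the provider link and the content in one transaction before the duplicate row is deleted.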
In the end, we still can have some duplicate accounts. However, we at least tried to keep it to a minimum and by trying, we also tried to improve the user experience.
With this article, we reached the end of this series. Hopefully, these articles taught you something about how to create framework agnostic packages, how you can set up a social log in with Google+ and how you can merge accounts together.
Some follow-up articles will be online soon, showing you how to extend these articles to other social networks. I am looking forward to your feedback in the comments below.
Translated from: https://www.sitepoint.com/social-network-authentication-merging-accounts/