Can you tell if Google sign-in had 2fa? - google-signin

On a web app using Sign-in with Google, I want to know if Google had let the user in with 2fa challenge or without and decide to present a 2fa challenge to the user if they have not. Is there a way to know that?
Failing that, is there a way to tell if the user has 2fa enabled on their Google account or not (regardless of it being part of the most recent login session)?

Google doesnt tell you if the user has 2fa enabled on their account or not.
The only information you are going to get back from a google sign in is if it went though or not.

Related

Detect whether authetication credientials are already linked or not in Firebase

In Firebase, I want the users to be able to sign in with providers like Facebook, Twitter, and Google but not to sign up with them. So, when the user tries to login with them, how can I detect whether his/her credentials are linked to an account or not before trying to sign in with those credentials to Firebase?!
I don't think this is going to be possible. To be able to link accounts with those providers, you'll need to enable the providers in the Firebase console. And once you do that, users can call the API themselves to create an account with that provider.
If you don't care about this out-of-bounds abuse, and just want to make it work in your application code, have a look at the fetchSignInMethodsForEmail method.

Limit each firebase user to only one auth provider?

How do I make it so that when a new user signs up in firebase, they can only login with that provider? Ex: a new user uses an email and password to sign up and then is rejected when trying to log in with Google.
I'm using Firebase with javascript in React if it helps.
What you're asking doesn't sound possible. The different auth providers don't know about each others' user bases. jackoboy on Google isn't at all related to jackoboy on Facebook. While they might have the same email address, that's never a guarantee that they are the same individual. So when jackoboy signs up with Google, there is nothing that can possibly stop jackoboy from also signing up with Facebook as a different account.
If you want to impose your own checks to see if the end user might be the same, you're going to have to write some code for that on a backend you control, then delete the second account if it appears to be the same person, by whatever logic you determine. Firebase Auth just isn't going to do that for you.

Google Sign-In: Keeping user signed out if he/she signs out elsewhere

I use Google Sign-In in order to let my users connect their Google Calendar and related services to our web app. The problem is that if a user signs out of her connected account somewhere else, this will revoke access from our app as well.
I understand that this is primarily a user issue, but several of them still expect their Google integration with our app to work even if they are not signed in to the account in question.
Is there any way at all we can achieve this? Does Google Sign-In have something akin to a Refresh Token which will allow us to create a new session even if the user has signed out?
After trying multiple approaches, we came to the conclusion that this simply is not possible. You should NOT use Google SignIn if you need persistent access to a users profile until he/she manually revokes it. The natural choice for that is plain oauth2.

Facebook PHP SDK, server-side login, without clicking any link (knowing password).

Can i log in to my Facebook account (Knowing user id and password), in the server using Facebook php-sdk, and without need to click any URL?
If yes, please explain.
It is against Facebook's Terms of Service to use a user's email address and password to login to their account. You should instead use the Facebook API to achieve this, but it requires manual login by a user.
There are ways of achieving automatic login using credentials, but since it's not allowed, I won't go into detail. Facebook also detects and prevents most of the common method of auto-login.

Google Calendar API . Can I write to a users calendar when the user isn't logged in?

This may seem like a totally idiotic question but I am looking at writing a web app/service that will utilize google's calendar API's and I needed to see if I have the ability to write to a users calendar when the user isn't logged into there google account. I couldn't find any clear documentation that illustrated whether or not I could do this or not. I pictured the authorization process something the user agrees to when they sign up for my site and then my app can go add things to there google calendar. Does anyone know if this is possible? If so, can someone hook me up with a link that illustrates how that works?
Thanks in advance
You're thinking about "logged in" wrong.
Because web connections don't persist between requests, any web-site or web-service is checking headers such as the Authorization header and/or Cookie header (depending on what authorisation method is used), with each and every request and matching the request to a user.
Hence logging in* means that the web client (browser or whatever) is set to use the details that relate to a particular user in making the request.
When you use the API, the authorisation information you send, is performing the same job. As such, when the user is using your API they are logged in through your API, whether they're logged in through a web page or other application or not.
E.g.:
My web browser is currently logged into google to an account I use for work stuff.
My mail client is logged into google calendar to an account I use for private stuff.
When I look at google calendar, I see that I don't have any calendars (I don't use it on my work account).
When I look at Thunderbird, I see my calendars.
If I peek at the traffic being sent by the browser and mail client, on both I see headers like:
Authorization: GoogleLogin auth=...stuff I'm not going to share or it would help you impersonate me
So, I'm "logged in" on Thunderbird because the code using the API logs me in itself.
Indeed, the same application can access multiple accounts and be "logged in" to all of them, as long as it has the authentication details to do so.
*Strictly, some would argue that "logged in" isn't the correct term at all, and refers to different sorts of access mechanism where there is state on the connection. Whatever about that opinion, we use the metaphor of being or not being logged in, because users understand it.
The answer to your question is yes. Use OAuth 2 and the Authorization Code flow (web server flow), with offline enabled. Store the refresh tokens (which last indefinitely until the user has revoked), and you'll be able to upload events to Google Calendar even when the user isn't currently logged in.
More info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Credits to Ryan Boyd for this note.

Resources