I have both the laravel built in and social authentication. Suppose if a user logs in using facebook, i store the user details such as fb_id, username, email etc. to the users table which is authenticable from built in login system.This way i can use laravel Auth.
$fb_user = Socialite::driver('facebook')->user();
$user = User::firstOrCreate(['fb_id'=>$fb_user->id,'name' => $fb_user->name, 'email' => $fb_user->email]);
Auth::login($user, true);
return redirect('/');
Now, the users table have a user with username and password NULL. Couldn't anybody login with just username from built in login if no password validations are required? OR what is wrong with my concept here?
Couldn't anybody login with just username from built in login if no password validations are required?
Yes Anybody can login.
From the comments:
Solution 1:
Password should be hashed.Assuming empty passwords are allowed, they will hash to something that is not empty (for example, password_hash('',PASSWORD_DEFAULT); returns something like $2y$10$MD7HZwh9oki9U74Ta1/7OuDpYK8UXAFEufgMIeNazKSyv1xRabwqu) Therefore there should be no real issue with this method.
Solution 2:
We should have a field to flag the user as being from a separate authentication source. That way if anyone tries to login directly using those details you can ignore rows with that flag when checking credentials