
In building a small Android app, I decided to try out Digits to log in with a phone number and Parse for the back end.

How might I validate a Digits session with the Parse server?

I've started with the below example, though I'm not sure if this is 'correct' (adapted from this post).

Android Client:

  1. Request auth (oauth?) token and user id from digits

    a. Send in a digits key and secret, retrieve an object

  2. Validate this session with Parse

    a. Send in phone number, auth token, and user id

    b. Receive acknowledge with user info if authorization is valid

Parse:

  1. Auth endpoint takes phone number, auth token, and user id

    a. Validate with twitter endpoint

    b. Insert auth token hash and user id into a Sessions table (future requests will ping this table, not twitter)

    c. Return acknowledge to client

The above makes sense, but a Parse Example with Github login seems to do something slightly different. With Parse, the initial request to the third-party is made from the Parse server, not the client.

Github requires a 'state' parameter to be sent in, which seems to be why the Parse example has its initial request sent from the server, whereas Digits does not require such a parameter. Does this make the Digits authentication any less secure? Is there a way to make this process more secure/correct?

  • did you manage to integrate 2 together? Commented Mar 2, 2015 at 1:46

1 Answer


Here's a gist of my current solution.

On the Parse side of things I send in an http request that looks something like the following:

// Within a /verify_credentials webhook. The two header names are the ones the
// Android client sends (see below): the OAuth Echo provider URL and the signed
// Authorization value that the provider will check.
var headers = ['X-Auth-Service-Provider', 'X-Verify-Credentials-Authorization'];

Parse.Cloud.httpRequest({
    method: 'GET',
    // This URL is supplied by the client; it should be compared against the
    // expected verify_credentials endpoint rather than forwarded as-is.
    url: req.get(headers[0]),
    headers: {'Authorization': req.get(headers[1])},

    success: function(httpResponse) {
        // The provider accepted the signed request; the body is the account JSON
        var obj = JSON.parse(httpResponse.text);
        res.status(httpResponse.status).send("success");
    },
    error: function(httpResponse) {
        res.status(400).json({
            error: 'Unable to make a twitter request'
        });
    }
});

On the Android side of things, I send an http request to the Parse server with the Parse session information within the headers:

    // `session` is the Digits session obtained at login; `cloud` and `callback`
    // are the app's own client for the Parse endpoint (not shown here).
    TwitterAuthConfig authConfig = TwitterCore.getInstance().getAuthConfig();

    // Cast from AuthToken to TwitterAuthToken
    TwitterAuthToken authToken = (TwitterAuthToken) session.getAuthToken();

    OAuthSigning oAuthSigning = new OAuthSigning(authConfig, authToken);
    // The first value is the provider URL the server should query;
    // the second is the signed Authorization header carrying the validation information.
    Map<String, String> authHeaders = oAuthSigning.getOAuthEchoHeadersForVerifyCredentials();
    try {
        cloud.verifyCredentials(
                authHeaders.get("X-Auth-Service-Provider"),
                authHeaders.get("X-Verify-Credentials-Authorization"),
                session.getId(),
                callback);
    } catch (Exception e) {
        // The request could not be sent; the session is not trusted until the server acknowledges it
    }
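As an added example (not the question's or the answer's code) of the server-side step the answer describes: the two OAuth Echo headers from the client are checked, forwarded only to the allowlisted Digits endpoint, and the account id the provider returns is compared with the id the client claims. The endpoint URL, the `id_str`/`phone_number` fields and the injected `lookup` function are assumptions, and the provider response is constructed so the block runs offline.

```javascript
// Added example, not from the question or answer. Assumed Digits OAuth Echo
// endpoint; any other provider URL named by the client is refused.
const ALLOWED_PROVIDERS = new Set([
  'https://api.digits.com/1.1/sdk/account.json',
]);

// Checks performed before any outbound request is made.
function checkEchoHeaders(providerUrl, authorization) {
  if (!providerUrl || !authorization) return { ok: false, reason: 'missing header' };
  // Forwarding whatever URL the client supplies (as the answer's webhook does)
  // lets a client-chosen server answer 200 for any token, so pin the URL here.
  if (!ALLOWED_PROVIDERS.has(providerUrl)) return { ok: false, reason: 'provider not allowlisted' };
  if (!/^OAuth /.test(authorization)) return { ok: false, reason: 'not an OAuth header' };
  return { ok: true };
}

// headers: the two X-* values sent by the Android client; claimedUserId: the
// session.getId() value; lookup(url, headers) -> {status, text} (synchronous here).
function verifyDigitsSession(headers, claimedUserId, lookup) {
  const providerUrl = headers['X-Auth-Service-Provider'];
  const authorization = headers['X-Verify-Credentials-Authorization'];
  const pre = checkEchoHeaders(providerUrl, authorization);
  if (!pre.ok) return { valid: false, reason: pre.reason };
  const resp = lookup(providerUrl, { Authorization: authorization });
  if (resp.status !== 200) return { valid: false, reason: 'provider rejected credentials' };
  let account;
  try { account = JSON.parse(resp.text); } catch (e) { return { valid: false, reason: 'bad provider response' }; }
  // Bind the identity the provider vouches for to the one the client claims.
  if (String(account.id_str) !== String(claimedUserId)) return { valid: false, reason: 'user id mismatch' };
  return { valid: true, userId: account.id_str, phone: account.phone_number };
}

// Constructed sample of the headers the Android client would send.
const GOOD_HEADERS = {
  'X-Auth-Service-Provider': 'https://api.digits.com/1.1/sdk/account.json',
  'X-Verify-Credentials-Authorization':
    'OAuth oauth_consumer_key="k", oauth_token="constructed-good-token", oauth_signature="s"',
};

// Constructed stand-in for the provider: exactly one signed header is accepted.
function fakeDigits(url, headers) {
  if (headers.Authorization.indexOf('oauth_token="constructed-good-token"') !== -1) {
    return { status: 200, text: JSON.stringify({ id_str: '12345', phone_number: '+15555550100' }) };
  }
  return { status: 401, text: '{"errors":[]}' };
}
```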

2 Comments

How is this working out? Have you launched, and if so, how is this solution holding up?
@Felker this worked fine for the app we were working on. We've switched to App Engine since, so I'm not sure how effective this solution would still be. I believe Parse is closing down, but it might work with their Nodejs library
