After authentication, what will be sent to our backend from the mobile app is only the email of the user.
Hey Al Ryan, this seems like a faulty implementation of OAuth. What you get back from Facebook is a token; you send that token to your server, and the server sends it back to Facebook to verify it's not faked. Only then can the user be logged in.
Otherwise anyone can call the server with an email and act as that user.
This is a library with social auth and JWT support, see if this helps.
I'm also sharing the solution from my project:
- Create a graphql mutation named facebookAuth.
- The above mutation will take two params: access_token and access_verifier.
- Send a GET request to this URL:
  f"https://graph.facebook.com/me?fields=name,email&access_token={access_token}"
- If the JSON response has a key errors, stop the user from logging in.
- Otherwise the above response will contain email; use it to create/get a User object.
- Now you simply need to return the JWT token from your mutate function.
- To generate access and refresh tokens call the function jwt_encode, imported as from dj_rest_auth.utils import jwt_encode
- The above will return a tuple access_token, refresh_token.
Note I have used dj_rest_auth instead of django-graphql-jwt, but it's pretty equivalent; you just need a function to sign the JWT, the rest is all custom logic, so better write it yourself.
PS: OAuth is a sensitive entry-point for attackers, so implement it securely. You can contact me at atul7555[at]gmail.com for any assistance.
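The server-side verification step above, as an added example that is not from the answer or from dj_rest_auth: the backend trusts only the provider's response for the user's identity, never a client-supplied email, and blocks the login when the token is rejected or carries no email. The `fetch` parameter, `SocialAuthError`, the `login_result` helper and the sample Graph API responses are assumptions; the JWT signing step (jwt_encode) is left to whatever library you use.

```python
import json
import urllib.parse
import urllib.request

GRAPH_ME = "https://graph.facebook.com/me"


class SocialAuthError(Exception):
    """Raised when the provider rejects the token or returns no usable identity."""


def _http_get_json(url):
    # Real fetcher (hypothetical helper): the only network call in this module.
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_facebook_token(access_token, fetch=_http_get_json):
    """Return the verified (facebook_id, email) for an access token.

    The identity comes from the provider's answer to /me, so a caller who
    only knows someone's email cannot impersonate them.
    """
    query = urllib.parse.urlencode({"fields": "id,name,email", "access_token": access_token})
    data = fetch(f"{GRAPH_ME}?{query}")
    # Graph API error responses carry an "error" object; "errors" (as the
    # answer above spells it) is accepted too, so either shape blocks login.
    if "error" in data or "errors" in data:
        raise SocialAuthError("provider rejected token")
    email = data.get("email")
    if not data.get("id") or not email:
        # Valid token but no email permission granted: refuse rather than
        # falling back to an address the client supplied.
        raise SocialAuthError("no verified email for this token")
    return data["id"], email.lower()


# Constructed sample responses standing in for the live Graph API.
FAKE_GRAPH = {
    "valid-token": {"id": "10001", "name": "Alice", "email": "Alice@example.com"},
    "no-email-token": {"id": "10002", "name": "Bob"},
    "bad-token": {"error": {"message": "Invalid OAuth access token.", "code": 190}},
}


def fake_fetch(url):
    token = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["access_token"][0]
    return FAKE_GRAPH.get(token, FAKE_GRAPH["bad-token"])


def login_result(access_token, fetch=fake_fetch):
    """What the mutation does before signing a JWT: verify, then get/create the user."""
    try:
        uid, email = verify_facebook_token(access_token, fetch=fetch)
    except SocialAuthError as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "user": {"facebook_id": uid, "email": email}}
```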