How to check if a visitor/user is already logged in on Google? (not on the app itself)

[Serkan Durusoy]

Hi There,

I have a strange, but somewhat logical task ahead.

I am using accounts-google to create and sign in users. I need the app to detect if a visitor is logged in on Google.

So far I've come across the Google+ api which claims to provide this information by https://developers.google.com/+/web/api/javascript#gapiauthchecksessionstatesessionparams_callback but that requires the use of an external script which I could not manage to get into my app.

A little background:

Say I have users A and B. They are among other people who share a pool of computers.

A logs into app using google login, does their work, goes on to some other google app, completes all tasks and logs off there. Thinking, oh well, when I log off drive, I also automatically get logged of mail, calendar etc, so I must also be logged off of the app.

B comes along, fires up the app, only to find that A's super secret app data is there to take a peek. 

So in essence, I need to check, during a first request and even better yet whenever the app gets activated (it may have been kept in the background, so there would be no request per se):

* if there is no google session, call Meteor.logout()

* if there is a user session, check if the app user matches the google user which gapi.auth.checkSessionState(sessionParams, callback) seems capable of 

The inverse of this problem is equally important. A user can log out of the app, thinking they've also logged out of all google services, which is not the case. Therefore, to mitigate that, I'm redirecting the user to https://accounts.google.com/Logout after logout, so that I make sure the user is logged off completely.

PS:

As I've said, this may seem irrational and a usability killer, but the app environment is a business where google apps is at the very center. And all other google apps behave this way. You log out of one, you're completely out. That's a business context which custom apps should not deviate from.

PPS:

It would also be swell to log the user in automatically. Just like the other apps, a user logs into drive, they are also in mail and calendar etc. So I would love if some auto login were available, but that's an exercise for another day.

PPPS:

On a side note, I came across https://developers.google.com/+/api/auth-migration#timetable which kind of suggests that we need to give up on our classic oauth2.0 authentication and migrate to google+ login, which essentially is claimed to be more secure, robust, and feature-packed. 

I'm all out of P's ;)

Cheers,

Serkan

[David Andersson]

I have the same problem but solving it by simply requiring {forceApprovalPrompt: true} all the time.

http://docs.meteor.com/#/full/meteor_loginwithexternalservice

Even though this requires me to approve each time I sign in.

Cheers,

David

--
You received this message because you are subscribed to the Google Groups "meteor-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to meteor-talk...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/meteor-talk/c36e2e0e-86fd-45ee-bae9-8baa209ceafb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

David Andersson
dava...@gmail.com | +46-702-172280

[Serkan Durusoy [DNA | encoding the future]]

ugh that's ugly! :(

I've been reading up on the new api which handles all these cases automatically.

I think I'm going to give that a try and implement a custom accounts package.

Sent from my iPhone

You received this message because you are subscribed to a topic in the Google Groups "meteor-talk" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/meteor-talk/ggZwNTPNqQI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to meteor-talk...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/meteor-talk/CAEDON15bXwRQ%3D7QH-af91E2Euxk_J02XnUOKgfvQHj2GahAOJQ%40mail.gmail.com.

[Serkan Durusoy]

Hi David,

I just gave your method a quick try and it does not solve my problem.

User A opens tab 1 and logs in

User A opens tab 2 and checks email on gmail

User A logs out of gmail (optionally closes the window) thinking he's all out

User B opens window, logs in to gmail

User B opens new tab or just writes in the address on the same tab to go to app

User B sees that User A is still logged in

passing in {forceApprovalPrompt: true} does not help

It only causes them to approve account access requests over and over, which is not even more annoying.

[Serkan Durusoy]

Ok, drifting and sifting through thoughts, I've tried the following hack:

Accounts.onLogin(function(loginObject){

  if (loginObject.type === 'resume') {

    Meteor.users.update({}, {$set: { "services.resume.loginTokens" : [] }});

  }

  return true;

});

So that the visitor has to log in wether or not they are already logged in to Google. Checking for loginObject.type === 'resume' allows me to know if this is a new login attempt or reuse of an existing unexpired one.

But there is one caveat! (there never is none)

This is not browser tab friendly. If I log in, open another tab and paste in the address, or ctrl+click a link on the first tab to follow it to the second, I get logged out on all tabs!

This may be a great hack for some business-app usecases but in my case, back to square one.

I really really really don't want to create a new accounts-googleplus package...

sigh*

 

[Serkan Durusoy]

BUMP!

http://stackoverflow.com/questions/28722415/how-to-make-sure-user-in-apps-session-and-googles-session-are-the-same-when-us

[Serkan Durusoy]

Ok, for historical reasons only, here's my current hacky approach to the problem, go check out the new board at https://forums.meteor.com if you have not already.

It seems impossible with Meteor's current accounts package, although one could create a new one using Google's latest googleplus api.

But there seems to exist a workaround by:

1) Set up onBeforeAction hooks on your router to login the user automatically (which asks for credentials if user is not logged in to external service)

var loginWithGoogle = function() {
  if (Meteor.isClient) {
    Session.set('loginError', undefined);
    Meteor.loginWithGoogle({
      loginStyle         : "redirect",
      requestPermissions : ['profile', 'email'],
      requestOfflineToken: true
    }, function (err) {
      if (err)
        Session.set('loginError', 'reason: ' + err.reason + ' message: ' + err.message || 'Unknown error');
    });
  }
}

var requireLogin = function() {
  if (! Meteor.user()) {
    if (Meteor.loggingIn()) {
      this.render(this.loadingTemplate);
    } else {
      console.log('The app is automatically asking for you to log in.');
      loginWithGoogle();
    }
  } else {
    this.next();
  }
}

Router.onBeforeAction(requireLogin, {except: ['some-special-public-route']});

2) Log the user out when they are navigating away from every page (caveat: login/logout gets called everytime the user navigates within the app)

Meteor.startup(function(){
    $(window).bind('beforeunload', function() {
        closingWindow();
    });
});

closingWindow = function(){
    console.log('The app is automatically logging you out because you are leaving.');
    Meteor.logout();
}

3) improvement area: set a session variable to track user's navigation within the app and run the unload event depending on the variable.