help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Logging into a Web Site from Fitbit App Settings

‎03-07-2018 19:51

‎03-07-2018 19:51

tl;dr: How can I get a Fitbit companion app to pass log-in credentials to a web site?

 

I’ve developed an app (‘Slideshow’) that would let users view their own pictures on their watch. The pictures need to be cropped and resized to suit the Ionic, and I’ve developed some web pages to do this.

 

For security reasons, I don’t want to open up the web site to the world, since it allows files to be uploaded to my server. Therefore, the web site has the standard username and password credentials.

 

Obviously, there has to be some linkage between the Fitbit companion and the web site, so the companion can fetch the images from the web site. Because the web site can react to communications from the companion but not vice versa, the user selects a username and password on the Fitbit app Settings page. These are passed using fetch() to the web site, which then creates an account for the user. This will make more sense if you follow along using the current draft of the app, which you can install from the link here.

 

The problem comes when the user has to use the web site. The obvious approach is for the user to touch a link on the Settings page to open a browser app, and that’s how I’ve implemented it at the moment. However, once the browser starts, the user can no longer see the username and password they specified, which makes it hard for them to log in. Fitbit rejected the app for this reason.

 

I could pass the username and password as GET parameters on the Settings page link, and then have the web site extract them and log in automatically. However, this feels horribly insecure. I’d be happier if the credentials could be passed using POST, but links on a Settings page can’t do that. The companion app can send POST variables, but it can’t open a browser window so that doesn’t help.

 

Compounding the problem is that, in some circumstances (eg, Firefox on Android), links in the Settings page open in an in-app browser component/view that isn’t sufficiently functional to be able to display the site (even though Firefox itself has no problems with it). This argues against including a clickable link on the Settings page.

 

An alternative would be to provide the web site’s URL as a field that could be copied and pasted into a browser’s address bar. This is inelegant too, because text on Fitbit Settings pages generally can’t be copied, and pasting into browsers’ address bars isn’t something that everyone could manage.

 

Does anyone have any suggestions about how I can get users logged in to the web site?

Peter McLennan
Gondwana Software
Best Answer
0 Votes
5 REPLIES 5

‎03-07-2018 20:32

‎03-07-2018 20:32

 

Can you generate disposable URL from the app?
Basically the app contacts the server with a user ID. The server generates a random GUID and associates it with the user ID. That Guid is passed in the get and - as soon as the logs the user in - it destroys the GUID.
Worth trying, you might hit a limitation.

Best Answer
0 Votes

‎03-07-2018 20:42

In response to paperinik

‎03-07-2018 20:42

@paperinik Excellent idea! I think I should be able to make that work. Many thanks!

Peter McLennan
Gondwana Software
Best Answer
0 Votes

‎03-07-2018 23:22

In response to Gondwana

‎03-07-2018 23:22

Unfortunately, because the Link component doesn't have a settingsKey, I suspect that I won't be able to change its source attribute from the companion (which may not have been possible in any case).

 

I don't know if it's possible to do so directly in settings/index.jsx. I really can't get my head around React! 😞

Peter McLennan
Gondwana Software
Best Answer
0 Votes

‎03-08-2018 00:56 - edited ‎03-08-2018 00:57

‎03-08-2018 00:56 - edited ‎03-08-2018 00:57

How about something like:

 

https://username:password@members.geocities.com/

Like my response? Vote for it! Or accept as solution!
Best Answer
0 Votes

‎03-08-2018 01:15

In response to EmTe

‎03-08-2018 01:15

@EmTe I seem to have two problems:

  1. I can't dynamically change the link source in settings/index.jsp. I don't think the Fitbit API/environment allows it.
  2. I'm loathe to pass the credentials in the URL for security reasons, even though they'd probably be encrypted in HTTPS and the stakes aren't high. The URL would have to be something like http://gondwanasoftware.net.au/slideshow?username&password. Even if I hashed the credentials, anyone who could see the URL would be able to use it to gain access.

I'm now leaning towards reversing my current approach; ie, getting the user to nominate a username and password in the web site first. The web site would then provide a GUID that could be copied and pasted into the Fitbit app settings page. It's still not hugely secure or elegant, but would hopefully be good enough to get the app accepted.

Peter McLennan
Gondwana Software
Best Answer
0 Votes