Logging into a Web Site from Fitbit App Settings

tl;dr: How can I get a Fitbit companion app to pass log-in credentials to a web site?

I’ve developed an app (‘Slideshow’) that would let users view their own pictures on their watch. The pictures need to be cropped and resized to suit the Ionic, and I’ve developed some web pages to do this.

For security reasons, I don’t want to open up the web site to the world, since it allows files to be uploaded to my server. Therefore, the web site has the standard username and password credentials.

Obviously, there has to be some linkage between the Fitbit companion and the web site, so the companion can fetch the images from the web site. Because the web site can react to communications from the companion but not vice versa, the user selects a username and password on the Fitbit app Settings page. These are passed using fetch() to the web site, which then creates an account for the user. This will make more sense if you follow along using the current draft of the app, which you can install from the link here.

The problem comes when the user has to use the web site. The obvious approach is for the user to touch a link on the Settings page to open a browser app, and that’s how I’ve implemented it at the moment. However, once the browser starts, the user can no longer see the username and password they specified, which makes it hard for them to log in. Fitbit rejected the app for this reason.

I could pass the username and password as GET parameters on the Settings page link, and then have the web site extract them and log in automatically. However, this feels horribly insecure. I’d be happier if the credentials could be passed using POST, but links on a Settings page can’t do that. The companion app can send POST variables, but it can’t open a browser window so that doesn’t help.

Compounding the problem is that, in some circumstances (e.g., Firefox on Android), links in the Settings page open in an in-app browser component/view that isn’t sufficiently functional to be able to display the site (even though Firefox itself has no problems with it). This argues against including a clickable link on the Settings page.

An alternative would be to provide the web site’s URL as a field that could be copied and pasted into a browser’s address bar. This is inelegant too, because text on Fitbit Settings pages generally can’t be copied, and pasting into browsers’ address bars isn’t something that everyone could manage.

Does anyone have any suggestions about how I can get users logged in to the web site?

Peter McLennan
Gondwana Software
0 Votes

Can you generate a disposable URL from the app?
Basically the app contacts the server with a user ID. The server generates a random GUID and associates it with the user ID. That GUID is passed in the GET and - as soon as the server logs the user in - it destroys the GUID.
Worth trying, you might hit a limitation.

0 Votes
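
The disposable-URL idea suggested above, sketched as an added server-side example for Node.js (it is not code from this thread or from the Slideshow app). The function names, the two-minute lifetime, the in-memory `Map` and the `example.invalid` URL are all assumptions made for illustration.

```javascript
// Added example: single-use, short-lived login tokens for a hand-off URL.
const { randomBytes, createHash } = require('node:crypto');

const TOKEN_TTL_MS = 2 * 60 * 1000; // assumed lifetime: two minutes
// Only the SHA-256 of each token is stored, so a leaked store holds no usable tokens.
const pending = new Map(); // sha256(token) -> { userId, expiresAt }

const digest = (token) => createHash('sha256').update(token).digest('hex');

// Called when the companion sends the user's ID to the server.
function issueLoginToken(userId, now = Date.now()) {
  // Drop expired entries so abandoned tokens do not accumulate.
  for (const [key, entry] of pending) {
    if (entry.expiresAt <= now) pending.delete(key);
  }
  const token = randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  pending.set(digest(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Called when the browser opens the URL carrying ?token=...
// Returns the user ID to start a session for, or null if the token is rejected.
function redeemLoginToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return null;                 // unknown or already used
  pending.delete(key);                     // destroy on first use, even if expired
  if (entry.expiresAt <= now) return null; // too old
  return entry.userId;
}

// Hypothetical URL builder; host and path are placeholders.
function loginUrl(token) {
  const url = new URL('https://example.invalid/slideshow/login');
  url.searchParams.set('token', token);
  return url.toString();
}
```

A token in a query string still lands in browser history and server logs, so the single-use deletion and short expiry are what keep a copied URL from being replayed. After a successful redeem the server would normally set a session cookie and redirect to a URL without the token.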

@paperinik Excellent idea! I think I should be able to make that work. Many thanks!

Peter McLennan
Gondwana Software
0 Votes

Unfortunately, because the Link component doesn't have a settingsKey, I suspect that I won't be able to change its source attribute from the companion (which may not have been possible in any case).

I don't know if it's possible to do so directly in settings/index.jsx. I really can't get my head around React! 😞

Peter McLennan
Gondwana Software
0 Votes

How about something like:

https://username:password@members.geocities.com/

0 Votes

@EmTe I seem to have two problems:

  1. I can't dynamically change the link source in settings/index.jsx. I don't think the Fitbit API/environment allows it.
  2. I'm loath to pass the credentials in the URL for security reasons, even though they'd probably be encrypted in HTTPS and the stakes aren't high. The URL would have to be something like http://gondwanasoftware.net.au/slideshow?username&password. Even if I hashed the credentials, anyone who could see the URL would be able to use it to gain access.

I'm now leaning towards reversing my current approach; i.e., getting the user to nominate a username and password in the web site first. The web site would then provide a GUID that could be copied and pasted into the Fitbit app settings page. It's still not hugely secure or elegant, but would hopefully be good enough to get the app accepted.

Peter McLennan
Gondwana Software
0 Votes