03-07-2018 19:51
tl;dr: How can I get a Fitbit companion app to pass log-in credentials to a web site?
I’ve developed an app (‘Slideshow’) that would let users view their own pictures on their watch. The pictures need to be cropped and resized to suit the Ionic, and I’ve developed some web pages to do this.
For security reasons, I don’t want to open up the web site to the world, since it allows files to be uploaded to my server. Therefore, the web site has the standard username and password credentials.
Obviously, there has to be some linkage between the Fitbit companion and the web site, so the companion can fetch the images from the web site. Because the web site can react to communications from the companion but not vice versa, the user selects a username and password on the Fitbit app Settings page. These are passed using fetch() to the web site, which then creates an account for the user. This will make more sense if you follow along using the current draft of the app, which you can install from the link here.
The problem comes when the user has to use the web site. The obvious approach is for the user to touch a link on the Settings page to open a browser app, and that’s how I’ve implemented it at the moment. However, once the browser starts, the user can no longer see the username and password they specified, which makes it hard for them to log in. Fitbit rejected the app for this reason.
I could pass the username and password as GET parameters on the Settings page link, and then have the web site extract them and log in automatically. However, this feels horribly insecure. I’d be happier if the credentials could be passed using POST, but links on a Settings page can’t do that. The companion app can send POST variables, but it can’t open a browser window so that doesn’t help.
Compounding the problem is that, in some circumstances (eg, Firefox on Android), links in the Settings page open in an in-app browser component/view that isn’t sufficiently functional to be able to display the site (even though Firefox itself has no problems with it). This argues against including a clickable link on the Settings page.
An alternative would be to provide the web site’s URL as a field that could be copied and pasted into a browser’s address bar. This is inelegant too, because text on Fitbit Settings pages generally can’t be copied, and pasting into browsers’ address bars isn’t something that everyone could manage.
Does anyone have any suggestions about how I can get users logged in to the web site?
03-07-2018 20:32
Can you generate a disposable URL from the app?
Basically the app contacts the server with a user ID. The server generates a random GUID and associates it with the user ID. That GUID is passed in the GET and - as soon as the server logs the user in - it destroys the GUID.
Worth trying, you might hit a limitation.
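A server-side sketch of the disposable-URL idea in the post above, added here as an example and not code from anyone in the thread. The function names, the `t` query parameter, the two-minute lifetime and the `slideshow.example` host are assumptions, and the in-memory `Map` stands in for whatever store the web site really uses.

```javascript
// Added example: single-use, short-lived login tokens (names are hypothetical).
// Works under CommonJS and ES modules: prefers the global Web Crypto object.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const TOKEN_TTL_MS = 2 * 60 * 1000; // assumed lifetime: 2 minutes
const pendingTokens = new Map();    // token -> { userId, expiresAt }

// Called when the companion requests a login link for a user it has
// already been associated with. Returns a 128-bit token as 32 hex chars.
function issueLoginToken(userId, now = Date.now()) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16)); // CSPRNG, not Math.random
  const token = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  pendingTokens.set(token, { userId, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Called by the page the link opens. Returns the user ID to log in, or null.
// On success the site should set its session cookie and redirect to a URL
// without the token, so the token does not linger in the address bar.
function redeemLoginToken(token, now = Date.now()) {
  if (typeof token !== "string" || !/^[0-9a-f]{32}$/.test(token)) return null;
  const entry = pendingTokens.get(token);
  if (!entry) return null;
  pendingTokens.delete(token); // destroyed on first presentation, even if expired
  return now <= entry.expiresAt ? entry.userId : null;
}

// Builds the link: the GET parameter carries only the token, never the password.
function loginUrl(base, token) {
  const url = new URL(base);
  url.searchParams.set("t", token);
  return url.toString();
}

// Constructed sample run: the second redemption of the same token is refused.
const sampleToken = issueLoginToken("user-42");
console.log(loginUrl("https://slideshow.example/login", sampleToken));
console.log(redeemLoginToken(sampleToken)); // user-42
console.log(redeemLoginToken(sampleToken)); // null
```

Because the token is random, expires quickly and is deleted on first use, a copy left in browser history or a server access log cannot be replayed, which is the difference from putting the username and password in the URL.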
03-07-2018 20:42
@paperinik Excellent idea! I think I should be able to make that work. Many thanks!
03-07-2018 23:22
Unfortunately, because the Link component doesn't have a settingsKey, I suspect that I won't be able to change its source attribute from the companion (which may not have been possible in any case).
I don't know if it's possible to do so directly in settings/index.jsx. I really can't get my head around React! 😞
03-08-2018 00:56 - edited 03-08-2018 00:57
How about something like:
https://username:password@members.geocities.com/
03-08-2018 01:15
@EmTe I seem to have two problems:
I'm now leaning towards reversing my current approach; ie, getting the user to nominate a username and password in the web site first. The web site would then provide a GUID that could be copied and pasted into the Fitbit app settings page. It's still not hugely secure or elegant, but would hopefully be good enough to get the app accepted.