What should password field be?


(Adam Beers) #1

When using the create user API call with Google Sign-In, what should the password field be when sending the POST command? The Google Sign-In doesn’t actually return a password, so what should be used?


(Adam Beers) #2

Nobody has any ideas?


(Vinoth Kannan) #3

Are you using user login and registration in a separate app? If yes, then you must use SSO instead of creating users via the API.


(Adam Beers) #4

Once the user is created by my external site, how does that user then get added to the discourse database? How does a key get created for that user, so they can post things to the site?


(Vinoth Kannan) #5

Just to keep all the discussion in one place, I’m replying to your message here.

If you use your master api_key in your Android app then you have a serious security issue. Developers can decrypt your app and can get the api key easily.

Firebase will return an IdToken on successful login. You should send this to your server and validate it using one of the methods in Verify ID Tokens | Firebase. If it is successful you can generate the user api_key on the server itself and send it to the Android client.

Also you can store the user api_key (not master api_key) on Firebase behind auth rules and retrieve anytime.


(Adam Beers) #6

If I don’t use Firebase, but use the normal Discourse auth, what is the normal API flow for creating a user and then having that user login?

How long do the user API keys last? Do they expire?

Also, if I allow Google and Facebook logins, how are those users created in the Discourse server using API calls?

The CURL for creating a user indicates that an api_key and api_username are required. What are those if a user is trying to create a new account and they don’t have a key or username?

curl -X POST --data "name=dave&username=dave&email=dave@example.com&password=P@ssword&active=true" "http://localhost:3000/users?api_key=test_d7fd0429940&api_username=test_user"


(Vinoth Kannan) #7

Like I already told you, SSO is the best option even if you have Google and Facebook logins on the original website.

For Android app

A simple solution is to buy hosting at discourse.org. Discourse already has an open source Android app, which currently works only for their customers.

Otherwise you have to authorize the Discourse instance from Android like they did in their official app. You may still use SSO in this case.

Since it is a slightly advanced concept, I think that if you want more help then you have to post a job in #marketplace. Then I or someone else will help you find an alternative solution.
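
What the SSO approach recommended in this thread looks like on the external site's server, as an added example that is not part of the original posts or Discourse's own code. It assumes Discourse's SSO (DiscourseConnect) message format, a base64 payload signed with HMAC-SHA256 under a shared secret; the secret, nonce and user record are constructed and the function names are hypothetical.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode

# Constructed shared secret; it lives only on the two servers, never in the mobile app.
SSO_SECRET = b"constructed-example-secret"

def sign(payload_b64: str, secret: bytes = SSO_SECRET) -> str:
    """Hex HMAC-SHA256 over the base64 payload string."""
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()

def parse_request(sso: str, sig: str, secret: bytes = SSO_SECRET) -> dict:
    """Validate the forum's signed login request and return its fields."""
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad signature on SSO request")
    fields = parse_qs(base64.b64decode(sso).decode())
    return {"nonce": fields["nonce"][0],
            "return_sso_url": fields["return_sso_url"][0]}

def build_response(request: dict, user: dict, secret: bytes = SSO_SECRET) -> str:
    """Build the redirect URL asserting the already-authenticated user."""
    payload = urlencode({
        "nonce": request["nonce"],    # echoed back so a response cannot be replayed
        "external_id": user["id"],    # stable id from the external site's user table
        "email": user["email"],
        "username": user["username"],
    })                                # note: no password field is ever sent
    sso = base64.b64encode(payload.encode()).decode()
    query = urlencode({"sso": sso, "sig": sign(sso, secret)})
    return request["return_sso_url"] + "?" + query

def demo() -> str:
    # Constructed request, shaped like the one the forum sends to the external site.
    raw = urlencode({"nonce": "cb68251eefb5211e58c00ff1395f0c0b",
                     "return_sso_url": "http://localhost:3000/session/sso_login"})
    sso = base64.b64encode(raw.encode()).decode()
    request = parse_request(sso, sign(sso))
    # Record the external site holds after its own Google sign-in succeeded.
    user = {"id": "42", "email": "dave@example.com", "username": "dave"}
    return build_response(request, user)

if __name__ == "__main__":
    print(demo())
```

The forum creates or matches the account from `external_id` and `email` when it receives this redirect, so the client never handles a password or the master api_key.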