Facebook OAuth - unable to log in

[roenfeldt]

As per the problem described in more detail on DevDojo, I have been trying to figure out what's preventing me from successfully make the social provider authentication functionality work. After digging deeper into the codebase, I ended up overriding the following:

• vendor/devdojo/auth/src/Models/SocialProvider.php,
• vendor/devdojo/auth/src/Models/SocialProviderUser.php,
• vendor/devdojo/auth/src/Http/Controllers/SocialController.php, and
• vendor/devdojo/auth/routes/web.php.

By debugging the private createSocialProviderUser() method of the SocialController.php Controller, I realized the following:

• assumming the email address returned by Facebook is not associated with an existing user in the app, Socialite is correctly returning the $user object along with its id, name, email, avatar, user, token, and expiresIn properties and their corresponding values from Facebook;
• the value of the $driver parameter of the createSocialProviderUser() method is correctly received as facebook;
• the $user->socialProviders()->create() call somehow fails, despite the fact that:
  1. 'provider_slug' => $driver // 'facebook'
  2. 'provider_user_id' => $socialiteUser->getId() // '9002[...]40[...]'
  3. 'nickname' => $socialiteUser->getNickname() // null
  4. 'name' => $socialiteUser->getName() // 'John Doe'
  5. 'email' => $socialiteUser->getEmail() // '[email protected]'
  6. 'avatar' => $socialiteUser->getAvatar() // 'https://graph.facebook.com/v3.3/9002[...]40[...]/picture'
  7. 'provider_data' // {"name":"John Doe","email":"[email protected]","id":"9002[...]40[...]"}
  8. 'token' => $socialiteUser->token // 'EAAPoOafsNc4BOZBnOaV6fDf4nMrSeQn7[...]'
  9. 'refresh_token' => $socialiteUser->refreshToken null
  10. token_expires_at' => $socialiteUser->expiresIn ? now()->addSeconds($socialiteUser->expiresIn) : null // 'Formatted: 2025-01-17 21:15:59 | Timezone: Europe/Copenhagen | Timestamp: 1737144959'

For some reason, the user doesn't get created, despite all the valid data as I mentioned above. Could one or both null values prevent the user from being persisted?

That is where I got stuck. Any help will be greatly appreicated.

Thanks a lot!

[bobbyiliev]

Hey!

Thank you for all of the additional information here!

I will look into this and keep you posted!

[roenfeldt]

Hey Bobby,

I just realized something: each of my attempts to register a new user via the Facebook Social OAuth failed to create the user, yes, but the User model's IDs still kept being incremented in the DB.

After my many attempts with FB OAuth, today I registered a new user the normal Laravel Auth way, and it turns out that its id value is 45. I am positively certain that there were only two users (the default "Admin", and "Test 1"), created with Laravel Auth, when my FB OAuth implementation attempts started.

I'm not sure if this is normal SQL behavior, just wanted to bring more insight into the issue.

[bobbyiliev]

Hey @roenfeldt

I've tried to look into this further and reproduce it locally on my end but it all seems to be working as expected.

A couple of things that come to my mind:

• Regarding the empty log, can you confirm if you have APP_DEBUG=true set in your .env file? If not, can you set it and give it another try?
• What type of database are you using, is it SQLite or MySQL for example?
• Also in your browser web console, do you see any errors? You can try to: open the browser web console, then click on the register button and go through the flow and keep an eye on the console for any errors.

[roenfeldt]

Hey @bobbyiliev

For some strange reason, when trying to access the /auth/setup route, I'm getting redirected to /dashboard. This only happens in staging/production, as accessing the local Wave /auth/setup can be done with zero issues. I didn't touch anything Auth-related. The only thing I changed is the logo. I updated all Composer packages, but the issue still persists.

If you please explained which is the Controller or closure that is responsible with handling requests to /auth/setup, I could try to investigate the issue further.

Otherwise, if you suspect anything that may cause my staging/production server enviroment to differ from my local Wave installation, please share your thoughts.

Thank you so much.

/Daniel

LE: the laravel.log file doesn't show any errors, despite the fact that I set APP_DEBUG key to true in .env.

[bobbyiliev]

Hey!

I recently answered a similar question about this here: https://devdojo.com/question/devdojoauth-drift-theme

The redirect from /auth/setup to /dashboard is a security feature triggered when the APP_ENV in your .env file is set to production. This ensures that access to the setup page is disabled in production environments to protect your app.

To access the setup page, you can temporarily change the APP_ENV value in your .env file to local. This will prevent the redirect and allow you to complete the setup process.

Once you’ve finished setting up the authentication, make sure to change the APP_ENV value back to production before deploying your app. This step is important to prevent unauthorized access to the setup page in a live environment.

Let me know if this works for you!

- Bobby

[roenfeldt]

Hey Bobby, thank you for the insightful reply. Preventing unauthorized access to the setup page in a live environment makes a lot of sense. It would be awesome if this feature was mentioned in the Wave documentation though :)

[roenfeldt]

Now back on topic:

The FB social authentication won't work, regardless of the fact that my Wave setup is unmodified (except for the logo).

After clicking the "Continue with Facebook" button, the Facebook consent page opens (I'm already logged in on Facebook). The consent page is stating:

"You previously logged in to [App Name] with Facebook.
Would you like to continue?"

The browser's console is showing two errors:

1. EvalError: call to eval() blocked by CSP
2. Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src https://*.facebook.com https://*.fbcdn.net https://*.facebook.net https://127.0.0.1:* 'unsafe-inline' blob: data: 'self' https://connect.facebook.net/ 'wasm-unsafe-eval' https://*.google-analytics.com https://*.google.com” (Missing 'unsafe-eval')

I then click the "Continue as [Facebook User]" button, which is probably supposed to authenticate the user and persist it to the database, in case the user isn't already registered with the credentials Facebook is providing.

However, instead of getting authenticated, I'm redirected back to the /auth/login#_=_ URI and the "An error occurred during authentication. Please try again." message is showing up.

The browser's console is showing the following errors:

1. Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f4[...]15. (Reason: CORS request did not succeed). Status code: (null).
2. None of the “sha512” hashes in the integrity attribute match the content of the subresource. The computed hash is “z4PhNX7vuL3xVC[...]5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNK[...]kxvUdBeoGlODJ6+SfaPg==”.

I believe it's important to mention the fact that the domain's DNS records are handled through Cloudflare.

The same behavior is occurring regardless of whether I'm using Firefox, Chrome, or Safari. The Facebook app is correctly configured.

The Laravel/Wave app is hosted on DigitalOcean, and it's using a MySQL database, and laravel.log is clean.

I'm totally puzzled here. What I am doing wrong? Especially the part where #_=_ gets appended to the /auth/login URI. Where does that come from?

/Daniel

[bobbyiliev]

Hey Bobby, thank you for the insightful reply. Preventing unauthorized access to the setup page in a live environment makes a lot of sense. It would be awesome if this feature was mentioned in the Wave documentation though :)

No worries at all, happy to help with this!

Ah yes, this should be available in the docs already here:

https://devdojo.com/wave/docs/customizations#authentication-views

Which then links to the auth package docs:

https://devdojo.com/auth/docs/setup-customizations/#authorization

[bobbyiliev]

Regarding the Facebook authentication I still have not been able to reproduce the issue on my end, it seems to all be working.

Regarding this question here:

I'm totally puzzled here. What I am doing wrong? Especially the part where #= gets appended to the /auth/login URI. Where does that come from?

I think that this should be ok, I am also seeing it but the authentication works as expected.

One thing that you can check on the Facebook setup side is to make sure that you have the necessary permissions, especially the email and the public_profile like so:

[roenfeldt]

Hey @bobbyiliev,

As I wrote on the DevDojo discussion topic, I decided to move on and focus on more important tasks of building with Wave, because I couldn't make social auth work, not even on an out-of-the-box Wave project.

Once again, many thanks for your help and efforts, they're greatly appreciated!