Sign in with facebook (OAuth): how to and threats

Many websites offer the option to sign in via the OAuth protocol (e.g. using a Facebook account).

How to

In an ASP.NET application it is very easy to implement; see this 3-minute screencast by Scott Hanselman.

In Rails it is a little more involved, but still no big deal; RailsCast #360 covers it (12 minutes).


However, it is good to know what data we hand over when we click ‘Login with Facebook’. I implemented Facebook auth with the omniauth-facebook library (following the RailsCast above) and was surprised when I looked at the source code.

This is the auth hash available to the developer when we sign in with Facebook (some values were stripped from the snippet and are shown as empty strings):

{
  :provider => 'facebook',
  :uid => '1234567',
  :info => {
    :nickname => 'jbloggs',
    :email => '',
    :name => 'Joe Bloggs',
    :first_name => 'Joe',
    :last_name => 'Bloggs',
    :image => '',
    :urls => { :Facebook => '' },
    :location => 'Palo Alto, California',
    :verified => true
  },
  :credentials => {
    :token => 'ABCDEF...', # OAuth 2.0 access_token, which you may wish to store
    :expires_at => 1321747205, # when the access token expires (it always will)
    :expires => true # this will always be true
  },
  :extra => {
    :raw_info => {
      :id => '1234567',
      :name => 'Joe Bloggs',
      :first_name => 'Joe',
      :last_name => 'Bloggs',
      :link => '',
      :username => 'jbloggs',
      :location => { :id => '123456789', :name => 'Palo Alto, California' },
      :gender => 'male',
      :email => '',
      :timezone => -8,
      :locale => 'en_US',
      :verified => true,
      :updated_time => '2011-11-11T06:21:03+0000'
    }
  }
}

We hand over our email (!), timezone and even location! I was not aware of that; I thought Facebook provided just basic info like name and photo.

We should think twice before signing in to a website with OAuth, especially because it gives away our email address. A malicious website can use it for sending spam.
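The flip side for the site developer: the app should keep only what it needs from that hash and treat the token as a secret. The following is an added example (not code from the post or from omniauth-facebook); the sample hash mirrors the layout shown above with constructed values, and the choice of "needed" fields is an assumption for the demo.

```ruby
# Constructed sample in the omniauth-facebook shape (all values are fake).
SAMPLE_AUTH = {
  provider: 'facebook',
  uid: '1234567',
  info: { nickname: 'jbloggs', email: 'joe@example.com', name: 'Joe Bloggs',
          location: 'Palo Alto, California', verified: true },
  credentials: { token: 'ABCDEF...', expires_at: 1321747205, expires: true },
  extra: { raw_info: { gender: 'male', timezone: -8, locale: 'en_US' } }
}.freeze

# Data minimization: keep only the identity fields needed to log the user in
# and greet them. Email, location, gender, timezone and the token are dropped.
def minimal_identity(auth)
  info = auth[:info] || {}
  { provider: auth[:provider], uid: auth[:uid], name: info[:name],
    verified: info[:verified] == true }
end

# Redact the access token before the hash goes anywhere near a log line.
# Returns a new hash; the original is left untouched.
def redact_for_log(auth)
  creds = (auth[:credentials] || {}).dup
  creds[:token] = '[REDACTED]' if creds.key?(:token)
  auth.merge(credentials: creds)
end

# expires_at is a Unix timestamp; refuse to use a missing or expired token
# so the app never calls the provider's API with stale credentials.
def token_usable?(auth, now = Time.now.to_i)
  creds = auth[:credentials] || {}
  creds[:token].to_s != '' && creds[:expires_at].to_i > now
end

if __FILE__ == $PROGRAM_NAME
  p minimal_identity(SAMPLE_AUTH)
  p redact_for_log(SAMPLE_AUTH)[:credentials]
  p token_usable?(SAMPLE_AUTH)
end
```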

Sending email from Rails application

It took me a while to configure sending email from a Rails application. I went through many different tutorials, blogs, StackOverflow posts etc. Step by step I found a working configuration.

To send emails I use ActionMailer. First you need to generate a mailer:

rails generate mailer UserMailer

It will create a UserMailer class in the app/mailers directory. In this class we need to define our method for sending emails (the sender and recipient addresses were stripped from the snippet):

class UserMailer < ActionMailer::Base
  default from: ""   # sender address used for every mail from this class

  # Parameters become instance variables, which the view template can render.
  def send_email(user_email, content)
    @user_email = user_email
    @content = content
    mail(to: "", subject: "Email from")   # renders app/views/user_mailer/send_email.html.erb
  end
end

Then in the directory app/views/user_mailer we need to create a template for our email: send_email.html.erb (the name must match the name of the action defined in the UserMailer class):

<!DOCTYPE html>
<html>
  <head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type' /></head>
  <body>
    <p>From: <%= @user_email %></p>
    <p><%= @content %></p>
  </body>
</html>

(*) If you do not want to send HTML you can create a plain-text template instead and name the file send_email.text.erb.

Now the hardest part: SMTP configuration. You need to add it to config/environments/development.rb (or test.rb or production.rb). I found this configuration working for Gmail (the host and account values were stripped from the snippet):

  # set delivery method to :smtp, :sendmail or :test
  config.action_mailer.delivery_method = :smtp
  config.action_mailer.perform_deliveries = true

  # these options are only needed if you choose smtp delivery
  config.action_mailer.smtp_settings = {
    :address        => '',              # SMTP server host
    :port           => 587,
    :domain         => '',              # HELO domain, usually your site's domain
    :authentication => :login,
    :user_name      => '',
    :password       => 'your_password', # better read from ENV than committed to the repository
    :enable_starttls_auto => true       # upgrade the connection to TLS before authenticating
  }

The last thing is to call the mailer from our app:

UserMailer.send_email(params[:from], params[:content]).deliver

The form for sending email can look like this:

<%= form_tag '/send_email', method: 'post' do %>
  <div class="field">
    Email<br />
    <%= email_field_tag :from %>
  </div>

  <div class="field">
    Content<br />
    <%= text_area_tag :content, nil, rows: 10, cols: 25 %>
  </div>

  <div class="actions">
    <%= submit_tag "Send", class: "btn btn-large btn-primary" %>
  </div>
<% end %>

For that you need an action in a controller and a matching route, e.g.:

match '/send_email', to: 'your_controller#your_action'

The send_email method (from the UserMailer class) can take as many parameters as you need, including none. In the above example the params are just rendered in the email template (send_email.html.erb).
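Both values the controller passes to the mailer come straight from the form, so they should be checked before delivery. This is an added example (not code from the post); the address pattern, the content limit and the controller usage in the trailing comment are assumptions for the demo.

```ruby
MAX_CONTENT = 2_000   # characters; assumed limit, pick what your form needs
# Single address, no whitespace or line breaks, anchored at both ends.
EMAIL_RE = /\A[\w+\-.]+@[a-z\d\-]+(\.[a-z\d\-]+)*\.[a-z]+\z/i

# Validates the :from and :content parameters the post's form submits.
# Returns [true, { from:, content: }] on success or [false, [errors]] otherwise.
def validate_send_email_params(params)
  errors = []
  from = params[:from].to_s.strip
  content = params[:content].to_s

  # The address is rendered into the mail body (and often its subject), so
  # only accept a well-formed single address.
  errors << 'from: not a valid email address' unless from.match?(EMAIL_RE)
  errors << 'content: must not be empty' if content.strip.empty?
  if content.length > MAX_CONTENT
    errors << "content: longer than #{MAX_CONTENT} characters"
  end

  errors.empty? ? [true, { from: from, content: content }] : [false, errors]
end

# Assumed use inside the controller action the post's route points at:
#   ok, result = validate_send_email_params(params)
#   if ok
#     UserMailer.send_email(result[:from], result[:content]).deliver
#   else
#     flash.now[:alert] = result.join(', ')
#     render :new   # whichever view holds the form
#   end
```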

Getting started with Ruby on Rails


Recently I decided to learn Ruby on Rails. When you start learning a new technology you always look for the best available materials (to learn as efficiently as possible). I did the same (using Google and StackOverflow). Fortunately I found The Best Way to Learn Ruby on Rails and followed the recommended steps, with small modifications (extensions).

First of all I extended the first step. Instead of just going through the “Try Ruby” exercises I also read the first chapter of Seven Languages in Seven Weeks (which is about Ruby). It was a very good move, because this book is written to show the flavor of a language by comparing it with others. I am a .NET guy who coded in PHP, C++, Java and Python before, so I was more interested in the differences between Ruby and those languages than in programming from the ground up. I also skimmed (rather than read) the Humble Little Ruby Book. It goes a little deeper, but it gives you solid Ruby basics.

I was working with Rails on Windows and on Mac. Installing on Windows is very easy when you use RubyInstaller. There is also a version for Mac; however, on Mac you can also install Rails using RVM, in which case I recommend the installation screencast by Michael Hartl. On Windows I used RubyInstaller, but on Mac I took advantage of Michael Hartl’s screencast. Additionally you may need SQLite Database Browser to browse your database easily. I did not know about it at the beginning and was using rails dbconsole. Browsing with SQLite Database Browser is much more comfortable!

Once I had Rails installed I went through Jeffrey’s Introduction to Rails. I tried to follow along by writing the code on my machine, but many times he was too fast. I needed to pause the video very often and even scroll back to see the command he had typed (he was switching screens too quickly). Anyway, it is a very nice introduction and I recommend it. But you can skip retyping the code he writes; just watch it to get a flavor of Rails.

After that I went through the Rails for Zombies tutorials. I was very lucky, because Code School had a promotion on May 18-19 and provided Rails for Zombies 2 for free on those days. These tutorials are very solid. The exercises force you to learn by typing, because you cannot proceed to the next level until you finish all the tasks.


With the basics gained as described above I started a book: Agile Web Development with Rails. I really like this book. It has 3 parts:

  • Getting started (Rails installation, create first app, quick Rails architecture overview)
  • Building application (tutorial)
  • Rails in Depth

The longest part of the book is the tutorial (2nd). Through this part you create a complete application, exploring different Rails features. Unfortunately the book is a little outdated: the authors use Ruby 1.8.7 and Rails 3.0.0, while I installed the most recent versions, Ruby 1.9.3p392 and Rails 3.2.13. Sometimes you need to fix the code (e.g. Chapter 11 – Task F: Add a Dash of Ajax). For that I found the Ruby on Rails documentation very useful.

The last part goes deep into Rails. I really recommend it! It is not only about Rails but also about web applications and MVC architecture in general: how the browser works, how requests are handled by a Rails app, sessions, cookies etc.

When I was in the middle of the book I was a little annoyed (because it is outdated) and switched to the Ruby on Rails Tutorial by Michael Hartl, which is strongly recommended on StackOverflow. Well… the guys at SO are right. This is a really good piece of knowledge, not only about Rails but also about using git, CSS, Bootstrap and web development in general. I really enjoyed it! If you do not want to buy the videos, you can just read the free book (it has the same content as the videos and more). There are also nice videos describing an advanced setup for Rails development on Mac and a SublimeText configuration for Rails. Actually this tutorial covers Rails development from A to Z.

As a summary to the book and Michael Hartl’s tutorial I reviewed the Rails Guides. They are a nice overview of the most important Rails features and can also be used as a reference. Some of the RailsCasts are also useful.

I wanted to try a few different tutorials/books to see different approaches. E.g. Michael Hartl uses RSpec for unit tests, while the authors of Agile Web Development with Rails use the Rails testing framework.

My adventure with Ruby (on Rails) has lasted almost two months. Now I can admit that RoR is a very powerful and developer-friendly framework. It contains many features which have already been adopted by ASP.NET (e.g. migrations, bundling). What surprised me is that you do not need an IDE to develop Rails apps. I use SublimeText2 (awesome editor!) and it is really enough. Some Rails developers use Vim or Emacs. Of course there are IDEs such as RubyMine or Aptana Studio. I tried both. RubyMine seems pretty cool… but I stick with SublimeText. Additionally, during Rails development you spend a lot of time in the console (to create/run/undo migrations, create models/controllers, run tests etc.).

If you want to start Rails development, my recommended steps are:

You might also find these tools/resources useful:

What do I like in Ruby on Rails? The syntax, convention over configuration and lots of features implemented in the framework layer. Moreover: Rails is just cool.

Build 2013

June was a month of conferences for .NET developers! We had TechEd North America, the Norwegian Developers Conference, TechEd Europe and a bunch more, but the biggest one was the Microsoft Build Developer Conference.

All videos are live and available for free on Channel 9. Both keynotes are worth seeing, but for .NET people the second day’s keynote will be more interesting. I also recommend Scott Hanselman‘s session What’s New in ASP.NET and Visual Studio 2013. Scott shows lots of nice new features such as:

  • One ASP.NET
  • Bootstrap as default template in ASP.NET project
  • Multiple default browsers in Visual Studio
  • Real-Time website refreshing between Visual Studio and Browser (without page reloading)
  • New ninja snippets
  • and much, much more

There is also a very solid session, Introduction to Node.js on Windows Azure by Tomasz Janczuk. I really enjoyed it. Tomasz shows Node.js basics and how to run it on Windows Azure in a very simple and clear way.

The third must-see (if you are a .NET dev) is Visual Studio 2013 for Web Developers: Deep Dive by Mads Kristensen. Mads shows hot new features in the VS editors (HTML, CSS, JavaScript) and the WebEssentials add-on.

Other interesting stuff:

Windows 8.1 Preview and Visual Studio 2013 Preview

At the Build conference (June 26-28, 2013) Microsoft announced Windows 8.1 Preview and Visual Studio 2013 Preview. I installed them on a virtual machine, just in case, to protect my system from some unexpected features 🙂

In the case of Windows 8.1 there are no big changes, only some small, useful improvements. I like ‘search all’, which lets you search within apps, settings and files at the same time. However I am still using Search Everything, because it’s faster and more effective. It’s also cool to have the Start button, which brings you to the Metro desktop, but again, no big deal (I was fine with the WIN key). You can find lists of improvements/changes here and here.

The new Visual Studio is more interesting. The One ASP.NET idea is applied: when you create a new project there is only one template, ‘ASP.NET Web Application’. Then, in the second step, you choose which types of application you want to include in it.


MVC 5 (Preview) is included, along with various scaffolding options. You can e.g. scaffold just the edit action.

A great feature for web developers: you can open a page in multiple web browsers and then refresh them all from Visual Studio (e.g. after a change in the code).

The editor experience is improved. You can have a code map in the scroll bar. The HTML editor has been rewritten from scratch. A short list of my favorite features:

  • new code snippets (in HTML document try: ‘div.myClass*4>lorem’ and click TAB)
  • intellisense in web.config
  • ALT + UP/DOWN – move code line up or down
  • ALT + 1/2 – extends text selection to level up or down
  • ALT+SHIFT+W – allows you to surround the selected text with a new tag
  • ALT+V – voice commands (which show the shortcuts); yes, we can speak to Visual Studio!
  • JavaScript frameworks intellisense (e.g. AngularJS)

But the greatest news is: WebEssentials2013 is now open source on GitHub. Everyone can contribute. The policy is to add experimental features to WebEssentials and then move the hottest ones to Visual Studio (once they are tested). To see all the new, hot features watch Mads Kristensen’s talk at Build 2013.

Another cool thing is the possibility to ‘sign in’ to Visual Studio. Once you sign in with your Microsoft account you can synchronize settings across your devices. Now it is enough to customize your Visual Studio only once.

There are many more new features. You can find them here and here.