Source: www.dustyblog.cn

Most apps now let users sign in with several third-party accounts (WeChat, QQ, Weibo and so on) alongside a local account; we call this the unified login of multiple accounts. The table design and the login flow for these accounts are crucial: get them wrong and every new login method turns into a rewrite.

This article is not a coding tutorial; it reconstructs how the author's team designed their account module and offers the reasoning for reference.

1. Self-built login system

1.1.1 Mobile number login and registration

The design idea: each mobile phone number corresponds to exactly one user, and the mobile phone number is mandatory.

Process:

  1. The user enters a mobile phone number and the client sends it to the server. The server checks whether an account already exists for that number. If not, it generates a random verification code, stores the number → code mapping in Redis with an expiry (typically 5 minutes, the validity period of an SMS verification code), and sends the code to the user by SMS.
  2. The user enters the received code together with a password and submits both. The server compares the submitted code with the one stored in Redis for that number; on mismatch it returns an error code, on match it creates the account and saves the password (as a salted hash, never in plaintext).
  3. After registration the user logs in with mobile phone number + password.

Problems:

  1. Poor user experience: to register, the user must request a code, enter the code, choose a password and fill in a user name and other details before they can use the app.
  2. A forgotten password can only be recovered through a separate "forgot password" flow.

1.1.2 Optimized registration and login

The idea of this scheme is to make the password optional: whether or not the user has registered, they can log in directly with mobile phone number + verification code (the mobile phone number + password method is retained).

Process:

  1. The user enters a mobile phone number and the client sends it to the server. The server generates a random verification code, stores the number → code mapping in Redis with an expiry (typically 5 minutes, the validity period of an SMS verification code), and sends the code by SMS.
  2. The user enters the received code and submits it. The server compares it with the code stored in Redis for that number; on mismatch it returns an error code, on match the user is logged in directly. If the number belongs to an existing user, their profile is loaded; if it is new, an account is created and the user is prompted (not forced) to complete their profile.
  3. Once logged in with mobile phone number + verification code, the user may optionally set a password and afterwards also log in with mobile phone number + password; the password is optional.
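The two flows above (1.1.1 and 1.1.2) share one server-side core: issue a random code bound to the phone number with a TTL, accept it exactly once, and store any password only as a salted hash. The following is an added example written for this article, not code from the original post. An in-memory dictionary with expiry stands in for Redis, the SMS sender is a callback the caller supplies, and the 5-attempt cap, 60-second resend interval and PBKDF2 parameters are assumptions; only the 5-minute validity comes from the article.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300        # the article's ~5 minute validity for an SMS code
RESEND_INTERVAL_SECONDS = 60  # assumption: at most one SMS per number per minute
MAX_ATTEMPTS = 5              # assumption: a 6-digit code is guessable, so cap wrong tries
PBKDF2_ITERATIONS = 600_000   # assumption: OWASP-recommended count for PBKDF2-HMAC-SHA256


class FakeRedis:
    """In-memory stand-in for Redis SETEX/GET/DEL; `clock` is injectable to test expiry."""

    def __init__(self, clock=time.monotonic):
        self._data = {}  # key -> (value, expires_at)
        self._clock = clock

    def setex(self, key, ttl, value):
        self._data[key] = (value, self._clock() + ttl)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:  # Redis would already have evicted it
            del self._data[key]
            return None
        return value

    def delete(self, key):
        self._data.pop(key, None)


def send_code(store, phone, send_sms):
    """Step 1: bind a fresh random code to the number with a TTL and SMS it; False if rate limited."""
    if store.get(f"sms:sent:{phone}") is not None:  # SMS flooding is a cost and a harassment problem
        return False
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; random.randint would be predictable
    store.setex(f"sms:code:{phone}", CODE_TTL_SECONDS, code)
    store.setex(f"sms:attempts:{phone}", CODE_TTL_SECONDS, "0")
    store.setex(f"sms:sent:{phone}", RESEND_INTERVAL_SECONDS, "1")
    send_sms(phone, code)
    return True


def verify_code(store, phone, submitted):
    """Step 2: check the submitted code exactly once, with an attempt cap."""
    code_key = f"sms:code:{phone}"
    stored = store.get(code_key)
    if stored is None:  # never issued, already used, or expired
        return False
    attempts = int(store.get(f"sms:attempts:{phone}") or 0) + 1
    if attempts > MAX_ATTEMPTS:
        store.delete(code_key)  # burn the code; the user has to request a new one
        return False
    store.setex(f"sms:attempts:{phone}", CODE_TTL_SECONDS, str(attempts))
    if not hmac.compare_digest(stored.encode(), submitted.encode()):
        return False
    store.delete(code_key)  # single use: a replayed code must fail
    store.delete(f"sms:attempts:{phone}")
    return True


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 stored as 'salt$hash' in hex; the plaintext is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_with_code(store, users, phone, code):
    """Section 1.1.2: a valid code logs in; an unknown number is registered on the fly."""
    if not verify_code(store, phone, code):
        return None
    user = users.get(phone)
    if user is None:  # `users` is a dict standing in for the user table of 1.1.2
        user = users[phone] = {"user_mobile": phone, "user_password": None, "state": "active"}
    return user


def set_password(users, phone, password):
    users[phone]["user_password"] = hash_password(password)  # optional step 3 of 1.1.2


def login_with_password(users, phone, password):
    user = users.get(phone)
    if user is None or user["user_password"] is None:  # no password set: only the code flow works
        return None
    return user if check_password(password, user["user_password"]) else None
```

The points the article's flow leaves implicit are all in `verify_code`: the comparison is constant-time, the code is deleted on success so it cannot be replayed, and too many wrong guesses destroy it, because a six-digit code with unlimited attempts inside a five-minute window is brute-forceable.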

User table design:

  id             user id
  user_name      user name
  user_password  user password (hash)
  user_mobile    mobile phone number
  state          account status
  more           other information

1.2 Introducing third-party accounts

1.2.1 Weibo login

In the Web 2.0 era Weibo opened its login to third-party sites, and product management said: we need Weibo login in our app, and it must be associated with our own user table.

Process:

  1. The client opens the Weibo login page and the user enters their Weibo user name and password. After a successful login Weibo returns an access_token, and with the access_token we call Weibo's API to fetch the user's information.
  2. The server creates an account in our user table from that information. From then on the user can log in directly with their Weibo account.

Weibo user information table:

  id            primary key
  user_id       our user id
  uid           Weibo's unique user ID
  access_token  Weibo access token (a bearer credential with an expiry; protect it at rest like a password)

1.2.2 Nightmare

Then came QQ login, WeChat login, NetEase login... Each new third-party login meant cloning the "Weibo user information table" into yet another table and writing yet another login flow.

2. Optimizing the account system

2.1 Analysis of the original account system

  1. Self-built login: whether mobile phone number + password or mobile phone number + verification code, both have the form user identifier + credential;
  2. Third-party login has the same form: the user identifier is the ID in the third-party system (its unique identifier there) and the credential is the access_token, which is nothing more than a password with an expiry that gets rotated.

2.2 New account system

2.2.1 Data table design

Basic user information table:

  id        user id
  nickname  nickname
  avatar    avatar
  more      other information

User authorization information table:

  id             primary key
  user_id        user id (refers to the basic user information table)
  identity_type  login type (phone, email) or third-party application name (weixin, weibo, ...)
  identifier     mobile phone number, email address, or the third party's unique identifier
  credential     password hash for self-built types; the third party's token for third-party types

Description:

  1. The user table is split into a basic user information table + a user authorization information table;
  2. The basic user information table stores no password and no login identifier (user name, mobile phone number, email), only the nickname, avatar and other profile data; everything related to authentication lives in the user authorization information table. The relationship between the two is one-to-many: one user, many ways to log in. A unique constraint on (identity_type, identifier) ensures that a given mobile phone number, email address or third-party ID can be bound to only one user.

2.2.2 Login process

  • Mobile phone number + verification code

Same as the flow in section 1.1.2.

  • Email/mobile phone number + password:

The user submits an email address or mobile phone number plus a password. The server determines the login type from the identifier; for a mobile phone number, for example:

Look up the authorization row with identity_type='phone' and identifier=<the phone number>. If it exists, verify the submitted password against the password hash stored in that row's credential; if it matches, the user referenced by user_id is logged in.

  • Third-party login, e.g. WeChat:

Look up identity_type='weixin' and identifier=<the WeChat openid>. If a row exists, login succeeds directly and the stored token is refreshed. The stored credential is not compared: provided the openid comes from our server's own exchange with WeChat over a channel that is not hijacked (an openid or token supplied by the client must never be trusted), WeChat having returned it is proof enough.

Advantages and disadvantages

Advantages:

  1. Login types can be added without limit, and the development cost of a new login type drops sharply;
  2. In the original design the application had to track whether the mobile phone number and email address had been verified with separate fields such as phone_verified and email_verified; now a single verified field in the user authorization information table shows the verification status of every login method at a glance;
  3. Adding a timestamp and IP address to the user authorization information table gives a fuller picture of the user's habits, for example: has not logged in via Weibo for over two years, has had WeChat bound for 300 days;
  4. If email and mobile phone number are regarded as part of the user's profile, the basic user information table can be extended with email and phone columns, but they are then used for display only and are no different in nature from the nickname, avatar or gender;
  5. Any number of login methods of the same type can be bound as required: one user can have several WeChat accounts, several email addresses and several mobile phone numbers. The design can of course be restricted to one record per login type.

Disadvantages:

  1. When a user has several password-based login methods (email, user name, mobile phone number), a password change must update all of them together, otherwise email + new password and mobile phone number + old password would both work, which is clearly wrong. In practice this means updating every self-built row of that user in one transaction, or storing the hash once per user rather than per identifier;

  2. There is more code, and in some places more branching and more complexity. For example, whether or not the user is logged in or registered, they click the same link to Weibo's authorization page and come back, and there are several possible situations:

  • This Weibo account is unknown to the site and nobody is logged in: register it and log the user in;
  • This Weibo account is known to the site and nobody is logged in: log in directly;
  • This Weibo account is unknown to the site, but the current logged-in user is already bound to a different Weibo account: the handling depends on whether multiple Weibo accounts may be bound;
  • This Weibo account is unknown to the site and the current user is logged in: bind it;
  • This Weibo account is already bound to the currently logged-in user: a repeated self-binding. Why would they do that?;
  • This Weibo account is already bound to a different site user, and the current logged-in user is bound to yet another Weibo account: what should happen?
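Putting 2.2.1 and 2.2.2 together with the binding cases just listed, here is an added example (written for this article, not the original post's code) of the two-table design on SQLite with the decisions made explicit: a UNIQUE constraint on (identity_type, identifier), a third-party callback that resolves the six situations above, and a password change that moves every self-built row of a user to the new hash in one statement (disadvantage 1). Table and column names follow the article; the constraint, the one-account-per-provider policy, the action names and the sample data are assumptions. The password-hash check is passed in as a callable so the block stays focused on the data model.

```python
import sqlite3

# Schema for the two tables of section 2.2.1 (assumed column types; names follow the article).
SCHEMA = """
CREATE TABLE user_basic (
    id       INTEGER PRIMARY KEY,
    nickname TEXT,
    avatar   TEXT
);
CREATE TABLE user_auth (
    id            INTEGER PRIMARY KEY,
    user_id       INTEGER NOT NULL REFERENCES user_basic(id),
    identity_type TEXT    NOT NULL,  -- 'phone', 'email', 'weixin', 'weibo', ...
    identifier    TEXT    NOT NULL,  -- phone number, email, or the third party's uid/openid
    credential    TEXT,              -- password hash for self-built types, token for third parties
    verified      INTEGER NOT NULL DEFAULT 0,
    UNIQUE (identity_type, identifier)  -- one identifier of a type belongs to exactly one user
);
"""

SELF_BUILT_TYPES = ("phone", "email", "username")  # only these rows hold a password hash
ALLOW_MULTIPLE_OF_SAME_TYPE = False  # assumption: at most one Weibo/WeChat account per user


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn, nickname):
    return conn.execute("INSERT INTO user_basic (nickname) VALUES (?)", (nickname,)).lastrowid


def find_owner(conn, identity_type, identifier):
    row = conn.execute("SELECT user_id FROM user_auth WHERE identity_type = ? AND identifier = ?",
                       (identity_type, identifier)).fetchone()
    return row[0] if row else None


def bind_identity(conn, user_id, identity_type, identifier, credential=None, verified=1):
    """Raises sqlite3.IntegrityError if the identifier is already bound to any user."""
    conn.execute("INSERT INTO user_auth (user_id, identity_type, identifier, credential, verified) "
                 "VALUES (?, ?, ?, ?, ?)", (user_id, identity_type, identifier, credential, verified))


def set_password(conn, user_id, password_hash):
    """Disadvantage 1: one statement moves every self-built login of the user to the new hash,
    so 'email + new password' and 'phone + old password' can never both work."""
    marks = ",".join("?" * len(SELF_BUILT_TYPES))
    conn.execute(f"UPDATE user_auth SET credential = ? WHERE user_id = ? AND identity_type IN ({marks})",
                 (password_hash, user_id, *SELF_BUILT_TYPES))


def login_with_password(conn, identity_type, identifier, password, verify):
    """Email/phone + password login. `verify(password, stored_hash)` is the hash check (PBKDF2,
    scrypt, ...). Third-party rows hold tokens, so they are never matched as passwords."""
    if identity_type not in SELF_BUILT_TYPES:
        return None
    row = conn.execute("SELECT user_id, credential FROM user_auth WHERE identity_type = ? AND identifier = ?",
                       (identity_type, identifier)).fetchone()
    if row is None or row[1] is None or not verify(password, row[1]):
        return None
    return row[0]


def third_party_callback(conn, provider, uid, token, current_user_id=None):
    """Resolve the six situations from the disadvantages list. `uid` and `token` must come from
    our server's own exchange with the provider, never from the client. Returns (action, user_id)."""
    owner = find_owner(conn, provider, uid)
    if current_user_id is None:
        if owner is None:  # unknown account, nobody logged in: register and log in
            user_id = create_user(conn, nickname=f"{provider}:{uid}")
            bind_identity(conn, user_id, provider, uid, credential=token)
            return "registered", user_id
        # known account, nobody logged in: log in and refresh the stored token
        conn.execute("UPDATE user_auth SET credential = ? WHERE identity_type = ? AND identifier = ?",
                     (token, provider, uid))
        return "login", owner
    if owner == current_user_id:  # re-binding the account the user logged in with: nothing to do
        return "already_bound", current_user_id
    if owner is not None:  # bound to a different site user: refuse; merging is a product decision
        return "conflict_bound_to_other_user", current_user_id
    has_other = conn.execute("SELECT 1 FROM user_auth WHERE user_id = ? AND identity_type = ?",
                             (current_user_id, provider)).fetchone() is not None
    if has_other and not ALLOW_MULTIPLE_OF_SAME_TYPE:  # already has another account of this type
        return "conflict_user_has_other_account", current_user_id
    bind_identity(conn, current_user_id, provider, uid, credential=token)  # plain bind
    return "bound", current_user_id
```

Two checks carry the security weight here: `login_with_password` refuses any identity_type that is not self-built, so a stored third-party token can never be presented as a password, and the UNIQUE constraint turns the "already bound to someone else" cases into a database error rather than a silent second row.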

3. One-click login

3.1 Background

Review the mobile phone number + verification code method:

  1. Enter the mobile phone number, wait for the SMS, enter the code, tap login. The whole process can take more than 20 seconds and is cumbersome;
  2. It depends on the SMS network: if the SMS does not arrive, the user cannot log in;
  3. From a security perspective there is the risk of the code leaking. Anyone who knows your mobile phone number and can intercept the code, or trick you into revealing it, can log in to your account.

But step back: why do we need a verification code at all? Its purpose is to prove that the mobile phone number is yours. Is there any way to prove that other than SMS?

  1. If we could read the device's current mobile phone number, we could compare it with the number the user entered. But for security reasons the client app cannot read the phone number directly; only the carrier can see the SIM card's data.
  2. Carriers now expose an interface for this: after the user enters a mobile phone number, the app calls the carrier to check whether that number matches the SIM in the device. The user no longer waits for an SMS or types a code, the SMS network is out of the loop, and the login flow is simpler.
  3. One step further: if the carrier can return the current number to us directly instead of only verifying it, the user does not even need to type the number.

This is the main character of this section: one-click login.

3.2 Local number authentication

Once the mobile phone number of the SIM in the current device is obtained, it can be used to log in directly; this is one-click login.

The benefit is obvious: registration and login complete faster and with less friction, the original 20-second process shrinking to about 2 seconds, a large improvement in the login experience.

The main steps are as follows:

  1. SDK initialization: call the SDK initialization method with the AppKey and AppSecret of the project registered on the carrier's platform.
  2. Show the authorization page: call the SDK's authorization interface. The SDK first asks the carrier to pre-fetch the device's mobile number and, on success, opens the authorization page, which shows the masked phone number and the carrier's agreement for the user to confirm.
  3. Consent and login: the user accepts the agreement and taps the login button on the authorization page. The SDK requests a number-retrieval token from the carrier and hands the token to the client.
  4. Number retrieval: the client sends the token to our own server, and the server calls the carrier's one-click login interface with the token; on success the carrier returns the mobile phone number. The server logs in or registers the user by that number and returns the result to the client, completing the one-click login. The number must always be obtained server-side from the token; a phone number reported by the client itself is not to be trusted.

4. Summary

In the author's view there is no best solution, only the design that fits the current system. Don't agonize over which is good and which is bad; only the foot knows whether the shoe fits.
