Nowadays most apps support logging in with several third-party accounts, such as WeChat, QQ and Weibo; we call this unified multi-account login. The design of the account tables and of the login flows is essential here, otherwise later extension becomes painful. This article contains no runnable code; it only sorts out how the blogger designed our account module and offers the ideas for reference.
1. Self-built login system
1.1 Registration and login by phone number
The design idea: each phone number corresponds to one user, and the phone number is mandatory.
Process:
- The user enters a phone number, which is sent to the server. The server checks whether an account exists for that number; if not, it generates a random verification code, binds the code to the phone number in Redis with an expiry (usually 5 minutes, the general validity period we use for SMS codes), and finally sends the code to the user via SMS.
- After receiving the code, the user fills in the code and a password on the verification page and submits them to the server. The server first checks whether the submitted code matches the one stored in Redis for that phone number; on mismatch it returns an error code, on success it creates the account and saves the password.
- After successful registration, the user can log in with phone number + password.
Problems:
- Poor user experience: the user has to request a verification code, then fill in the code, a password, a user name and more before registration is complete and the app can be used;
- Passwords are easily forgotten, and a forgotten password can only be dealt with by resetting it.
1.2 Optimized registration and login
The idea of this scheme is to make the password optional: whether or not the user is already registered, they log in with phone number + verification code (phone number + password is kept as an alternative way to log in).
Process:
- The user enters a phone number, which is sent to the server. The server generates a random verification code, binds it to the phone number in Redis with an expiry (generally 5 minutes, the general validity period we use for SMS codes), and sends the code to the user via SMS.
- After receiving the code, the user only fills in the code and submits it to the server. The server first checks whether the submitted code matches the one stored in Redis for that phone number; on mismatch it returns an error code, on success the user is logged in directly. For an existing user the server pulls the user's information; for a new user it suggests (but does not require) completing the profile.
- After logging in with phone number + verification code, the user can optionally set a password and then also log in with phone number + password: the password is no longer mandatory.
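The phone number + verification code flow of 1.1 and 1.2, as an added Python example that is not code from the original post: the Redis SETEX/GET/DEL calls are replaced by an in-memory store with a pluggable clock so that the 5-minute expiry can be exercised; the key names, the 6-digit code format and the `users` dict are assumptions.

```python
import hmac, secrets, time

CODE_TTL = 300  # the 5-minute validity the post uses for SMS verification codes

class CodeStore:
    # In-memory stand-in for Redis SETEX/GET/DEL; the clock is pluggable so expiry is testable.
    def __init__(self, clock=time.time):
        self.clock, self.data = clock, {}

    def setex(self, key, ttl, value):
        self.data[key] = (value, self.clock() + ttl)

    def get(self, key):
        entry = self.data.get(key)
        if entry is None or entry[1] <= self.clock():
            self.data.pop(key, None)  # expired: behave as if Redis had evicted the key
            return None
        return entry[0]

    def delete(self, key):
        self.data.pop(key, None)

def request_code(store, phone):
    # Step 1 on the server: bind a fresh random 6-digit code to the phone number for CODE_TTL.
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
    store.setex(f"sms_code:{phone}", CODE_TTL, code)
    return code  # in production this is handed to the SMS gateway, never returned to the client

def login_or_register(store, users, phone, submitted_code):
    # Step 2: compare the submitted code with the stored one; returns (status, user record or None).
    expected = store.get(f"sms_code:{phone}")
    if expected is None or not hmac.compare_digest(expected.encode(), submitted_code.encode()):
        return "bad_or_expired_code", None
    store.delete(f"sms_code:{phone}")  # one-time use: a code that leaked cannot be replayed
    if phone in users:
        return "existing", users[phone]
    users[phone] = {"phone": phone, "password_hash": None}  # password is optional in 1.2
    return "new", users[phone]
```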
User table design:
id | user_name | user_password | user_mobile | state | more |
---|---|---|---|---|---|
User id | user name | user password | phone number | account status | other information |
1.3 Introducing third-party account login
1.3.1 Weibo login
In the Web 2.0 era, Weibo opened up third-party website login. The product team says we have to have it, so we add the ability to log in to the app with a Weibo account, while keeping our own users and the associated tables.
Process:
- The client calls the Weibo login interface and the user enters their Weibo user name and password; on success Weibo returns an access_token, and the access_token is used to call the Weibo API to retrieve the user's information.
- The user information is sent to our server, which creates a user account in our user table; from then on the user can log in directly with the Weibo account.
Weibo user information table design:
id | user_id | uid | access_token |
---|---|---|---|
Primary key id | User id (our user table) | Weibo unique id | Authorization token |
1.3.2 The nightmare arrives
Then QQ login is opened up, then WeChat login, then NetEase login... Suddenly many third-party logins have to be integrated, and following the "Weibo user information table" approach each one needs a new table and a separate rewrite of the login logic.
2. Optimizing the account system
2.1 Analysis of the original account system
- Self-built login: whether phone number + password or phone number + verification code, it is a user information + password form of authentication;
- Third-party login: also user information + password in form. The user information is the third-party system's ID (uniquely identifying the user in that system) and the password is the access_token, with the restriction that this "password" is changed periodically.
2.2 The new account system
2.2.1 Data table design
User basic information table:
id | nickname | avatar | more |
---|---|---|---|
User id | nickname | avatar | other information |
User authorization information table:
id | user_id | identity_type | identifier | credential |
---|---|---|---|---|
Primary key id | User id | Login type (phone number / email) or third-party application name (WeChat / Weibo) | Unique identifier: phone number / email / third-party id | Credential (password hash for self-built accounts, token for third-party accounts) |
Description:
- The user table is split into a user basic information table + a user authorization information table;
- The user basic information table stores no passwords and no login information (user name, phone number, email); it keeps only the nickname, avatar and other basic information. Everything related to authorization goes into the user authorization information table. The two tables have a one-to-many relationship.
2.2.2 Login process
Phone number + verification code: follows the previous scheme.
Email / phone number + password:
The user fills in email or phone number + password. When the login request arrives, first determine the type; taking phone number login as an example: query with identity_type = 'phone' together with identifier = '<phone number>'; if a record exists, take its credential (the password_hash), check whether the submitted password matches it, and on a match the user is verified and their information is loaded by user_id.
- Third-party login, for example WeChat: query with identity_type = 'weixin' together with identifier = '<WeChat openId>'; if a record exists, log in directly and update the stored token. This assumes the communication between WeChat and our server is not hijacked, so the credential does not need to be checked.
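The two-table design of 2.2.1 and the lookups of 2.2.2, as an added Python example (not the post's own code) on an in-memory SQLite database; the `verified` column, the PBKDF2 password hashing and the generated nicknames are assumptions, and the third-party path models the "trust the provider, refresh the token" behaviour described above.

```python
import hashlib, hmac, secrets, sqlite3

SCHEMA = """CREATE TABLE user (id INTEGER PRIMARY KEY, nickname TEXT, avatar TEXT);
CREATE TABLE user_auth (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES user(id),
  identity_type TEXT NOT NULL, identifier TEXT NOT NULL, credential TEXT,
  verified INTEGER NOT NULL DEFAULT 0, UNIQUE (identity_type, identifier));
"""

def hash_password(password, salt=None):
    # Salted PBKDF2 stored as 'salt$hash' (hex): the credential column never holds plaintext.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def check_password(stored, password):
    # Recompute with the stored salt and compare in constant time.
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(stored, hash_password(password, salt))

class AccountService:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)  # basic-info table + one auth row per login method

    def _auth_row(self, identity_type, identifier):
        sql = "SELECT user_id, credential FROM user_auth WHERE identity_type=? AND identifier=?"
        return self.db.execute(sql, (identity_type, identifier)).fetchone()

    def _create_user(self, nickname, identity_type, identifier, credential):
        user_id = self.db.execute("INSERT INTO user (nickname) VALUES (?)", (nickname,)).lastrowid
        self.db.execute("INSERT INTO user_auth (user_id, identity_type, identifier, credential, verified)"
                        " VALUES (?, ?, ?, ?, 1)", (user_id, identity_type, identifier, credential))
        return user_id

    def register(self, nickname, identity_type, identifier, password):
        # 'phone' or 'email' + password; only the hash is stored in `credential`.
        return self._create_user(nickname, identity_type, identifier, hash_password(password))

    def login_password(self, identity_type, identifier, password):
        # 2.2.2: look up type + identifier, verify the hash, return user_id (or None on failure).
        row = self._auth_row(identity_type, identifier)
        return row[0] if row and check_password(row[1], password) else None

    def login_third_party(self, provider, open_id, token):
        # e.g. ('weixin', openId): known row -> refresh the token; unknown -> create user + auth row.
        row = self._auth_row(provider, open_id)
        if row:
            self.db.execute("UPDATE user_auth SET credential=? WHERE identity_type=? AND identifier=?",
                            (token, provider, open_id))
            return row[0]
        return self._create_user(f"{provider}_{open_id[:6]}", provider, open_id, token)
```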
2.2.3 Advantages and disadvantages
Advantages:
- Login types can be extended without limit, and the development cost of a new login type drops significantly;
- Under the original design, when the application needs to know whether the phone number or the email has been verified, a separate field is needed for each, such as phone_verified and email_verified; now a single verified field added to the user authorization information table shows, for each login method, whether it has been verified;
- Adding time and IP address columns to the user authorization information table allows the user's habits to be tracked more fully, for example: has not logged in with Weibo for more than two years, bound WeChat 300 days ago;
- If you consider email and phone number part of the user's information, the user basic information table can still be extended with email and phone columns, but there they are for "display purposes" only and are no different in nature from attributes such as nickname, avatar or gender;
- Any number of logins of the same type can be bound: a user can bind several WeChat accounts, several email addresses or several phone numbers. Of course, you can also restrict each login type to a single record.
Disadvantages:
- When a user has several in-site logins (email, user name, phone number and so on), all of them must change password at the same time; otherwise both email + new password and phone number + old password can log in, which is certainly a strange situation;
- The amount of code grows, and in some cases the logical checks become harder. For example, regardless of whether the user is logged in or registered, the same Weibo authorization callback link can lead to several situations:
  - The Weibo account is not registered on this site and nobody is logged in: register and log in directly;
  - The Weibo account already exists on this site and nobody is logged in: log in directly;
  - The Weibo account is not registered on this site, the current user is logged in and is already associated with another Weibo account: handle according to whether binding multiple Weibo accounts is allowed;
  - The Weibo account is not registered on this site and the current user is logged in: try the binding operation;
  - The Weibo account is registered and the user is logged in with this very account: they are binding themselves to themselves, why repeat it?
  - The Weibo account already exists on this site, but the current user is logged in and is associated with another Weibo account: how should this be handled?
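The Weibo-callback case analysis above, as an added Python decision function that is not from the original post; the input names and the outcomes chosen for the two cases the post leaves open are assumptions.

```python
def resolve_third_party_callback(bound_user, current_user, current_user_already_bound, allow_multiple=False):
    # bound_user: id of the site user the returned Weibo uid is already linked to, or None.
    # current_user: id of the logged-in site user, or None when nobody is logged in.
    # current_user_already_bound: whether current_user already has a Weibo row in user_auth.
    # allow_multiple: whether one user may bind several Weibo accounts (a policy choice).
    if current_user is None:
        # Nobody logged in: the post's cases 1 and 2.
        return "login" if bound_user is not None else "register_and_login"
    if bound_user is None:
        # Unknown Weibo account with a logged-in user: cases 3 and 4.
        if current_user_already_bound and not allow_multiple:
            return "reject_second_binding"
        return "bind_to_current_user"
    if bound_user == current_user:
        return "already_bound_noop"  # case 5: binding oneself to oneself again
    # Case 6 is left open in the post; assumption here: never merge silently, ask the user.
    return "conflict_ask_user"
```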
3. One-click login
3.1 Background
Recall login by phone number + verification code:
- Enter the phone number, wait for the SMS with the verification code, enter the code, tap Login. The whole process may take more than 20 seconds and involves quite a few steps;
- It depends on the SMS network: if the SMS does not arrive, the user cannot log in;
- From a security point of view, there is a risk that the verification code leaks. If someone knows your phone number and steals the verification code, they can log in to your account.
But think again about why a verification code is needed at all. Its function is to establish that the phone number is yours. Besides SMS, are there other ways to verify the phone number?
- If we could obtain the phone number currently in use on the device, we could verify the number the user enters against it. For security reasons, however, the client cannot read the phone number directly; only the carrier can look it up from the SIM card data.
- Carriers have now opened up the relevant capability: after the user enters a phone number, we can call the carrier's interface to check whether the entered number matches the number of the device. This removes the wait for the SMS and the step of entering the code, no longer depends on the SMS network, and simplifies the login flow.
- Going a step further: if the carrier can return the current number to us directly rather than just verifying it, the user does not even need to fill in the phone number.
This is the protagonist of this part: one-click login.
3.2 Local number verification
Obtain the phone number currently used by the phone and log in with it directly; this is one-click login.
The benefits of this login are obvious: registration and login are completed far more easily and quickly. A flow that originally took maybe 20 seconds is reduced to about 2 seconds, greatly improving the login experience.
The main steps are as follows:
- SDK initialization: call the SDK's initialization method, passing in the project's AppKey and AppSecret from the platform.
- Bring up the authorization page: call the SDK's authorization interface. The SDK first sends a request to the carrier to obtain the masked phone number; on success it jumps to the authorization page, which displays the masked phone number and the carrier's agreement for the user to confirm.
- Agree and authorize: when the user accepts the agreement and taps the login button on the authorization page, the SDK requests a number-retrieval token; on success the token is returned to the client.
- Retrieve the number: the client sends the token to our own server, which calls the carrier's one-click login interface with it; on success the call returns the phone number. The server then logs in or registers the user with that phone number and returns the result to the client, completing one-click login.
At present Alibaba Cloud provides this capability, compatible with the three major carriers; see the Alibaba Cloud SDK.
4. Summary
In the blogger's view there is no best option, only the design that fits the current system. Don't insist on which one is better in the abstract: only the foot knows whether the shoe fits.