In working on Podium, a site which aggregates upcoming talks in Toronto, I ran into a challenge that I'm sure many others have faced: implementing a comprehensive workflow including Facebook Connect.
With our next version, we want visitors to have the option of connecting through Facebook, or by creating a custom Podium account. This presents particular challenges that I couldn't find documented too well online.
This post will document the flow after a user successfully connects their Facebook account and my server receives a request at /facebook/connect. At the end of the post you'll find a diagram I drew that helped guide me through the logic.
I'm using PHP on the server side, but since it's logistical, it shouldn't really matter.
Login/Workflow
- Does the
getUserAPI method return a Facebook ID (eg. not0)? Yes- Is the user already logged into a Podium account?
Yes- Does the logged in user already have a Facebook ID assigned to their Podium account?
Yes- Fail: "You already have a Facebook account connected to your Podium account. Please disconnect your existing Facebook account first."
No- Is the Facebook ID already assigned to a Podium account?
Yes- Fail: "This Facebook account is already connected to a different Podium account. Please disconnect the Facebook account from that Podium account first."
No- Assign the Facebook ID and email to their Podium account
No- Is the Facebook ID already assigned to a Podium account?
Yes- Log the visitor into that Podium account
No- Is the Facebook email already assigned to a Podium account?
Yes- Assign the Facebook ID and email to the Podium account (this works because Facebook requires emails to be verified before being set as the primary one)
- Log the visitor into their Podium account
No- Create a Podium account
- Assign the Facebook ID and email to their Podium account
- Log the visitor into their Podium account
No- Fail: May happen when a user does not allow an application to access their details. May also happen for unknown reasons.
I wouldn't be surprised if there are some edge cases that I'm missing here. This logic makes solid sense to me. I imagine something similar (yet hopefully less complex) will be required for the /facebook/disconnect request/workflow.
I hope this helps someone else. It took some time to sketch out, but was worth it I reckon. If you're in Toronto, check out Podium, won't ya ;)
Sketch
Updates
The picture is already out of date, as I added in a check against the primary email of the Facebook account. There is an edge case I thought of, but am choosing not to address due to it's unliklihood. Namely, that a Facebook account is connected to a Podium account, then the Facebook primary email is changed, and then the visitor attempts to disconnect their Facebook account from Podium and reconnect it to a different Podium account.
Phewf. Ya, not accounting for that :P