No way to set your password

The register/login process is fine, but you need the current password in order to change/set it from you profile.

Hm, good point. This wasn't the case in D6 and I didn't think about it when I ported the module to D7. Of course you don't really need a password if you're logging in via Facebook every time, but we should build-in some kind of skipping functionality so you don't need a password if you haven't set one yet. Because FBOAuth saves an empty string in the database, it's impossible to enter a "correct" password since anything entered (even an empty string) will be hashed first before checked against the database.

In the mean time, if a user is unable to login, they can use the Reset Password tab to set a "new" password.

Hm, setting a password would be a good thing, but I don't think this would be something all sites would want. There's really no need to set a password at all, users that use Facebook to log in have a tendency of using it all the time, rather than using a password.

The code you dug up looks like it could be a work-around, though attempting to trigger the no-password behavior by setting SESSION variables seems unreliable.

subscribe.

I have the same issue here..
As quicksketch said, I don`t think people would like to get a generated password. The best solution is to skip the "current password" field at the first time new users edit their profile.

It would be nice to get this working as soon as possible because if someone Deauthorize the Facebook login feature and did not setup new password, they will loose account access.

It would be nice to get this working as soon as possible because if someone Deauthorize the Facebook login feature and did not setup new password, they will loose account access.

If you have an existing account on the Drupal site and you (re-)authenticate with Facebook, if the e-mail addresses line up between Drupal and Facebook, your account is automatically linked (rather than making a new account), because e-mail addresses have to be unique anyway. So they're still not actually locked out of their account. And as I said above, the user can use the password reset option to gain access to their account too.

Here is a patch for fboauth module.
If a user has authenticated his facebook account, he won't be presented with "current password" field, though he can set his password and other details.
When he de-authenticates his facebook account, a warning to reset password is already displayed.

Thanks @fotuzlab, I'll give this a shot. Though it looks like we should only hide the password field if they haven't specifically set one? Removing this field also has security repercussions in that it makes the end-user more vulnerable to XSS attacks to hijack their account. Though D6 didn't have similar protections... so we're no worse off than any D6 site out there.

I agree with you on that. It is definitely like back porting to D6.

The other option I found feasible was to ask the user to set a password at time of or after authentication. But users are not used to such kind of workflow. I mean most of the websites use facebook connect and users are habitual of instant registration.
Not sure if auto generating and feeding a password would be a good option on every profile edit attempt.

May be we can add a warning to set a password asap to secure user's details. Once the password is set, "current password" field would show again for future edits.
Thoughts?

May be we can add a warning to set a password asap to secure user's details. Once the password is set, "current password" field would show again for future edits.

I think that would make sense. FBOAuth already asks users to set a password when they first log in, though ironically you can't actually do that in D7 version. FBOAuth sets the password column in the database to an empty string so it's already easy enough to know that the user hasn't set a password at all. While an empty column may sound dangerous (as if you might be able to log in with a blank password), this isn't the case because all passwords (even blank) are hashed before they're checked against the database. A blank value therefor will never match anything.

So in short I think we could check if the password is blank, and if so, show another message on the user profile page requesting that the user set a password. We can hide the existing "Current password" field using your code in #9.

"show another message on the user profile page"

Did you mean persistent/status message at the time of login?

I have another idea that might not have a lot of security problems. What do you think if we do this, when the new user connects to facebook our app get some information from him (email, name, bio, etc), right? We can define a default "current password" with birthday date, for example. So, the user will connect using facebook and to change the password, the current one will be his birthday date (information we got from facebook).
We continue showing the alerts (as said before) asking the user to change their current password.

We can define a default "current password" with birthday date, for example. So, the user will connect using facebook and to change the password, the current one will be his birthday date (information we got from facebook).

That sounds even more likely to cause problems. When the user doesn't have a password at all, it's impossible to guess. Imagine a site that had thousands of users and if their passwords were all set to their birthdays. It'd be much more likely that a hacker would figure that out a lot faster than the end-users would.

Did you mean persistent/status message at the time of login?

I meant just put a message at the top of the user/x/edit page.

Was busy travelling...
Here is the revised patch against 7.x-1.4

Patch #16 works fine on version 1.4

Putting these patches together into a single file (and using the right patch format) would make reviewing a bit easier. This isn't a critical bug (or even major bug), as I said in #5. Users aren't locked out, they *can* actually set a password by using the password reset, and most users won't notice because they'll use the Facebook login button anyway.

@quicksketch: I have renamed the patch.
IMO it should be marked critical for its usability issue. Of course you can reset your password, but then you need to logout first. Most users do not think so hard. This bug was reported to me by a user and to her it was a blocker, without any work around!

Just adapted the patch to the drupal standard.

@fotuzlab it's not just a matter of file name, maybe this page can be helpful in the future. It was for me.

Drupal for FB has the same issue, but it auto generates a password during account creation. I added a patch there that notifies the user of this pass here #1326430: Sending account creation notice with password to new user after using FB Connect. Maybe it can be considered as an alternative way here, as it is one less thing for the user to do or click.

Thanx Davide for the link. I'll surely follow these guidelines to submit a patch in future :)

@giorgio79: Interesting! I was thinking on the lines of how users are acclimatized to using facebook connect...click and over, no mails, no notifications, no pass generation. But surely your solution solves the security issues one may have. Lets have others' opinions.

But surely your solution solves the security issues one may have. Lets have others' opinions.

I don't know... e-mailing a user a raw-text password is about the least secure thing you can possibly do. IMO that's much worse than disabling the existing password field. Sending passwords over unencrypted traffic like e-mail is highly susceptible to interception.

I agree. Sending passwords via email is really a bad habit.
Surely more exploitable than having no "old password" field in the user edit form for those users who haven't set their password yet.
(imho)

If it's included in Drupal core I guess it passed security review http://api.drupal.org/api/drupal/modules%21user%21user.module/function/_......

It's included as an option, not as the only way.
What about doing the same and add an option to let the site admin choose?

If it's included in Drupal core I guess it passed security review http://api.drupal.org/api/drupal/modules%21user%21user.module/function/_......

Drupal core doesn't have a token any more for password, you can only send a password reset link (essentially the same thing as users using the reset password form). The default e-mails that come out of the box just say literally Password: Your Password.

In any case, I think the current approach is taking the right path. I need to find time to actually sit down and apply it and test it out.

The approach in #21 worked great for me. I only found one problem where the message is displayed immediately after the user submits the form, which is rather confusing. This patch works the same way but only displays the message when the form is initially viewed and not on submit. Thanks for the patch, committed to the D7 branch.

Here's the patch of the committed changes.

Thanks quicksketch could you create a new release please? This is a great new feature. :)

I'd like to get #1441758: Support deauthorization requests from Facebook solved first too.

I have updated this slightly to use the hook_user_login() to highlight to the user that they should set an account password every time a user logs in.

This helps to make the user accounts more secure even though it is linked to a Facebook account.

Updated user_login() hook to work with the popup window from #1364698: Popup / modal dialog?