Multiple FS companies with same usernames

I have two FreeAgent companies and use the same username to log in to each.
The password is different for each user. Given there is no way to specify
the subdomain with the API, I have three questions:

  • How does it work out which company I am referring to?
  • Given that the answer to the first question is probably “using
    username and password”, does this mean you are storing passwords in plain
    text so they can be searched against?
  • What would happen if I had used the same password for both companies?

I’m developing an app for use by others, and although I always use
different passwords for every auth most users do not.

Hi Tom,

Thanks for getting in touch. First up let me assure you that we do not
store passwords in plain text. As is common secure practice, we store
securely hashed passwords and hash submitted passwords for comparison when
authenticating users.

The API itself uses OAuth to associate your application with a particular
user account in FreeAgent. It does so by asking the user to sign into their
FreeAgent account to authorise your application. This only happens once,
and your app then gets a token with which you can then access FreeAgent as
that user - I’m sure you’ve read over the process in the docs
https://dev.freeagent.com/docs/oauth already.

Now, when your user tries to authorise your app to access FreeAgent,
they’re presented with a login form for FreeAgent. They provide their email
and password. We then take that email and find all matching users with that
email. We then try to sign the user in to each found account in turn. In
most cases, there will only be one user and it will either succeed or fail.
Where there is more than one user, if the password only works for one of
the found user accounts, we log them straight into that account.

Where it matches more than one, however (i.e. where a user has the same
email and password for multiple accounts), we present the user with a
drop-down menu listing all the accounts against which their username and
password successfully authenticated, and ask them which to give your app
access to.

In other words, it “just works” :slight_smile:

Hope this helps,

-J
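The login flow Jonathan describes above, written out as an added example (this is not FreeAgent's code): passwords are stored only as salted PBKDF2 hashes, every account sharing the submitted email is checked, and the caller gets zero, one or several matches. The company names, sample credentials and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    company: str
    email: str
    salt: bytes
    pw_hash: bytes  # only the salted digest is stored, never the password

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash (assumed scheme; the post only says "securely hashed").
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(company: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(company, email, salt, hash_password(password, salt))

def password_matches(account: Account, password: str) -> bool:
    # Re-hash the submitted password with this account's salt; compare in constant time.
    return hmac.compare_digest(account.pw_hash, hash_password(password, account.salt))

def authenticate(accounts: list[Account], email: str, password: str) -> list[Account]:
    """Return every account whose email AND password match the submitted pair.
    Every candidate is checked (no early return) so response time does not
    reveal how many accounts share the email or which one matched first."""
    candidates = [a for a in accounts if a.email.lower() == email.lower()]
    return [a for a in candidates if password_matches(a, password)]

# Constructed sample data: three companies share one login email, two share a password.
ACCOUNTS = [
    make_account("Alpha Ltd", "tom@example.com", "correct horse"),
    make_account("Beta Ltd", "tom@example.com", "battery staple"),
    make_account("Gamma Ltd", "tom@example.com", "battery staple"),
    make_account("Delta Ltd", "other@example.com", "battery staple"),
]

def login_outcome(email: str, password: str) -> tuple[str, list[str]]:
    # 0 matches -> failed; 1 -> sign straight in; 2+ -> present a chooser.
    matched = authenticate(ACCOUNTS, email, password)
    if not matched:
        return "failed", []
    if len(matched) == 1:
        return "signed_in", [matched[0].company]
    return "choose", sorted(a.company for a in matched)
```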

Excellent reply, and a great way of handling the multiple account issue. I
had hoped that you had something like that in place - probably should have
just tested it by changing my password. Also thanks for the detail on the
password issue. I probably should have guessed given how properly RESTful
the API (good job btw) is, but I thought I had better ask.

Cheers,
Tom

On Wednesday, 9 July 2014 15:16:28 UTC+1, Jonathan Barrett wrote: