I am developing an App that checks on a web server if users exist but should support offline login. I am tempted to store the user's hash information locally to perform offline checks, so I return the password_hash generated via php on the server.
First of all - is that a secure enough approach? Is it possible to check the password_hash in a similar way as PHP's password_verify via PCL? Or should I consider creating a local salt/hash pair? I so, what is the suggested approach?
I would think you generate hash in Xamarin and not sending the whole password to the server but in any case... PCL doesn't have that functionality but you can use DependancyService and implement that in platform specific code
For Andoid:
HashAlgorithm.ComputeHash("fgf");
For iOS
HashAlgorithm.ComputeHash(stream);
Related
I am working on a simple app that allows users to search for something using an API and save it to view later.
However, I don't want to integrate authentication in the app. I can, but would rather not as a UX decision. Do you know of a way to generate a device token, that is unique to every device and can be used to store which assets a device has saved in the db?
I am thinking of expo push tokens as a possible solution, but that would require users to accept push notifications - so what happens if a user says no?
Sounds like you could just use react-native-uid to generate a unique id for your device and then store it in AsyncStorage and fetch it from there going forward.
For more inspiration, or perhaps just a more canonical way to do this... read up on suggestions surroundings the recently deprecated constant for installationId here:
https://docs.expo.dev/versions/latest/sdk/constants
I haven't used this before but if you're looking for something bullet proof then this is probably your goal of getting the same concept.
Firebase Anonymous Authentication might be ideal to use in this case. This can be used to create a user in Firebase auth without any credentials and can be useful especially when you are using either of Firebase's databases since you can use security rules with user's UIDs.
However, once the user logs out of the account by any means including but not limited to using sign out option in your app, clearing app data or uninstalling the app, the same account with that UID cannot be recovered. I looked up for AsyncStorage and apparently that gets cleared to if the app is deleted.
So long story short, I need to pass in a username and password to a web API in order to receive a JWT giving me access to use the API. I'll need to call the API for both web and console apps, so it will be used a lot.
I obviously don't want to call it using plaintext in the app(s) (them)selves because I don't want the credentials stored in version control. I also don't want to use Secret Manager or Environment Variables, because these apps will be used in production.
The only thing I can think of is storing the username/password (as plaintext) somewhere on the server and letting Windows Authentication handle the security of the data.
Is that a good practice though? I mean I guess it's as secure as the server is and if someone got access into the server we'd have bigger problems, but it just seems like it isn't good practice.
Also, I know Azure Key Vault would be ideal in this scenario, but the company is going through a lot of transitions and finances are up in the air with covid - so we're trying to minimize costs as much as possible for the time being.
Any one have any input?
Edit: see my answer for the solution
Currently working on a Hybrid App with Ionic where there is a requirement to store an authentication Token in order to keep the user logged in, and also guarantee that this data cannot be accessed outside the App context.
There is of course plenty of solutions for this task, each one with different pros-and-cons so it's confusing (for me) to locate the one technology that fits.
I've been looking at angular-localForage and other candidates:
LocalStorage
Obvious choice for small data.
Data gets wiped in iOS when the system is low on memory.
IndexedDB
Buggy support in iOS (IndexedDB support)
WebSQL (SQLite)
Apparently a good option for small data and decent support (WebSQL suppport) but it's deprecated.
SQLite
There are related issues with Cordova in iOS.
LokiJS
Looks like an overkill for this scenario but is definitely a strong candidate. Is the any security concerns I should be aware of (as I read it locally persist data to JSON files)?
PouchDB + SQLite
Well, it's a JS client to work with CouchDB or Couchbase databases wich can also work with SQLite but again I only need to store a Token..
So apparently the best option for Android/iOS cross-compatibility should ironically be WebSQL, but is no longer being developed and I have to guarantee long-term support.
So my question is: are there any other options I'm missing to securely store an access Token? If don't, wich of the above ones should be the best choice for this task?
After doing some research I will share my conclusion.
Funny enough, none of the above candidates are suitable for securely storing an access Token. The approach should be using a native solution for both Android (Shared Preferences) and iOS (Keychain).
In the particular case of Ionic, a broadcaster plugin for Cordova could be used to communicate JS with Native so you can access the stored data.
The only secure way is using "httponly cookie". However, since april 2020 Apple uses wkwebview which has cookie problem.
SQLite is the best option to go with as the content of DB will be encrypted and saved. Also native apps rely on SQLite to save data.
To make CRUD easier with SQLite, I have created a wrapper library. Please check it here
Go for LocalStorage, it is the best way to store
I am creating an app with user login using sqlite i am storing the login details which includes the users favorite movies.suppose another user who has downloaded the app also picks the same movie i want to be able to let the other 1st know about 2nd user.how do i do that.does the sqlite db used to store login details be available for the other user or should i have server to upload each user's login details?I think my confusion is stemming from the fact that i dont understand how people use sqlite in iphone app ?
In very rare instances SQLLite should be used directly. The best way to handle data storage local to an iOS device is CORE DATA. I would suggest you consider using Core Data for storage and not call or mess with SQL Lite directly.
Where would I find info about creating a user login system using meteor.js? Is there an existing library that I could use?
UPDATE 4: And Meteor now has full support for accounts, users, etc
see http://docs.meteor.com/#accounts_api
UPDATE 3: Since v0.5.0, Meteor supports authentication
and allow/deny rules on collections.
See http://docs.meteor.com/#allow for info.
Thanks, #Dan Dascalescu !
Update 2: As Greg points out, you actually can lock down the CRUD
methods by overriding them with empty functions (more info here:
https://stackoverflow.com/a/10116342/1180471). So while I assume the
auth functionality will make things simpler, you can already roll your
own with relatively low effort.
Original answer kept for historic purposes:
AFAIK meteor doesn't provide a way to do this yet since there is no way to lock down (part of) the database, so for the moment the only way to do it in a secure way is to bypass meteor and either:
- drop down to node and use a seperate database or authentication API
- use HTTP authentication
I imagine this is pretty high up on their todo list, though...
Update 1:
They already started implementing, you can see the code in the livedata-auth branch:
https://github.com/meteor/meteor/compare/master...livedata-auth
In the meantime, Meteor has implemented a full authentication and user management system, complete with a UI for easy login using popular OAuth services (Google, Facebook, GitHub, Twitter, Weibo).
It actually isn't too hard to do some simple auth in meteor. The blogging system britto has it setup. Essentially you, restrict the database from the client, then use an api key to make requests to server side methods.
restricting client db access: How do you secure the client side MongoDB API?
britto server code: https://github.com/jonathanKingston/britto/blob/master/server/server-britto.js
in the britto source, take a look at the methods create user and login user
You can find a working example of a user login system I've created for Meteor over at https://github.com/matb33/meteor-userauth.
You'll need Meteor > 0.3.5, so as of this writing you'll need to run the devel branch of meteor.
And you can also build a custom login system with Meteor very easily.
See my notes: http://meteorhacks.com/extending-meteor-accounts.html