How to secure communication between Ionic app and the custom php REST API


#1

I have a project that includes a web application, a mobile app (Ionic 3) and a REST API module (on HTTPS).
My main concern is to implement a secure login and communication between them.
Below I detail the solution I chose, and I want to ask if it is correct and secure.

Steps to follow:

  1. on login in the app the server returns a JWT Access Token

  2. when I call any function from API (except login) I will send the following parameters:

  • inside header: JWT Access Token (stored in local storage)
  • inside body: any other param necessary to call the API’s functions
  3. inside every function from the REST API, before execution, I check if the Access token is valid.

Token validation:

a) if the Access token is valid I continue to execute the function and return a value to mobile app

b) if the Access token is NOT valid means I have 2 possible error sources:

  • b1) the Access token integrity is compromised -> the returned answer redirects the user to login (this way he doesn't have access anymore to the app)
  • b2) the Access token expired -> I create a new Access token with the same payload but with new validity. At the same time I create the new Access token, I also check the IdClient (IdClient is taken from the Access Token payload) in the DB (if it is active, if it has the same rights to access the API ...). After this I send this new JWT Access token to the mobile app to be used and stored.

This way, I believe I don't have to use a Refresh token, even if the Access Token I use has a limited life period.

Is this correct and secure or am I missing something?

Thanks a lot!

