Persist username and password


#1

Hi everyone,

I have an app with a username and password. Below is the code for this. My question is, how can I persist the username and password once it's been entered and approved? The current setup logs me out after a while. I actually only need it to authenticate once; after that it can bypass authentication altogether.

Any help is appreciated. thanks!

// Ionic v1 / AngularJS controller body for the login screen.
function ($scope, $stateParams, $ionicAuth, $ionicUser, $state) {

    // Bound to the username/password inputs in the login template.
    $scope.credentials = {
        'username' : '',
        'password' : ''
    };

    $scope.login = function () {

        // Credentials are compared against constants in the source itself.
        if ($scope.credentials.username == 'username' && $scope.credentials.password == 'password') {
            // Navigate!
            $state.go('tabsController.category');
        }
        else {
            $scope.credentials.password = '';
            alert('Username or Password is incorrect');
        }
    };

}


#2

Can’t you just save their username and password using ionic-storage and then do a this.storage.get() check of their credentials when opening the app to bypass your login?


#3

Never do this. The entire point of having people enter a password is so that compromising the device does not compromise sensitive information. Submit the credentials, receive a JWT, persist that if you wish, but never save passwords themselves.


#4

Thanks for your input. I’ll check into ionic-storage!

@rapropos, I hear what you're saying. This is an interesting scenario, as it's a universal password (one username and password) for the entire user base. This app contains protocols for my EMS system (which are public information anyway, upon request), but the Chief wanted to have the app password protected to keep just anyone with an iOS or Android device from taking them without asking.
The users are asking me to find a way to persist, or save, the password so they only have to log in once, and I'm trying to find the best way to do this. I'd love to eventually use TouchID and FaceID.

Thanks again.


#5

For that to really be effective, you can't just compare the password to some constant value baked into the source code. Anybody with a copy of the app binary (not even any need for a device) would be able to access the (let's call it "secret stuff" for the sake of brevity, even though I get that it technically isn't).

What you would have to do is encrypt the secret stuff using a KDF (personally I recommend scrypt). Then the first time the app is run, the user enters the password, you use the KDF to generate a decryption key, decrypt the secret stuff. If you use AES in GCM mode, the decryption operation can detect whether or not the right password has been provided, even without said password itself being stored anywhere in the app binary. WebCrypto is capable of doing AES/GCM in Ionic apps.

Which brings us to an alternative answer to your question, which is:

Instead of storing the password anywhere, you could store "decrypted secret stuff" in ionic-storage. You would have no larger a threat surface than storing the password (a stolen authorized device has everything needed to access the secret stuff), but it would be considerably more performant, as the decryption need only be done on first run. On successive runs, you simply load secret plaintext from storage.

This scheme would also obviate the need for the concept of “username”. Only a password would be required.

