Hello
I’m quite new to Ionic 5 and Angular. I want to develop an app that requires the user to log in the first time and remembers them so they won’t have to log in every time.
I have read different articles on how to do this, one telling me to store the user and password locally, and another explaining how insecure this is and that I should use a JWT token generated by the server.
As you guys have a lot more experience than me, could you educate me on the best method and practices to achieve this?
You definitely should not store the username and password in the app. How we solve this in our apps:
A user can log in and gets an auth token returned that is then sent with every REST call. With this you can authorize the user in every request and you know who is calling. Also, we store this token in a secured storage:
iOS: Keychain
Android: SecuredPreferences
Then if you open the app again, read the token and try to authorize the user --> if it works, the token is valid and the user is logged in; if not, forget the token and show the login screen.
Thank you for this information. Is there any documentation on Ionic that explains how to do this?
Also, I plan to get the login information from a database on my web hosting; can this still be achieved with this method?
Can you elaborate a bit about what precisely you mean here? What is “login information”, what does “get”ting it involve, what is in this database and who manages it?
I suggest that you understand the basics of OAuth2:
https://oauth.net/2/
Also this youtube video may help:
https://www.youtube.com/watch?v=SXDce0e3Ue4
Also, you can use 3rd-party services for authentication using JWT and OAuth2.
However, you don’t need to store the username or password; you exchange them, when the user logs in, for a token that you can store securely in some local storage in your Ionic app.
In OAuth, you need to send the token (JWT) on every API call; that’s how the server will recognize the user and authorize the request.
You need to handle what happens if the token gets rejected by the server: mainly, you will have to remove the current token from local storage and redirect the user to the login page to obtain a new token.
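Putting the two answers above together (log in once, exchange the password for a token, keep only the token in secure storage, re-validate it on launch, and forget it when the server rejects it), here is an added example of that client-side flow. It is not code from the thread or from Ionic; the storage and HTTP calls are injected as synchronous stand-ins for the asynchronous Capacitor secure-storage plugin and HttpClient calls a real Ionic app would use, and the user "alice@example.com" and her password are constructed for the demo.

```typescript
// Added example (not from the thread): login -> token -> secure storage ->
// re-check on launch -> "rejected: forget token, show login".
// Storage and HTTP are synchronous stand-ins so the flow runs offline.

interface TokenStorage {            // real app: iOS Keychain / Android encrypted prefs
  get(): string | null;
  set(token: string): void;
  clear(): void;
}

interface AuthApi {
  // POST /login: a token on success, null on bad credentials
  login(email: string, password: string): string | null;
  // GET /me with "Authorization: Bearer <token>": does the server still accept it?
  verify(token: string): boolean;
}

type Screen = "login" | "home";

class AuthSession {
  constructor(private storage: TokenStorage, private api: AuthApi) {}

  // App launch: a stored token is trusted only after the server re-validates it.
  resume(): Screen {
    const token = this.storage.get();
    if (token === null) return "login";
    if (this.api.verify(token)) return "home";
    this.storage.clear();             // rejected: forget it and fall back to login
    return "login";
  }

  // Login form: the password is exchanged for a token and never kept anywhere.
  login(email: string, password: string): Screen {
    const token = this.api.login(email, password);
    if (token === null) return "login";
    this.storage.set(token);
    return "home";
  }

  // Wrapper for every REST call: attach the token; on 401 clear it and report "login".
  withAuth<T>(call: (authHeader: string) => { status: number; body?: T }): { screen: Screen; body?: T } {
    const token = this.storage.get();
    if (token === null) return { screen: "login" };
    const res = call(`Bearer ${token}`);
    if (res.status === 401) {
      this.storage.clear();
      return { screen: "login" };
    }
    return { screen: "home", body: res.body };
  }
}

// --- constructed in-memory stand-ins for a demo run ---------------------------
class MemoryStorage implements TokenStorage {
  private token: string | null = null;
  get() { return this.token; }
  set(t: string) { this.token = t; }
  clear() { this.token = null; }
}

// Fake server with one (constructed) user; tokens stay valid until revoked.
class FakeApi implements AuthApi {
  private issued = new Set<string>();
  private counter = 0;
  login(email: string, password: string) {
    if (email !== "alice@example.com" || password !== "correct horse") return null;
    const t = `tok-${++this.counter}`;
    this.issued.add(t);
    return t;
  }
  verify(token: string) { return this.issued.has(token); }
  revokeAll() { this.issued.clear(); }   // server-side expiry / logout-everywhere
}

// Walk through the lifecycle and return which screen the app would show at each step.
function demo(): Screen[] {
  const storage = new MemoryStorage();
  const api = new FakeApi();
  const session = new AuthSession(storage, api);
  const trace: Screen[] = [];
  trace.push(session.resume());                                   // first launch, nothing stored
  trace.push(session.login("alice@example.com", "wrong"));        // bad password
  trace.push(session.login("alice@example.com", "correct horse")); // token issued and stored
  trace.push(session.resume());                                   // "relaunch": token re-validated
  api.revokeAll();                                                // token expires server-side
  trace.push(session.resume());                                   // rejected -> cleared -> login
  return trace;
}
```

The point of `resume()` is that the stored token never puts the user straight on the home screen; the server gets the last word, so a token revoked or expired server-side drops the app back to the login screen and out of secure storage in the same step.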
Apologies for being vague.
The app will send the entered email and password to a PHP file (API) to be checked against the information in the database.
The database will contain user information, i.e. email, password, name etc., and it runs on my web hosting.
I’ll have a read up on auth tokens and OAuth and see if I can find some tutorials so I can get familiar with them.
That’s what I needed to know.
Forget about OAuth; the only point of it is to do authentication via third parties where you don’t directly get the password.
If you remember only one thing you read today, please let it be this:
DO NOT STORE USER PASSWORDS IN THAT DATABASE
The majority of data breach horror stories you’ve read about in the news over the years have been caused by people doing that.
Instead, use a hash function, and store and compare hashes. I use bcrypt. If you have a massive user base and strained hardware resources, and are willing to impose some pretty hardcore guidelines on minimum password length on your users, then you may be interested in this essay arguing for faster hash functions and longer passwords. Personally, I have not encountered a situation where that tradeoff makes sense for me, so I still stick with bcrypt.
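What "store and compare hashes" looks like on the server side of the PHP login API described earlier, as an added example that is not from the thread. The poster uses bcrypt; this stand-alone version uses Node's built-in scrypt (likewise a slow, salted password hash) so it runs without any package, and it also shows the token half of the exchange with an opaque random token stored only as its SHA-256. In PHP the same hashing pattern is password_hash()/password_verify(); the user record and the cost parameter here are constructed for the demo.

```typescript
// Added example (not from the thread): server-side password hashing and the
// credentials-for-token exchange. scrypt stands in for the poster's bcrypt.
import { randomBytes, scryptSync, timingSafeEqual, createHash } from "crypto";

const SCRYPT_COST = 16384;   // scrypt N parameter (constructed value; raise as hardware allows)
const KEY_LEN = 64;

// Self-describing record "scrypt$<N>$<salt-hex>$<hash-hex>", so the cost can be raised later.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN, { N: SCRYPT_COST });
  return `scrypt$${SCRYPT_COST}$${salt.toString("hex")}$${key.toString("hex")}`;
}

// Recompute with the stored salt and cost and compare in constant time.
function verifyPassword(password: string, record: string): boolean {
  const [algo, n, saltHex, hashHex] = record.split("$");
  if (algo !== "scrypt" || !n || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length, { N: Number(n) });
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Hashed once at startup so unknown emails cost the same time as wrong passwords.
const DUMMY_RECORD = hashPassword("dummy-password");

// The "users" table: email -> password hash. The plaintext is never written.
const users = new Map<string, string>();

// Issued tokens are kept only as sha256(token) -> email, so a copied table
// does not hand out usable tokens either.
const tokenHashes = new Map<string, string>();
function sha256(s: string): string { return createHash("sha256").update(s).digest("hex"); }

function register(email: string, password: string): void {
  users.set(email, hashPassword(password));
}

// /login: exchange credentials for an opaque random token. (A JWT would instead
// carry the identity inside a signed token and need no server-side lookup.)
function login(email: string, password: string): string | null {
  const record = users.get(email);
  const ok = verifyPassword(password, record ?? DUMMY_RECORD);
  if (!record || !ok) return null;
  const token = randomBytes(32).toString("hex");
  tokenHashes.set(sha256(token), email);
  return token;
}

// Every later request: "Authorization: Bearer <token>" -> which user, or null if rejected.
function whoIs(token: string): string | null {
  return tokenHashes.get(sha256(token)) ?? null;
}
```

The record format is the reason a later cost increase does not break existing users: `verifyPassword` reads N from the stored record, so old hashes keep verifying while `hashPassword` writes new ones at the higher cost (bcrypt's `$2b$<cost>$...` format serves the same purpose).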
So do continue to read about JWT. As you can see, there are a zillion implementations, including what looks like about 10 for PHP. I can’t speak to the details of those, because I use Go for my backends.
One final thing: make sure you have an SSL certificate for your web hosting so that you can use HTTPS to transport the login information securely. I use Let’s Encrypt for this.