The user logs in → the server validates the login and sends back a token that will be used to authenticate the user on future requests to the server.
The problem: how do I store this token securely on the user's device?
I’m aware of Ionic Offline Storage, which seems to be perfect for this use case; however, we are a small team that doesn’t have the cash flow to be able to afford Enterprise Ionic at the moment.
What are free, open source alternatives that are still maintained?
To rephrase what I think I’m hearing from @Tommertom here, can you outline the specific threat you’re concerned about here? For example:
We’re worried about blackhat getting physical access to a device and impersonating an actual user on our service
This would be a reasonable, albeit rather unusually paranoid, concern, which would be addressed by adding another layer of security. However, and this is a big “however”, in order for it to be meaningful, your user would have to enter a passphrase (at least) every time they open your app, and every time the phone comes out of hibernation. Generally, users aren’t willing to trade that rather significant annoyance for protection in the case their phone gets stolen, especially since if that were to happen, the authentication token on your app is not likely to be top of mind.
We want to make sure that whitehat (authorized user) is not permitted to see the innards of the token we are storing on their device, because it contains some other sort of secret in it
This, on the other hand, would be a no-good, very bad, unreasonable concern that would not be solved by storing the token “securely”. Redesign the system so that it’s OK if authorized users can inspect their tokens.