Secure Storage on PWA


#1

How to store sensitive data like passwords in my PWA?


#2

You don’t. At least definitely not locally inside your PWA. You should handle that on your server.


#3

To back up Luukschoen’s statement - if you’re talking passwords you need to store tokens instead if you can.


#4

What do you mean by tokens? Tokens retrieved from backend after a login request?

If so, my app needs to update the tokens with some frequency in a transparent way. So it needs to keep user and password to retrieve new tokens.


#5

To reiterate what others have said, you definitely do not ever want to store a password in your application. There are different ways you can create tokens for the sake of remembering a user, but to give one example that doesn’t require you to store user credentials…

A JSON Web Token (JWT) can be stored locally on the device after the user authenticates initially. This JWT can contain some identifying information like a user id (not the password, nothing sensitive should be stored in a JWT), then when you need to authenticate that user you can just check the userId that is stored in the JWT they send to the server. The trick with a JWT is that the server can tell if it has been tampered with, so if a user sends a JWT that says they are the user with an id of 53 you can believe that.

Theoretically, the JWT could be stolen from storage just like the password could, so there is the potential that an attacker who stole a JWT could authenticate themselves as that user, but performing the authentication in this manner means they won’t be able to steal the password itself.


#6

Lots of systems allow for a token to be refreshed…