[hoodie.account] offline signIn/signOut #397

Closed
tlvince opened this issue Jan 2, 2015 · 3 comments


tlvince commented Jan 2, 2015

How feasible is offline login session control?

We have a use case whereby we need multi-user support that works offline. After the initial bootstrapping (download app, signup), the user(s) are 90% offline (they've only a small window of time to go online).

What makes this trickier is the device (an Android tablet) is shared between users whilst offline. These users need at minimum visibility control over their data, i.e. they need to be able to login/logout so that they can only see their data and not that of others.

There are a number of related issues here (security of local data, "offline signups"(?)), but let's assume the simplest case where all users have already signed up and security isn't an issue.

AFAICT, right now, `hoodie.account.signIn` and `hoodie.account.signOut` are online-only operations. Can they feasibly work offline?

Member

gr2m commented Jan 2, 2015

It's correct that the current `hoodie.account.signIn` and `hoodie.account.signOut` do not work offline, as they send requests to the server to start a user session, which then triggers the bootstrap of the user's data from the server.

I'd love to find a way to make it possible though. Probably with the help of a custom plugin, at least in the beginning. My use case would be that the bootstrapping of user data can take quite a while. Making `hoodie.account.signIn` work offline would make it immediate instead, which would be a great benefit for the user experience.

Another use case: Sometimes a user needs to sign out, despite changes that have not yet been synchronized. If we found a way to sign out when offline, it should fix this use case, too.

The only way I could think of so far would be to securely encrypt the user's data in the browser's local store. When a user signs in, you'd check if an encrypted store exists and then decrypt it. That's the general concept so far.

How exactly the encryption / decryption would work, and whether there is a secure method at all, I haven't researched yet. Probably we'd use the user's password to encrypt / decrypt, which means we'd need to ask the user for the password on signOut, if the data should be stored offline.

A project I planned to look into for this is https://github.com/calvinmetcalf/crypto-pouch. Maybe you can do some research on this topic? Happy to help as well as I can, but I'll have limited time in the coming weeks.
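
The concept outlined in the comment above (seal the store under the user's password on sign-out, treat a successful decrypt as offline sign-in), as an added example that is not part of the original thread and is not Hoodie or crypto-pouch code. It assumes Node's built-in `crypto` module (scrypt plus AES-256-GCM); `localStore`, `deriveKey`, `signOutOffline` and `signInOffline` are hypothetical names, and a `Map` stands in for the browser's local store.

```javascript
// Added example: per-user encrypted local store, offline "sign-in" by decryption.
// A Map stands in for the browser's local store (assumption, not Hoodie's API).
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

const localStore = new Map(); // username -> { salt, iv, tag, data }

// Derive a 256-bit key from the password; the salt is fresh for every sealed store.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32); // Node defaults: N=16384, r=8, p=1
}

// "Sign out": seal the user's documents under their password.
// The caller is expected to discard the plaintext docs afterwards.
function signOutOffline(username, password, docs) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // never reused: a new salt and IV per seal
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(username, 'utf8')); // bind the blob to this account
  const data = Buffer.concat([cipher.update(JSON.stringify(docs), 'utf8'), cipher.final()]);
  localStore.set(username, { salt, iv, tag: cipher.getAuthTag(), data });
}

// "Sign in": returns the user's docs, or null when no sealed store exists,
// the password is wrong, or the blob was tampered with or moved between accounts.
function signInOffline(username, password) {
  const sealed = localStore.get(username);
  if (!sealed) return null;
  const key = deriveKey(password, sealed.salt);
  const decipher = createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAAD(Buffer.from(username, 'utf8'));
  decipher.setAuthTag(sealed.tag);
  try {
    const plain = Buffer.concat([decipher.update(sealed.data), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // GCM authentication failed
  }
}
```

The password is never stored or compared directly: the GCM tag check is the credential check, so the quality of the password and the KDF cost are what protect a store copied off a shared device.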


gr2m commented Mar 31, 2015


gr2m commented May 7, 2016

I’m a committer to crypto-pouch and contributed quite a bit to it lately. I’m quite sure that this is technically possible, but probably we will create a plugin for it in the future. Happy to chat if you want to build it with the new Hoodie :) Closing in favor of hoodiehq/hoodie-client#84

@gr2m gr2m closed this as completed May 7, 2016
@gr2m gr2m removed the later label May 7, 2016