Ensure that password isn't stored in AsyncStorage by default #2223
Comments
While we're in there, any
- authPassword: types.optional(types.string, ""),
+ authPassword: "",
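Review bot: the `+` line is a cosmetic change, not a fix for this issue: in mobx-state-tree, `authPassword: ""` inside a model's props is shorthand for `types.optional(types.string, "")`, so the property stays part of the model's snapshot and still reaches AsyncStorage. Keeping the password out of persisted state needs a separate step (omitting the field when the snapshot is written, or not modelling it as a persisted prop at all), so this tidy-up should land as a refactor rather than as the resolution.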
I know that on the web, there isn't really a way to store passwords or secure tokens client side. The only way to do so is through a cookie, but that is because client side javascript cannot access a cookie. The alternative is storing a refresh token, which can be used to make a request to the server to get an access token and make auth requests. Is AsyncStorage accessible by other apps?
Here are some relevant docs about storing sensitive info from the official React Native docs: https://reactnative.dev/docs/security#storing-sensitive-info
Just opened a PR to address this. Do we want to add a way to store sensitive info like @joshuayoes mentioned? We used https://docs.expo.dev/versions/latest/sdk/securestore/ in our client project. I can open a separate ticket to file this as an issue if so. @jamonholmgren
@kateinkim I checked the PR for this but it doesn't really solve the issue. Correct me if I'm wrong, but I think I believe the solution is to clear these "before saving" into storage. Or maybe refactor the
@lodev09 I am very sorry for the late reply. IR took a week off over the holidays and I just realized that I should have replied back to you sooner! As I mentioned in the PR, I think we do actually want I also think you're right about always presenting the login screen with this update, which is why I was suggesting something like https://docs.expo.dev/versions/latest/sdk/securestore/ so we can store the login credentials in the keychain instead of keeping it in the state tree at all.
No worries @kateinkim. Happy new year! I think the easiest and safest solution is to just omit
Just stumbled on this issue now with v8.5.1; the demo app didn't work the way I expected it to. I think the proper solution would be to store the login with https://www.npmjs.com/package/react-native-keychain#setinternetcredentialsserver-username-password--accesscontrol-accessible-accessgroup-securitylevel- and to store the authToken with https://www.npmjs.com/package/react-native-keychain#setgenericpasswordusername-password--accesscontrol-accessible-accessgroup-service-securitylevel-
Hello all! I talked to IR folks internally and we agreed that adding any sort of credential storing is beyond Ignite demo scope. If anybody needs a way to store this, they can add any necessary packages in their own projects, and that might be the way going forward so that Ignite doesn't impose a particular solution here. Thanks for your contributions and suggestions 😄
🎉 This issue has been resolved in version 8.5.2 🎉 The release is available on:
Your semantic-release bot 📦🚀
In the AuthenticationStore, the password prop is a normal text type:
ignite/boilerplate/app/models/AuthenticationStore.ts, line 8 at 01c2a11
Which means it's persisted into AsyncStorage as plain text:
ignite/boilerplate/app/models/helpers/setupRootStore.ts, line 43 at 7832f96
We should make sure it's not. I don't know for sure that it's a major problem, but it doesn't feel right.
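The persistence problem described above, as an added example that is not Ignite's own code: a redaction step placed in front of the storage write, the plain-text write the issue describes kept beside it for contrast, and a check a test suite can run over the persisted JSON to catch a regression. The storage key, the in-memory stand-in for AsyncStorage, the field names other than authPassword and authToken, the sample values and the function names (redactSnapshot, persistRootStore, persistedContainsKey, restoreRootStore) are all assumptions made for this example.

```typescript
// Added example, not code from the Ignite repository. It models the issue:
// the root-store snapshot carries authenticationStore.authPassword and the
// persistence layer serialises the whole snapshot to AsyncStorage as JSON.
// MemoryStorage, redactSnapshot, persistRootStore, persistedContainsKey and
// restoreRootStore are hypothetical names; key and sample values are constructed.

const ROOT_STATE_STORAGE_KEY = "root-v1"; // constructed key, not Ignite's own

// Synchronous stand-in for the AsyncStorage setItem/getItem pair so the
// example runs offline without React Native.
class MemoryStorage {
  private items = new Map<string, string>();
  setItem(key: string, value: string): void {
    this.items.set(key, value);
  }
  getItem(key: string): string | null {
    return this.items.get(key) ?? null;
  }
}

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type Snapshot = { [key: string]: Json };

// Dotted paths of fields that must never reach persistent storage.
const SENSITIVE_PATHS: readonly string[] = ["authenticationStore.authPassword"];

// Deep copy of `snapshot` with every sensitive path removed. Works on the JSON
// value rather than on the model, so it can sit in front of any persistence
// call; the live in-memory store keeps its password untouched.
function redactSnapshot(snapshot: Snapshot, paths: readonly string[] = SENSITIVE_PATHS): Snapshot {
  const copy = JSON.parse(JSON.stringify(snapshot)) as Snapshot;
  for (const path of paths) {
    const segments = path.split(".");
    const last = segments.pop() as string;
    let node: Json = copy;
    for (const segment of segments) {
      if (node === null || typeof node !== "object" || Array.isArray(node)) {
        node = null;
        break;
      }
      node = node[segment] ?? null;
    }
    if (node !== null && typeof node === "object" && !Array.isArray(node)) {
      delete node[last];
    }
  }
  return copy;
}

// Plain-text path the issue describes: the whole snapshot, password included.
function persistRootStoreUnsafe(storage: MemoryStorage, snapshot: Snapshot): void {
  storage.setItem(ROOT_STATE_STORAGE_KEY, JSON.stringify(snapshot));
}

// Hardened path: strip sensitive fields before anything is written.
function persistRootStore(storage: MemoryStorage, snapshot: Snapshot): void {
  storage.setItem(ROOT_STATE_STORAGE_KEY, JSON.stringify(redactSnapshot(snapshot)));
}

// Regression check for a test suite: does the persisted JSON contain a given
// key anywhere in its tree? Catches a refactor that reintroduces the secret.
function persistedContainsKey(storage: MemoryStorage, keyName: string): boolean {
  const raw = storage.getItem(ROOT_STATE_STORAGE_KEY);
  if (raw === null) return false;
  const walk = (value: Json): boolean => {
    if (value === null || typeof value !== "object") return false;
    if (Array.isArray(value)) return value.some(walk);
    const obj = value;
    return Object.keys(obj).some((k) => k === keyName || walk(obj[k]));
  };
  return walk(JSON.parse(raw) as Json);
}

// Restore: the missing password comes back as the model default "", so the
// rehydrated app lands on the login screen instead of a half-authenticated state.
function restoreRootStore(storage: MemoryStorage): Snapshot | null {
  const raw = storage.getItem(ROOT_STATE_STORAGE_KEY);
  if (raw === null) return null;
  const restored = JSON.parse(raw) as Snapshot;
  const auth = restored.authenticationStore;
  if (auth !== null && typeof auth === "object" && !Array.isArray(auth)) {
    auth.authPassword = auth.authPassword ?? "";
  }
  return restored;
}

// Constructed sample snapshot; the values are placeholders, not real credentials.
const sampleSnapshot: Snapshot = {
  authenticationStore: { authToken: "example-token", authPassword: "example-password" },
  someOtherStore: { count: 1 },
};
```

persistRootStore is the only call site that needs to change in a setup like the one in the issue; redactSnapshot is deliberately independent of the model so the same guard can wrap whichever persistence helper a project uses, and persistedContainsKey gives a one-line assertion for CI that the word "authPassword" never appears in what was written.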