Menu
I am looking at storing a user access token within a React Native application. Initially I have been looking at Redux but instead I noticed that RN has AsyncStorage, now I am assuming that this in the case of IOS is the equivalent of NSUserDefaults. I may be wrong.
Would this be a good way to store the access token? I don't really want to go through the process of using Redux if I can help it for simple data storage.
974
Option 1: Store your access token in localStorage : prone to XSS. Option 2: Store your access token in httpOnly cookie: prone to CSRF but can be mitigated, a bit better in terms of exposure to XSS. Option 3: Store your refresh token in httpOnly cookie: safe from CSRF, a bit better in terms of exposure to XSS.
According to official RN docs, AsyncStorage is an asynchronous and unencrypted key-value store. Because it is unencrypted, nothing persisted in AsyncStorage should be considered as secured.
There is no need to store it. You can validate it and get the data from it that you required. If your app needs to call APIs on behalf of the user, access tokens and (optionally) refresh tokens are needed. These can be stored server-side or in a session cookie.
Deprecated. Use one of the community packages instead. AsyncStorage is an unencrypted, asynchronous, persistent, key-value storage system that is global to the app. It should be used instead of LocalStorage.
AsyncStorage may not be the good solution, depend how your server handle your request.
However you can use Redux, and Redux-persist, using the transform parameter you can encrypt your data,
https://github.com/rt2zz/redux-persist#transforms
key encryption : https://github.com/maxdeviant/redux-persist-transform-encrypt
You will still use AsyncStorage, but this time with encryption layer, to protect your data
140
Redux is about data flow control. Not necessarily long term storage. If you want to persist redux data you will end up using AsyncStorage to do so.
AsyncStorage is sandboxed on non-jailbroken iOS devices. However, the data is not encrypted in any way.
A more secure solution for both platforms seems to be https://github.com/pradeep1991singh/react-native-secure-key-store
42
AsyncStorage is not safe for sensitive information. Read more here
In you use case, It will be better to use Firebase services to get token. When app starts , you can do something like
var auth = firebase.auth().onAuthStateChanged(function(user) {
if (user) {
user.getIdToken().then(function(data) {
console.log(data)
// Save it redux, or component state(in that case you need to do this in every component where token will be used
// Unsubscribe from listener
auth()
});
} else {
// User is not authenticated
// Unsubscribe from listener
auth()
}
});
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
