joshheinrichs
commented
8 years ago A common recommendation is to store the user's password hash locally, so you're essentially performing a local authentication process when the user tries to log in, comparing their submitted password to a md5 hash or whatever.
I suppose another issue that should be looked at is encrypting client side storage (whether we use localStorage or indexedDB), since if a phone is stolen, we don't want their purchases to be visible. This page covers some of the structure I was considering.
On the other hand, this site provides a decent argument for not implementing local encryption (search for "Securing offline data"). Encryption doesn't seem like it's 100% necessary, but is probably a good idea.
This might be a bit of a stretch goal, but if we attempt to add offline support, there are some unique problems that need investigation, namely:
I don't think syncing would be too hard, you'd just have to store some sort of queue of data to be sent to the server, and then send it once you reconnect. Offline login might be pretty complicated, I don't really know enough about the process to be sure though.