Closed nazrinharris closed 10 months ago
How would I manage user sessions locally? Since I am planning to have both local/remote accounts available, I believe that I should have two different session management systems. I wanted to use JWT for local session management (because when I introduce a new backend, I'd like to use JWT as well), but I'm unsure how to store the secrets.
As of now, I'm using JWT for local auth. The key for JWT signing is kept in `PecuniaSecrets`, but I don't really think it's a big issue, since it's local. Will probably use a more secure approach in the future.
Should be complete with 3a7a0a1 in #132
139 was merely meant to be a record of sorts. (Honestly might even remove if this is implemented correctly.) So I'm gonna need to implement a way for local user auth.
So I'll have the same interface for when the user registers, but they'll be able to toggle a button to choose whether they want to create a local account or remote account. Then, I'll store their uid (generated by uuidv4), email, username, and password in `flutter_secure_storage`. For their database, I'm using drift, so I'll create a new database like `pecunia_db_<uid>.db`. This'll contain their app data, but not the user data.

When storing user data / session tokens in iOS (and I presume macOS?), the data persists. See: https://dev.to/isurujn/beware-of-fluttersecurestorage-on-ios-m6e for a solution.
Managing secrets and api keys: https://ricardo-castellanos-herreros.medium.com/storing-your-secret-keys-in-flutter-751645623d6a#:~:text=The%20most%20recommended%20approach%20I,were%20loading%20any%20other%20asset.&text=That%20is%20the%20shortest%20way,convert%20%2C%20and%20have%20your%20keys.
A new question emerges: How would I handle it if the user forgets their password? There are a couple of ways to proceed:
Here's the gist of it:

- `PecuniaCrypto` class which handles the generation of salt and password hashing
- `registerWithEmailAndPassword()` and `loginWithEmailAndPassword` for `AuthLocalDS`
- `AuthSecuredStorageManager` to handle storing of user data
- `localLoginWithEmailAndPassword()` for local login for `AuthRepo`
- `AuthLocalSessionManager` with `getLoggedInUser` and `logout`, because as of now, I am hard-assuming that there would only be one active session.
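As an added example of the pieces listed in the comment above (salt generation and password hashing, register/login against the stored user record, and a session manager that assumes one active session), the block below puts them together in standard-library Python. It is not Pecunia's code and not Dart; the class names `LocalUser` and `LocalAuthStore`, the `pbkdf2_sha256$iterations$salt$digest` record format, and the sample credentials are assumptions for the example.

```python
"""Salted password hashing plus a one-active-session local store (added example)."""
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random salt per record; format: pbkdf2_sha256$iterations$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations_text, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:  # wrong field count, non-hex salt/digest, non-integer count
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


@dataclass
class LocalUser:
    uid: str  # uuid4, as in the comment above
    email: str
    username: str
    password_record: str  # never the password itself


@dataclass
class LocalAuthStore:
    """Stand-in for the secure-storage layer plus the single-session manager."""
    iterations: int = PBKDF2_ITERATIONS
    users: Dict[str, LocalUser] = field(default_factory=dict)  # keyed by email
    active_uid: Optional[str] = None  # at most one logged-in user at a time

    def __post_init__(self) -> None:
        # Used for unknown emails so a failed login costs one KDF run either way.
        self._dummy_record = hash_password(secrets.token_hex(8), self.iterations)

    def register(self, email: str, username: str, password: str) -> LocalUser:
        if email in self.users:
            raise ValueError("email already registered")
        record = hash_password(password, self.iterations)
        user = LocalUser(str(uuid.uuid4()), email, username, record)
        self.users[email] = user
        return user

    def login(self, email: str, password: str) -> Optional[LocalUser]:
        user = self.users.get(email)
        record = user.password_record if user is not None else self._dummy_record
        if not verify_password(password, record) or user is None:
            return None
        self.active_uid = user.uid  # single session: a new login replaces the old one
        return user

    def get_logged_in_user(self) -> Optional[LocalUser]:
        if self.active_uid is None:
            return None
        return next((u for u in self.users.values() if u.uid == self.active_uid), None)

    def logout(self) -> None:
        self.active_uid = None
```

The single-session assumption is what lets `active_uid` be one field rather than a table of sessions; moving to multiple sessions later means replacing that field, not the hashing. The stored record also answers the forgotten-password question from earlier in the thread in one direction: it cannot be reversed, so a recovery flow has to reset the password rather than reveal it.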