Anyone used epicshaggy / capacitor-native-biometric plugin and have been able to make it work. I have just been able to trigger the NativeBiometric.verifyIdentity( function and make it recognize my biometrics, but that's about it.
I've crawled the internet and haven't found a complete example of how to use it. To summarize, i just want to understand how can i use biometrics to login a user. How do i make my server uniquely identify a user and provides login token.
According to the CapacitorJs docs, and epicshaggy/capacitor-native-biometric, the correct way to work with user credentials is with the provided methods:
NativeBiometric.setCredentials()
NativeBiometric.getCredentials()
NativeBiometric.deleteCredentials()
These methods
Securely stores user's credentials in Keychain (iOS) or encypts them using Keystore (Android)
These methods are also only available on native devices, hence "method not implemented" when attempting to run in a browser, and must be behind Capacitor.isNativePlatform().
Providing an updated answer because this is still a top result when trying to implement biometrics with CapacitorJs
did you found any solution to this so far? I think your own problem is how to recognize a user? there is actually how I used to do this in react native. First of. you need to have some kind of extra "local storage key" that stored values or user credentials when they log in through the inputs. keep in mind that you are not clearing the "key" even if the user "log out" of the app. so in that case. before they could be able to use biometrics users need to sign in the proper way with the inputs so you could save their credentials like email or any unique values or whatever to use later.
Now, my problem is all the functions are not even working for me ah. it keeps saying "method not implemented"
Related
I found a previous question very similar to mine, however the other developper needed to write to Firebase and I don’t, hence this near duplicate question:
I have a very simple database with about 150 documents and the users don’t need to authenticate to use my app. Authentication just don’t make sense for what the app does and users only read the database, they don’t write.
My current rules are read allow only which of course triggers the Firebase rule warning daily.
1) Is there a way to set rules similar to “only requests coming from my app can access it”. Given that the app is linked to firebase one would think it’s possible?
2) If I must use authentification, is there a way that I can do this behind the scenes so that the user is unaware of that? Maybe by using a UUID to identify a user and no password or something like that. I want to avoid showing a log in screen at all cost. Think of it as asking to log in to check gas prices...
** This is an iOS app
No, it's not possible.
You can use anonymous authentication to create a user account without requiring a sign-in.
I'm building an app with Phonegap. It simply reads xml feeds to display latest articles uploaded by a school for parents to read.
There will be an option where each user of the app can decide whether they want to receive Push Notifications or not. I have a simple database table where the device's registration i.d. from Google Cloud Console is stored. When the user clicks "yes", the registration i.d. is generated and stored on the server. If they then click "no", it's deleted. I want to secure these call to the server with basic HTTP authentification.
Any documentation I have seen on basic authentification describes the sending of username and passwords. But with my application, there is no username or password as the users do not need to sign up. What do I send to authenticate the client? Would there be a key hard-coded on the client side and sent with each request? Couln't this be easily exposed by unpacking the .apk?
I object to the premise of the question. I actually see this as less a security issue and more a preferences issue. Understanding the distinction makes the development of your feature much easier.
Simply modify your application to allow the user to configure what he or she wants to see in the settings and then store the preferences wherever you want on the client (like local storage). The server can then push as before, but the app should simply refuse to render those pushes that the user doesn't want to see.
If you want to simply disseminate non-sensitive content to the users who want to see it, this is a preferences issue and/or a publish/subscribe issue. But it is not a security issue.
Since you have access to server side, you have the control of the whole process. So, in order to handle that, you may think about something like session cookies that a web server creates in case of normal authentication.
I have done something similar and what I've done is to generate a kind of token server side that is stored in the cookies of the device or the localStorage.
So the process flow should be something like this :
Generate a token and store it on the device (cookies or local storage).
For each request, send this value in a http header
From server side, you may identify the user from that token.
For example : you maintain a table that identifies device/token.
That's it
In addition to what the other answers said you can pass a custom useragent string as part of the requests, and validate it matches what you expect. It's not a sure way to 'secure' requests, but along with a (simple) token system and HTTPS this could be enough for your needs.
I'm trying to implement SSO using Atlassian Crowd, and there's a surprising lack of good documentation or even examples out there.
So far, I authenticate a user using CrowdClient.authenticateSSOUser, and get back a SSO Token (String) if successful. Then, I take this token and stuff it in the cookies myself (via HttpServletResponse). On subsequent page visits, I grab all the cookies, search for this one, and then call the CrowdClient.validateSSOAuthentication method on it.
My question is this: Am I supposed to be using more Crowd code for SSO? I seem to be doing more manually than I'd expect.
...I DO see hints of other possibilities out there... For example:
In crowd.properties, you can specify a crowd.token_key, which is apparently what name the app should use store the token in a cookie (though setting this value doesn't magically make that happen).
Things like the CrowdHttpTokenHelper exist in the latest version - yet seem to have no easily-found related examples (or documentation other than JavaDoc).
Yes, there are possibilities out there that will hopefully help or at least serve as reference.
For a readily available implementation, you might want to look into Integrating Crowd with Spring Security.
If you need finer control, use a CrowdHttpAuthenticator. It will allow you to authenticate a request with a username and password as well as check if a session has an existing session cookie. (Its concrete implementation will accept properties and uses crowd.token_key.)
CrowdClient is available if these don't fit your needs, but it's not the only option.
On my iPhone Facebook app I think I've only logged into it once.
On my Mint financial app, I've logged in once. whenever I load it back up, I give a four digit PIN number which was setup in the app, and I never have to log in again.
I'm building an application right now where this type of behavior would be highly beneficial.
Do they just set an auth cookie of some sort and just set it to expire way into the future? Or is there another way of handling this?
Thanks!
You can use the iOS KeyChain to securely store credentials as well. This can be simplified by using this code found on github ( https://github.com/ldandersen/scifihifi-iphone/tree/master/security/ ) , with some basic instructions found at http://gorgando.com/blog/tag/sfhfkeychainutils
That depends on the context of your application. If you authenticate against another API, the supplier of the API usually provides you with some sort of authentication key which might expire after a certain time. You would store this key in your application once the user performs the authentication step and reuse it for every request.
Basically, the data you have to store and the time before your user has to re-authenticate (if ever) depends on the supplier of the API you're using.
I can't speak for Facebook or Mint, but the simplest approach is to use a cookie / token and store it in NSUserDefaults.
When the application is launched, see if token is still valid. If not valid, force the user to sign in again.
I am taking a stab in the dark here, but:
I am assuming the login information is encrypted and then stored on the device somewhere. Upon creating a new instance of the app this data is sent to the site for all of the oauth/login/etc stuff. Once this is done the Facebook app stays on until: 1) the device is turned off, or 2) you manually quit the application.
Maybe this will start to help you, but I am sure better answers will come.
I'm building an iOS app which will communicate with a set of .NET WebServices. I'm trying to find a way to ensure on the WS side that the calls being sent actually came from the iOS app.
There is, of course, a "login" method which requires a username/password combination. I would like to add a "security token" to this method, which I can use to validate that the request is coming from the iOS app.
Since this is a parameter to the login method, is must be something known by the app and the web service BEFORE a valid login occurs. Additionally, it should be something which is impossible (difficult?) for another application to fake.
Are their any best practices / standard methods for this sort of exchange? Am I even thinking about the problem in the correct way?
Thanks in advance!
Take a look at the oAuth specification (used by Twitter) it requires that a user is verified first, during the process a series of tokens are exchanged, and then the token is used to sign the data during subsequent data exchanges.
It works on the principals of public/private matched keys, so you have one key that is always kept a secret.