How am I supposed to save something like auth cred...
# multiplatform
m
How am I supposed to save something like auth credentials or JWT tokens in a kmm app?
p
Define an expect class and actual implementations per platform that you support which allow you to securely save credentials. Would suggest using https://developer.android.com/jetpack/androidx/releases/security for Android and the keychain on iOS (various decent libraries out there) to actually save something like a JWT to disk.
k
The multiplatform-settings library has support for encrypted settings: https://github.com/russhwolf/multiplatform-settings
It uses keychain on iOS; on Android you pass in encrypted shared prefs.
m
So I should store JWT also in sharedprefs or keychain?
And how do I handle something like JWT expiration? Should I just put the validate request into a use case and pass it down to every viewmodel which needs this authentication, and if the JWT is no longer valid, just navigate to the splash screen which does the login from sharedprefs/keychain?
k
Makes sense to store tokens in encrypted prefs and keychain to me.
Expiration and token refreshing are a bit orthogonal to the storage problem.
One thing you can do is abstract token refreshing behind your service/network client implementation.
Ktor Client provides a neat Bearer authentication & authorization plugin: https://ktor.io/docs/bearer-client.html#configure
Have your HTTP client handle setting up that plugin and calling the logic for reading the access token, refreshing it, and storing it if needed.
And if refresh token is expired, then yeah you would redo login - maybe have your auth plugin return an error and let caller handle it, navigate to the login
m
The problem is that the API I have to use has a very weird auth system. In fact, I don't think it's a JWT at all. It's called JSESSIONID and has to be set via the cookie header.
So I can kind of add this logic to the HTTP client directly, so it checks every time if the token is valid?
I tried storing with the KMM settings repo @Patrick Cavanagh sent here, but it does not seem like it's storing the credentials encrypted, though. Do I have to use a special implementation for it? The readme does not say anything about it.
p
I've never used that Multiplatform settings library. Are you passing it an instance of encrypted shared preferences on Android as @Kirill Zhukov suggested?