
I have an application with a username and password, so the user logs in to the app. Some (less important) functionality is still a web page.

But to be user friendly, it is annoying for the user to log in again after already logging in.

I am looking at SFSafariViewController and it looks promising, but I am trying to set the Authorization header when calling the URL. I already know the user token, but it needs to be set as an Authorization header.

So the flow would be:

User logs in inside App -> get token -> set this token as Authorization header -> call my web app URL

Is this possible with this controller?

Marko Zadravec
  • @Jeff, is the site you are browsing controlled by you or not? If yes, then you should just be able to do this using cookies. SFSafariViewController will share cookies with Safari. Also see if this helps in any way: https://github.com/MrCaiWH/HHDemo/blob/825a378d03c4f89e208e128a71d4bf5060747e87/HHDemo/HHDemo/Classes/Modules/Encoded/Controller/HHEncodedVC.m – Tarun Lalwani Apr 23 '18 at 16:13
  • Hi @TarunLalwani (@Jeff didn't post the question :D ). Yes, the site is under my control, and yes, I could do it with cookies. But, as I remember, you can't set your own cookie with code in SFSafariViewController. I know that it could share the cookie store with Safari, but I don't want to log in with Safari first, but inside my application... – Marko Zadravec Apr 23 '18 at 18:33
  • You can navigate to a URL in SFSafariViewController which sets the cookies itself? And since you control the site, creating such a URL should still be possible? – Tarun Lalwani Apr 23 '18 at 18:35
  • So if I understand correctly, you suggest that I create a new endpoint on the web site, where you put the username and password inside the URL and, if correct, set the cookies. On button tap I first open this endpoint and then the original one when the cookie is set? How would I know when I need to call the original site? Do you have any example of calling one site after another... – Marko Zadravec Apr 23 '18 at 19:15
  • So you will redirect to the first URL itself, which should check if the cookie is set; if not, it redirects to login, where the user logs in, and after successful login you redirect back to the first URL, which now works. Next time when you come, Safari will have your cookies stored, so the login page will not be shown as long as the cookie is valid. And in case you need to set the token in headers, you will use `axios` middleware to automatically add auth headers to the request. So eventually it can all be handled with the web itself. Any information you need to communicate from your app can go to a special URL as query params. – Tarun Lalwani Apr 23 '18 at 19:26
  • Please read my question again: "But to be user friendly, it is annoying for the user to log in again after already logging in." The first login is inside the application and not the web page. So the user logs in inside my application, and then some of them would like to open the web page. It is impractical to log in again inside the web page... this is the whole point of the question... – Marko Zadravec Apr 23 '18 at 19:31
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/169618/discussion-between-tarun-lalwani-and-marko-zadravec). – Tarun Lalwani Apr 23 '18 at 19:31

1 Answer

As discussed, this is what you should do.

When you log in from the app you receive a token. Next you should create an extra endpoint for login, say loginWithToken. The format of the same could be something like

https://example.com/loginWithToken?token=xyz&returnURL=def

From your app you will navigate to this URL and then it would do the same thing a login page would have done. Store this token either in cookies or localStorage. Once done, the page should redirect to the returnURL.

This way the app will work without any re-login required from the SFSafariViewController.

Tarun Lalwani
  • Is there any possible security issue with the token passed on the URL? I guess not, but it's good to get more opinions. – Leonardo Nov 23 '18 at 11:49
  • I don't think this should have a security issue. I have seen this approach in a few places. – Tarun Lalwani Nov 24 '18 at 13:45
  • This is absolutely a security issue. The user may tap the Share button before the page loads, and unwittingly share the URL (with their token included) on social media. – Jason Feb 14 '19 at 13:51
  • @jason, you can use JWT to time out the token. And that time can be as short as you want. – Tarun Lalwani Feb 15 '19 at 14:32
  • Correct, and that's a mitigation of someone logging in as another user. However, the JWT may have other PII encoded, such as a name or email. You must be very careful with this approach. – Jason Feb 15 '19 at 19:53