wolfiton

wolfiton

Can JSON WEB Tokens be used safelly for a long period of time when offline?

Hi everyone,

Can JSON WEB Tokens be used safely for a long period of time when offline?

What are the best practices regarding PWA with offline support?

What libraries would you recommend for offline data storage and sync when online?

Thanks in advance

Most Liked

LostKobrakai

LostKobrakai

But why do you even need the JWT token when offline? Just let it expire and the next time the client is online refresh it.

LostKobrakai

LostKobrakai

Granted this is going off-topic, but the fact that there’s a technical requirement for IPs (or any kind of data affected) doesn’t make the gdpr rules less needed and useful. Me visiting a website does implicitly give the owner the right to use the IP to handle the request. It doesn’t automatically give them the right to store my IP at hearts desire.

Privacy is not about preventing use of certain data, but about guarding its use to reasonable lengths and also to ensure the subject of the data is informed about the usage and can take educated actions.

Point being: One needs to make conscious decisions about which data to handle/store, document those and inform any affected people about those decisions. You can still data-mine the hell out of your users if you inform them upfront and – depending on your justifications and further laws – asked for concent beforehand.

LostKobrakai

LostKobrakai

When talking about (offline) PWAs you’ll need to accept that once data hits the client you loose a certain amount of control.

In general all the data stored on the computer of someone else can be accessed by anyone with access to that computer, unless you encrypt it, but don’t hand out the key for the encryption.

JWT in the context of webapps usually means that it gives access to resources you hold (on a server) and by setting a small ttl for the validity you lessen the risk of malicious access if the JWT gets into someones hands it shouldn’t have been.

Applying that to a PWA you can see that the addition of “while offline” essentially makes that discussion obsolete. When offline there’s no connection to resources a JWT could control access to anyways.

Everything you send the client is by definition no longer securable by a token you generate. Once offline the only way to prevent access to data stored on the client-side is by having a secret known to the user (e.g. password), by which data would be encrypted.

But you’ll need to ask yourself how much you need to protect users with access to the PWA from accessing data stored by the PWA. Most often the data stored on the device for offline usage is already content of the user itself, so no access control or a password to “unlock” might actually be enough. You don’t stay logged in social media as well if it’s not your own device you physically control access to.

If the content stored on the PWA is subject to access-control demands of a third parts it get’s tricky. If the third party comes to you and tells you to revoke access to a certain piece of data your hands are tied if the device you put the data on is offline. If the client can read the data once it can read it for as long as your app doesn’t delete the data.

This was about read access. If you’re talking about write access you’ll have the same problem. You can make it difficult, but you cannot prevent write access for a fully client side app. Your only option is to assert write access again, if changes are moved to a computer you control (a.k.a. your server).

The degree by how much you make it difficult to do something you don’t want to happen on the client depends on how much need there is to mitigate the risk of misuse.

Where Next?

Popular in Questions Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
vac
Hi, I’m quite new in Elixir and I’m trying to format a string to a PEM format. I have the certificate value like MIIDBTCCAe2...... and I...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

Other popular topics Top

mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43757 214
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

We're in Beta

About us Mission Statement