wolfiton
Can JSON WEB Tokens be used safelly for a long period of time when offline?
Hi everyone,
Can JSON WEB Tokens be used safely for a long period of time when offline?
What are the best practices regarding PWA with offline support?
What libraries would you recommend for offline data storage and sync when online?
Thanks in advance
Most Liked
LostKobrakai
But why do you even need the JWT token when offline? Just let it expire and the next time the client is online refresh it.
LostKobrakai
Granted this is going off-topic, but the fact that there’s a technical requirement for IPs (or any kind of data affected) doesn’t make the gdpr rules less needed and useful. Me visiting a website does implicitly give the owner the right to use the IP to handle the request. It doesn’t automatically give them the right to store my IP at hearts desire.
Privacy is not about preventing use of certain data, but about guarding its use to reasonable lengths and also to ensure the subject of the data is informed about the usage and can take educated actions.
Point being: One needs to make conscious decisions about which data to handle/store, document those and inform any affected people about those decisions. You can still data-mine the hell out of your users if you inform them upfront and – depending on your justifications and further laws – asked for concent beforehand.
LostKobrakai
When talking about (offline) PWAs you’ll need to accept that once data hits the client you loose a certain amount of control.
In general all the data stored on the computer of someone else can be accessed by anyone with access to that computer, unless you encrypt it, but don’t hand out the key for the encryption.
JWT in the context of webapps usually means that it gives access to resources you hold (on a server) and by setting a small ttl for the validity you lessen the risk of malicious access if the JWT gets into someones hands it shouldn’t have been.
Applying that to a PWA you can see that the addition of “while offline” essentially makes that discussion obsolete. When offline there’s no connection to resources a JWT could control access to anyways.
Everything you send the client is by definition no longer securable by a token you generate. Once offline the only way to prevent access to data stored on the client-side is by having a secret known to the user (e.g. password), by which data would be encrypted.
But you’ll need to ask yourself how much you need to protect users with access to the PWA from accessing data stored by the PWA. Most often the data stored on the device for offline usage is already content of the user itself, so no access control or a password to “unlock” might actually be enough. You don’t stay logged in social media as well if it’s not your own device you physically control access to.
If the content stored on the PWA is subject to access-control demands of a third parts it get’s tricky. If the third party comes to you and tells you to revoke access to a certain piece of data your hands are tied if the device you put the data on is offline. If the client can read the data once it can read it for as long as your app doesn’t delete the data.
This was about read access. If you’re talking about write access you’ll have the same problem. You can make it difficult, but you cannot prevent write access for a fully client side app. Your only option is to assert write access again, if changes are moved to a computer you control (a.k.a. your server).
The degree by how much you make it difficult to do something you don’t want to happen on the client depends on how much need there is to mitigate the risk of misuse.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









