I have an iOS app using Swift that uses Core Data to store user data on thousands of objects. I also have FB Auth working. My question is, how do I make it so that the user data would persist even when they switch phones and log in using FB on a separate phone? It doesn't seem that FB will offer me such data persistence. I'm looking at making a server on Heroku with Vapor. Then I could use the user's e-mail as a way to identify the user... but it doesn't seem secure?
Any suggestions on easiest solution?
Checkout Firebase... Instead of using e-mail to authenticate users, you should deal with tokens. Firebase will provide you a great data flow in easiest manner.
Related
Stange question, I'm looking to create an app for the company I currently work for which will hold all passwords for the software and platforms we use. I would like to be able to create some kind of login or authentication without connecting to the internet or using a post to HTTP.
Is this kind of thing possible? Even if I was to keep it to one username and password across the board. Or is it going to be better to only distribute to people that I know?
The only reason I want to do this is so that when downloaded from the App Store it would be only engineers that could login.
Thanks in advance!
For this you can add json file that contain all the data of the users for initial state and for user registration you can use core data. But you want to syncing with registered data and json file you need to fire silent api call to server.
I’m new in iOS development and I want to create an application that a user needs to login to do payments and other actions that involves sensitive information, thus I want to know the best practices for storing user login credentials on data base. I know that when you use “Stripe” to do payments no credit card data is stored on your data base or app. But I have a doubt in storing other sensitive data such as passwords, directions and other info. I’ve looked in the internet for the best practices of storing this kind of information and came to the conclusion that I need to apply the following:
• Encrypting passwords in the Data Base
• Use Keychain
• Use HTTPS
I’m I in the correct path? Is there a standard way of doing this?
Google for something like 'salting password hashing'
Regarding Stripe, it should be okay to store the last4 digits of the credit card (but even this can be extracted from Stripe, using the customer-id or charge-id).
My goal is to prevent users of multiple login in. I do not want this to be client-side, with like the onDisconnect and onConnect values, but with a server check. I came across this answer:
How to prevent simultaneous logins of the same user with Firebase?
Which tells me to create a custom auth system. When I am following the docs (https://firebase.google.com/docs/auth/ios/custom-auth) I need to "Copy this file to your authentication server" (3c). How would I do this? I am just using Firebase and my little iOS app. I would like to manage everything on these 2 things, no server in between, is this possible? Or can this file only be uploaded through another server?
If above things are not possible, how can I server check if the user really signed in? I am using Cloud Functions, but I did not came across a trigger for a user signing in. Please no answers with onDisconnect/onConnect, I want it server side. A user may NOT login if he is already logged in. Thanks :)
Implementing custom authentication requires that you have a secure place to mint the custom token that identifies each of your users. You cannot do this securely with only client-side code, because that would mean everyone could claim to be whoever they want.
While you can use Cloud Functions for Firebase to implement a secure back-end without spinning up your own server, I highly recommend against doing that just for the purpose of preventing a user to sign in from multiple locations.
It's important when talking about security to split these two steps:
Authentication - a user proving to be who they are
Authorization - the authenticated user being able to use your app
There very seldom is a reason to keep a user from proving who they are. Your concern seems to fall onto keeping them from using the app from multiple locations. To do that, it's probably easier to track for each user where they are using the app from already using Firebase Database's presence system.
Also see:
How to handle multiple connections of the same user on Firebase?
Android - How to detect same user from multiple devices?
How to prevent same user logging in from different devices ? My app is paid , so I dont want credentials to be shared
I'm building an iOS (Swift) app that needs realtime chat as part of the functionality. While Parse works well for push, data storage, etc..., it doesn't support realtime. I would like to use Firebase for the realtime support, but need help authenticating to Firebase using a Parse user. I really don't know where to start with this. Any help would be greatly appreciated.
The question is pretty vague so a definitive answer is not possible: here's a thought.
Firebase and Parse are two different companies and therefore require separate authentications.
If your users have a username/password type authentication in Parse, you could use the same data in Firebase and authenticate through code. i.e. User creates a new account in Parse, and an account is created in Firebase via code. When the user authenticates to Parse, it also authenticates to Firebase via code.
There are a LOT of design elements to consider in going this route: how do you create a firebase user (in code) without your app authenticating itself as a 'super' user? Hard code credentials? That may be a security issue.
Are you going to keep two sets of user data? One in Parse and one in Firebase? What if a user needs to reset their password or account. As you can see, it can get out of control rather quickly.
You may want to consider sticking with one platform to simplify the entire process. By the sound of at least one of the requirements, Firebase can do much of what Parse can do but also give the real-time updates you need.
I'm working on an iPhone app that is logging into a webservice and it's been asked of me to get the account login management into the settings page (i.e. next to Twitter, Facebook and Vimeo). From what I've been reading about the accounts framework, it appears that only those few companies have that ability.
I currently have it set up and working asking for login info periodically and polling the webservice for validation, but we're trying to move toward supporting moderately offline use, which means we need to have some sort of account info managed on the phone itself.
Can I use the built-in account framework for our own login credentials or is that not something that's available to a regular dev and I'll have to look for another way to do it on my own? Is that something that the keychain would be better for?
Using the keychain to securely store the users credentials is a good idea to start.
If I am understanding your question about a "built-in account framework", I don't believe there is a local framework for account management on the device itself that I am aware of that would be useful in this circumstance.
I've had to build an app that needed to authenticate to a web service that also needed to have some offline access. I ended up recording the validated authentication date and time in the NSUserDefaults and would let the user use the app for a 48 hours period before they had to re-authenticate. Their data was queued locally and when they had online access again, I would re-authenticate and then sync the data. Not the most elegant solution but it fit the project.
I used AFNetworking (http://afnetworking.com) to track the changes in network access and used to blocks to respond to the changes.