Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keychain is NOT being used to store user Access Token - BUG #26

Open
Supertecnoboff opened this issue Mar 14, 2017 · 0 comments
Open

Keychain is NOT being used to store user Access Token - BUG #26

Supertecnoboff opened this issue Mar 14, 2017 · 0 comments

Comments

@Supertecnoboff
Copy link

Supertecnoboff commented Mar 14, 2017
edited
Loading

While I was looking into the [VLSessionManager loggedIn] (#25) issue, I found out that the VLSessionManager class, uses NSUserDefaults in order to save/use the user's OAuth 2.0 access token.

The following code saves the access token to the user defaults:

+ (void) vlLoginViewController:(VLLoginViewController *)loginController didLoginWithSession:(VLSession *)session {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    [defaults setObject:session.accessToken forKey:VLSessionManagerCachedAccessTokenKey];
    [defaults synchronize];
    navigationController = nil;
    authCompletionBlock(session, nil);
}

And the below code checks if an access token is available:

+ (VLSession *) currentSession {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    NSString *accessToken = [defaults stringForKey:VLSessionManagerCachedAccessTokenKey];
    return (accessToken == nil) ? nil : [[VLSession alloc] initWithAccessToken:accessToken];
}

Issues

  1. Obviously this is not a secure solution, you should be using Apple's built in iOS keychain, in order to safely store the access token. (Keychain takes care of the encryption for you. There are plenty of easy to use wrapper classes online, that can be used to implement keychain into Vinli).

  2. The second problem is in relation to issue [VLSessionManager loggedIn] does NOT work #25, if the user revokes app access, the + (VLSession *) currentSession method, will still return a non null object. Thus the if statement check if ([VLSessionManager loggedIn]), thinks the user is logged in even though they aren't. Therefore the + (VLSession *) currentSession method needs to perform an online check, to see if the user has revoked access (if an access token is available locally). Check out the below example:

+ (VLSession *) currentSession {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    NSString *accessToken = [defaults stringForKey:VLSessionManagerCachedAccessTokenKey];
    
    if (accessToken == nil) {
        return nil;
    } else {
        
        [self checkAppAccountAccess:^(BOOL access) {
            
            if (access) {
                return [[VLSession alloc] initWithAccessToken:accessToken];
            } else {
                return nil;
            }
        }];
    }
}

The checkAppAccountAccess method will perform a simple POST request to the Vinli API, to find out if the user has revoked access.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Supertecnoboff