How to handle anonymous user's expired token

Time: 10-24

I want to allow users of my app to sign in anonymously (that will create an account for them with a randomly generated email & password), and if and when they'll want to create a permanent account, they will be able to simply bind an email & password.

I work with tokens, access and refresh, which means the regular tokens flow is the same for both anonymous and authenticated users.

The problem with anonymous users is: what if a user hasn't logged in to the app for a long time (longer than the refresh token's lifetime), which means that the refresh token is now expired and invalid?

How could I handle such a case? I couldn't ask them to reauthenticate as usual because they don't know their credentials, and I can't risk losing the user's data.

The only thing I could think of is to try and save their credentials securely with encryption using local preferences such as DataStore/SharedPreferences combined with KeyStore, and when such a case does happen, I'll simply re-login them. But I'm not sure if that's good enough.

Any suggestions are much appreciated!

CodePudding user response:

It seems like the thing you want to implement is ignoring the JWT token's exp field. Omitting it or setting it to a value which is years after iat would solve the issue.

But this means you'll have to tune the token acquiring mechanism, and it won't be identical for anonymous and signed-up users.

Edit

A refresh token is not valid forever in any case. You should validate it with a secret (a randomly generated string that is unique for every user in the database). This secret must be regenerated on every password change (via the app or the forgot-password flow) and on every "Log off from all devices" action. It is used for every access token acquisition.

As for anonymous auth - it is not what is considered a standard approach when working with JWT tokens. You should not treat these users the same as authenticated ones and should restrict their access to app contents. Usually you would keep as much info as possible on the client rather than storing it on the server.

What I wanted to say is that you just cannot make your anonymous users as secure as authenticated ones, as you omit one (and the most important) level of protection by not asking for an email and password.

Having access to a refresh token is almost the same as having access to the user's password. When the password changes, the refresh token does too. The only difference is that a refresh token has an expiration date. As the password is not stored anywhere on the device and only the user knows it, it actually adds an additional layer of security - an attacker won't be able to re-login as he does not know the password.

The thing is that you want to store credentials on the device. This is identical to storing a refresh token with no expiration, as an attacker would be able to read the credentials from the storage and re-login forever. That's the point.

You should look at "How to securely store access token and secret in Android?" for some info on storing tokens.

In sum, I would never bother about the security of anonymous users and would design the system keeping that in mind.
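As an added illustration of the per-user refresh secret the answer describes (this is example code written for this page, not code from the post or from any library), here is a minimal HMAC-signed refresh token in Python: the in-memory user store, the token format and the rotation helper are all assumptions, and the point is that rotating the secret on a password change or a "log off from all devices" action silently revokes every outstanding refresh token.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed in-memory user store: user_id -> per-user refresh secret.
USERS = {}

def create_user(user_id):
    """Register a user with a fresh random secret (hypothetical store)."""
    USERS[user_id] = secrets.token_hex(32)

def rotate_secret(user_id):
    """Call on password change or 'log off from all devices':
    every refresh token signed with the old secret stops validating."""
    USERS[user_id] = secrets.token_hex(32)

def _sign(secret, body):
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def issue_refresh_token(user_id, ttl_seconds, now):
    """Token = base64url(JSON claims) + '.' + HMAC-SHA256(user secret, claims).
    `now` is unix seconds (pass int(time.time()) in real use)."""
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(USERS[user_id], body)

def validate_refresh_token(token, now):
    """Return the user id if the token is unexpired and signed with the
    user's *current* secret, else None (so rotation revokes old tokens)."""
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    secret = USERS.get(claims.get("sub"))
    if secret is None or now >= claims.get("exp", 0):
        return None
    # Constant-time compare so the signature check does not leak timing.
    if not hmac.compare_digest(sig, _sign(secret, body.encode())):
        return None
    return claims["sub"]
```

A real deployment would keep the secret in the user record (never on the device) and still require a fresh login once the refresh token itself has expired, which is exactly the gap the answer says anonymous accounts cannot close.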
