Android
Anton, 2022-01-22 13:38:15

How to properly implement authorization on Android and backend?

I am making an application with the option of logging in via VK.
Could someone describe the process or correct mine? There are a few points that are not entirely clear to me.
At the moment, the login scheme is as follows:
1. The user in the application presses "Login using VK"
2. After that, he confirms the login.
3. Next, using the VK SDK library in the application, we collect data (accessToken, expiresIn, userId, email, state).
4. Send a backend POST request with data (accessToken, userId, email)
5. Using the received accessToken, on the backend we try to get the user's VK profile (using the VK SDK) to make sure the token is valid. If the token is valid, we create a user in the database or check whether the user already exists by the userId received from the VK profile. If the token is invalid, the backend throws some kind of 401 error.

But what to do next is not entirely clear. There are user and user_token tables in the backend database.
The table schema is as follows:
user: id, email
user_token: id, user_id (connection to the id column from the user table), accessToken, refreshToken, created_at, expires_in_access_token, expires_in_refresh_token.

We create accessToken and refreshToken for the user.
We determine the lifetime of the token:
the fields expires_in_access_token and expires_in_refresh_token are timestamp, and have a lifetime of 1 and 30 days, respectively.

Next, the backend should return a response in json format (accessToken, refreshToken, expiresInAccessToken, expiresInRefreshToken).

We save all this data in the application. Let's say sharedPrefs or Room.

If the API handle on the server requires a token, then we take it from the application and send it in the request along with headers.

Backend checks the token in the database and either responds successfully (200 OK) and returns the user content, or throws an error that the token is not valid or its lifetime has expired?

The application should then handle the error, if any:
1. If the token is invalid, do we clear the access token and refresh token in the application and send the user to log in via VK again from the very beginning?
2. If the access token has expired, send a POST request with the refresh token to the backend and check that it is valid and that the refreshToken has not yet expired. If the refreshToken has expired, the backend should return an error about this and send the user to log in via VK again.

If refreshToken is alive, do we generate a new pair of accessToken and refreshToken, having previously erased the old entry in the database? And then we return json to the user with new data (accessToken, refreshToken), save them in the application.

Is the described user login process correct, or did something go wrong somewhere and should be done differently?
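A minimal backend-side model of the token lifecycle described above, written as an added example that is not part of the original post or of the VK SDK: tokens are stored only as hashes, the access token lives 1 day and the refresh token 30 days, a refresh always erases the old row, and a stale or unknown refresh token sends the app back to the VK login. The names `TokenStore`, `login_with_vk` and the `vk_profile_for` callable are my own; the callable stands in for the VK SDK profile call from step 5.

```python
import hashlib, secrets, time
from collections import namedtuple

ACCESS_TTL = 24 * 3600          # expires_in_access_token: 1 day
REFRESH_TTL = 30 * 24 * 3600    # expires_in_refresh_token: 30 days

def _digest(token):  # only hashes go into user_token, so a leaked table yields no usable tokens
    return hashlib.sha256(token.encode()).hexdigest()

# one row of the user_token table from the question (timestamps as epoch seconds)
TokenRow = namedtuple("TokenRow", "user_id access_hash refresh_hash access_exp refresh_exp")

class TokenStore:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self.rows = []

    def issue(self, user_id):
        # fresh pair; the dict is the JSON the backend returns to the app
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        t = self.now()
        self.rows.append(TokenRow(user_id, _digest(access), _digest(refresh),
                                  t + ACCESS_TTL, t + REFRESH_TTL))
        return {"accessToken": access, "refreshToken": refresh,
                "expiresInAccessToken": t + ACCESS_TTL, "expiresInRefreshToken": t + REFRESH_TTL}

    def check_access(self, access):
        # protected API handle: ("ok", user_id), ("expired", None) or ("invalid", None)
        h = _digest(access)
        for row in self.rows:
            if row.access_hash == h:
                return ("ok", row.user_id) if row.access_exp > self.now() else ("expired", None)
        return ("invalid", None)

    def refresh(self, refresh):
        # rotate: the old row is erased even if the token is stale, so each refresh token works once
        h = _digest(refresh)
        row = next((r for r in self.rows if r.refresh_hash == h), None)
        if row is None:
            return None              # unknown token: the app must log in via VK again
        self.rows.remove(row)
        return self.issue(row.user_id) if row.refresh_exp > self.now() else None

def login_with_vk(store, vk_profile_for, vk_access_token, users):
    # step 5: vk_profile_for is a hypothetical stand-in for the VK SDK profile call and
    # returns the VK userId for a valid token or None; users maps VK userId -> user.id
    vk_user_id = vk_profile_for(vk_access_token)
    if vk_user_id is None:
        return None                  # backend answers 401
    return store.issue(users.setdefault(vk_user_id, len(users) + 1))
```

The app keeps the returned pair, treats `("invalid", None)` as "clear both tokens and log in via VK again", and treats `("expired", None)` as "call refresh first".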

1 answer
Alexander Prokhorovich, 2022-01-23
@alexgp13

Everything seems to be right) Do it, test it.
