Should I check user auth ( user name , password, device token) in webservice every time when my mobile application is launch?

Question

Should I check user auth ( user name , password, device token) in webservice every time when my mobile application is launch?

I currently developing an ios application that will need user to login with their username and password ( for the first time of application launch). After that user information will save in app local data and user no need to key in username and password again.

My idea is to check if the user is still active-user by calling the web service whenever the application is launch.

My question is , is that necessary to check whenever the app is launch .?

And is there any design pattern to control the user auth for ios app.?

Answer 1

1. Generally, you should not store username and password locally, but if you MUST, then store it in iOS keychain and not in local app db. (If you are not familiar with keychain follow this tutorial)

2. To be able to 'not' save username and password in the app, you need to implement an authentication mechanism (like OAuth 2 : check this tutorial) which handles authentication via web view and needs client to only use the authorized token.

3. To refresh the token, you need a 'refresh token' api which can check if the token is valid and if expired you can prompt user to enter credentials or use the ones store in keychain to refresh the token automatically.

Note : you can find many more such tutorials on https://www.raywenderlich.com and elsewhere if you just google it.

Note 2 : Although OAuth 2 is more centered around giving access to 'third party', it is a good enough model for normal authentication mechanism. Please spare all the hate in comments for suggesting OAuth 2 for normal authentication.