#Using SecureStorage for API Token - where to authenticate on revisit?


celest summit

Hey all, loving this so far. Very close to submitting to app store. I have a question that may make me seem like an idiot:

I'm authenticating to a Laravel backend with Sanctum and getting an API token. Currently I was storing that token in the session in NativePHP; however, I realize this is causing the user to get logged out (presumably when the local mobile session dies?).

Seems like I should instead store this token in SecureStorage, and then fetch this token when they visit the app and log them in again with it?

Setting to storage and retrieving from storage makes sense... but I'm too stupid to figure out where I need to add the ability to read from storage and authenticate the user again...

kind creek

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Native\Mobile\Facades\SecureStorage;
use Symfony\Component\HttpFoundation\Response;

class HasSecureToken
{
    /**
     * Handle an incoming request.
     *
     * Lets the request through only when a token is present in SecureStorage;
     * otherwise sends the user back to the home route.
     *
     * @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        // No stored token: the user has never logged in (or has logged out).
        if (blank(SecureStorage::get('token'))) {
            return redirect()->route('home');
        }

        return $next($request);
    }
}


We have this middleware in the kitchen sink; use it to protect routes.

celest summit

Ah, interesting. Do you not even use the auth middleware/checks then? Just store the token, and then if they have one they are logged in? And on logout wipe the token?

violet linden
In reply to celest summit: ah interesting. do you not even use the auth middleware/checks then? just store ...

It depends on where the verification takes place. Most of the time, you are running some sort of Laravel server that provides your app with a Sanctum token. You can use that token to verify yourself and retrieve data from your server app. You can store the token as Shane has shown in the example above.
Every time you reload your app, retrieve the token and send it to your server. Currently, I am using local storage for token storage. One thing that comes to mind—though I’m not entirely sure—is perhaps Shane can clarify this: using local storage to store a Sanctum token is wiped when the app is reinstalled or updated.
How does this work with secure storage? Since it uses iCloud Keychain, is the token persistent, and if so, until when?
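The step described in this thread (on every app start, read the stored token, send it to the server, and treat the user as logged in only if the server accepts it) as one middleware, written here as an added example rather than code from the thread or from NativePHP's kitchen sink. It assumes `SecureStorage::set()`/`delete()` exist alongside the `get()` used above, a backend base URL in `config('services.backend.url')`, Sanctum's default `GET /api/user` endpoint, and a named `login` route; all of those are assumptions, not taken from the thread.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\GenericUser;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Http;
use Native\Mobile\Facades\SecureStorage;
use Symfony\Component\HttpFoundation\Response;

// Added example middleware; not NativePHP's kitchen-sink HasSecureToken.
class AuthenticateFromSecureToken
{
    public const TOKEN_KEY = 'token';

    public function handle(Request $request, Closure $next): Response
    {
        $token = SecureStorage::get(self::TOKEN_KEY);

        // No stored token: never logged in, or logged out. Send to the login screen.
        if (blank($token)) {
            return redirect()->route('login'); // assumed route name
        }

        // Do not treat "a token exists" as "authenticated": a revoked or expired
        // Sanctum token is only detectable server-side, so verify it on each visit.
        $response = Http::withToken($token)
            ->acceptJson()
            ->timeout(10)
            ->get(config('services.backend.url').'/api/user'); // assumed config key

        if ($response->unauthorized()) {
            // Server rejected the token (revoked, expired, user deleted): wipe it so
            // the next visit goes straight to login instead of looping here.
            SecureStorage::delete(self::TOKEN_KEY); // assumed method
            return redirect()->route('login');
        }

        if ($response->failed()) {
            // Network or server error: keep the token (it may still be valid), but do
            // not grant access on the strength of a response we never received.
            return redirect()->route('login')->with('status', 'Could not reach the server.');
        }

        // Hydrate the local guard for this request only, so auth()->user() and
        // @auth checks in the mobile app keep working without a local session.
        Auth::setUser(new GenericUser($response->json()));

        return $next($request);
    }

    // Called from the login flow after the backend returns a Sanctum token.
    public static function remember(string $token): void
    {
        SecureStorage::set(self::TOKEN_KEY, $token); // assumed method
    }

    // Called from the logout flow; also revoke the token server-side so a copy
    // of it elsewhere stops working too.
    public static function forget(): void
    {
        $token = SecureStorage::get(self::TOKEN_KEY);

        if (filled($token)) {
            Http::withToken($token)
                ->acceptJson()
                ->post(config('services.backend.url').'/api/logout'); // assumed endpoint
        }

        SecureStorage::delete(self::TOKEN_KEY);
    }
}
```

Register the class as a route middleware and apply it to the routes that need a signed-in user; the `remember()` and `forget()` helpers are where the login and logout screens store and wipe the token. The server round-trip on each visit is deliberate: it is what turns "the phone still has a token" into "the server still accepts this token", which is the property the stored-token-as-authed approach relies on.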

celest summit

Thanks Jerome and Shane. I think this makes sense. I am using Sanctum/token, but then was also relying on the normal Laravel auth/session guard in the NativePHP mobile app for 'logging a user in'. But this makes more sense: just disregard that entirely and just use the stored token as authed/not-authed.

terse mauve
jade jay

I’m dealing with the same situation, but I don’t have the paid SecureStorage plugin. What can I use instead?

I’ve already implemented middleware to store and retrieve the token. Also, is it true that SecureStorage doesn’t work on the iOS simulator?

Is there any way to achieve secure token storage without using the paid SecureStorage plugin? @kind creek @celest summit @violet linden

kind creek

SecureStorage works on the simulator no problem, and it is the right/best/only way to securely store API keys.

violet furnace