The latest articles on DEV Community by Charles Etieve (@charlesetieve). https://dev.to/charlesetieve https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1059179%2F474d7852-6861-4689-8973-80dbce24c742.jpeg https://dev.to/charlesetieve en Charles Etieve Wed, 05 Apr 2023 06:28:18 +0000 https://dev.to/charlesetieve/store-jwt-token-with-coroutines-4bn5 https://dev.to/charlesetieve/store-jwt-token-with-coroutines-4bn5 <p>JWT (JSON Web Token) has become a popular standard for implementing stateless authentication in modern mobile apps. In order to maintain security and avoid session hijacking, it's important to store JWT tokens securely on the client-side.</p> <p>DataStore is a popular choice for storing tokens as it provides the advantages of shared preferences along with additional coroutines capabilities:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// store token (must be called from suspend function) dataStore.edit { it[KEY_TOKEN] = token } // read token (returns a flow of token) dataStore.data.map { it[KEY_TOKEN] } </code></pre> </div> <p>One powerful use case is to navigate to the home or login view on wether the token exists or not:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dataStore.data .map { it.contains(KEY_TOKEN) } .onEach { isAuthenticated -&gt; when(isAuthenticated) { true -&gt; navController.navigate("home") false -&gt; navController.navigate("login") } }.launchIn(scope) </code></pre> </div> <p>However <strong>DataStore lacks support for encryption</strong>, whereas shared preferences does. This means developers have to choose between the convenience of coroutines and the security of encryption when choosing a method to store their JWT tokens.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mggwaymq3nqkfzwgm7c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mggwaymq3nqkfzwgm7c.png" alt="Meme about adroid developer choosing between coroutines and encryption for JWT Token"></a></p> <p>Fortunately, there is a library <strong><a href="https://github.com/osipxd/encrypted-datastore" rel="noopener noreferrer">Encrypted DataStore</a></strong> that <strong>extends DataStore and allows for easy encryption</strong>. While this solution is currently useful, it may become deprecated in the future once DataStore natively implements this functionality.</p> <p>Enough talk, let's dive into the code.</p> <p>First, import libraries in your build.gradle (app module):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// datastore implementation("androidx.datastore:datastore-preferences:1.0.0") // extension for datastore to support encryption implementation("io.github.osipxd:security-crypto-datastore-preferences:1.0.0-alpha04") // utility library for datastore encryption implementation("androidx.security:security-crypto-ktx:1.1.0-alpha05") </code></pre> </div> <p>Then you will need to build your datastore to inject it in your AuthenticationService:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>val dataStore = PreferenceDataStoreFactory.createEncrypted{ EncryptedFile.Builder( context, // the file should have extension .preferences_pb dataStoreFile("filename.preferences_pb"), MasterKey .Builder(context) .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) .build(), EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build() } </code></pre> </div> <p>Finally you can add this service to your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import androidx.datastore.core.DataStore import androidx.datastore.preferences.core.Preferences import androidx.datastore.preferences.core.edit import androidx.datastore.preferences.core.stringPreferencesKey import kotlinx.coroutines.flow.Flow import kotlinx.coroutines.flow.firstOrNull import kotlinx.coroutines.flow.map class AuthenticationService( private val dataStore: DataStore&lt;Preferences&gt; ) { // returns a flow of is authenticated state fun isAuthenticated(): Flow&lt;Boolean&gt; { // flow of token existence from dataStore return dataStore.data.map { it.contains(KEY_TOKEN) } } // store new token after sign in or token refresh suspend fun store(token: String) { // store token to dataStore dataStore.edit { it[KEY_TOKEN] = token } } // get token for protected API method suspend fun getToken(): String { return dataStore.data .map { it[KEY_TOKEN] } // get a flow of token from dataStore .firstOrNull() // transform flow to suspend ?: throw IllegalArgumentException("no token stored") } // to call when user logs out or when refreshing the token has failed suspend fun onLogout() { // remove token from dataStore dataStore.edit { it.remove(KEY_TOKEN) } } companion object { val KEY_TOKEN = stringPreferencesKey("key_token") } } </code></pre> </div> <p>In conclusion, there is now an efficient and secure data storage option available for your JWT tokens, so there's no excuse to settle for anything less! 😊</p> kotlin android security programming