The latest articles on DEV Community by Muhammad Saad Bin Nadeem (@muhammad_saadbinnadeem_). https://dev.to/muhammad_saadbinnadeem_ https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3849943%2F78936a9f-4c3d-46f6-be44-56ba91196464.jpg https://dev.to/muhammad_saadbinnadeem_ en Muhammad Saad Bin Nadeem Sun, 05 Apr 2026 06:04:42 +0000 https://dev.to/muhammad_saadbinnadeem_/beyond-jwts-preventing-api-replay-attacks-in-react-native-net-financial-grade-security-1098 https://dev.to/muhammad_saadbinnadeem_/beyond-jwts-preventing-api-replay-attacks-in-react-native-net-financial-grade-security-1098 <p>When building mobile applications—especially in the fintech, maritime, or ERP sectors—most developers think security stops at JWT Authentication and HTTPS.</p> <p>But what happens if a malicious user or a compromised network proxy intercepts a perfectly valid POST request? For example:<br> POST /api/wallet/transfer { "amount": 100, "to": "user_b" }</p> <p>Even with a valid JWT, the attacker can capture this payload and "replay" (resend) it 100 times, draining the victim's wallet. Your backend will process it because the token is technically valid.</p> <p>To prevent this, enterprise systems use HMAC (Hash-based Message Authentication Code) Signatures combined with strict Timestamps. Here is how to implement this end-to-end between React Native and .NET Core.</p> <p>The Concept<br> The Client (React Native) takes the request body, adds the current timestamp, and hashes it using a secret key. It sends this hash in the headers.</p> <p>The Server (.NET) receives the request. First, it checks if the timestamp is older than 60 seconds (if yes, it rejects it immediately to prevent old replays). Then, the server hashes the body and timestamp using the same secret key.</p> <p>If the server's hash matches the client's hash, the request is untouched and fresh.</p> <p>Step 1: The React Native Implementation (Axios)<br> First, install a crypto library: npm install crypto-js.<br> Then, we use an Axios Interceptor to automatically sign every outgoing POST, PUT, or PATCH request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">axios</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">CryptoJS</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto-js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">baseURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.yourdomain.com</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">CLIENT_SECRET</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_HMAC_SECRET</span><span class="p">;</span> <span class="c1">// Must match the backend</span> <span class="nx">api</span><span class="p">.</span><span class="nx">interceptors</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only sign requests that modify data</span> <span class="k">if </span><span class="p">([</span><span class="dl">'</span><span class="s1">post</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">put</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">patch</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">method</span> <span class="o">??</span> <span class="dl">''</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">timestamp</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">toString</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">bodyString</span> <span class="o">=</span> <span class="nx">config</span><span class="p">.</span><span class="nx">data</span> <span class="p">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">:</span> <span class="dl">''</span><span class="p">;</span> <span class="c1">// Create the signature payload: Timestamp + Body</span> <span class="kd">const</span> <span class="nx">payloadToSign</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">timestamp</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">bodyString</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Hash it using HMAC-SHA256</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">CryptoJS</span><span class="p">.</span><span class="nc">HmacSHA256</span><span class="p">(</span><span class="nx">payloadToSign</span><span class="p">,</span> <span class="nx">CLIENT_SECRET</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="nx">CryptoJS</span><span class="p">.</span><span class="nx">enc</span><span class="p">.</span><span class="nx">Hex</span><span class="p">);</span> <span class="c1">// Attach to headers</span> <span class="nx">config</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">X-Request-Timestamp</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">timestamp</span><span class="p">;</span> <span class="nx">config</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">X-Request-Signature</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">signature</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">config</span><span class="p">;</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">api</span><span class="p">;</span> </code></pre> </div> <p>Step 2: The .NET 9 Backend Implementation<br> Instead of polluting our controllers, we write a clean, reusable ActionFilterAttribute in C# to intercept requests before they even hit our endpoints.</p> <p>Create a file called ValidateHmacSignatureAttribute.cs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc.Filters</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Text</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ValidateHmacSignatureAttribute</span> <span class="p">:</span> <span class="n">ActionFilterAttribute</span> <span class="p">{</span> <span class="k">private</span> <span class="k">const</span> <span class="kt">int</span> <span class="n">MaxAgeInSeconds</span> <span class="p">=</span> <span class="m">60</span><span class="p">;</span> <span class="k">public</span> <span class="k">override</span> <span class="k">async</span> <span class="n">Task</span> <span class="nf">OnActionExecutionAsync</span><span class="p">(</span><span class="n">ActionExecutingContext</span> <span class="n">context</span><span class="p">,</span> <span class="n">ActionExecutionDelegate</span> <span class="n">next</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">request</span> <span class="p">=</span> <span class="n">context</span><span class="p">.</span><span class="n">HttpContext</span><span class="p">.</span><span class="n">Request</span><span class="p">;</span> <span class="c1">// 1. Extract Headers</span> <span class="k">if</span> <span class="p">(!</span><span class="n">request</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">TryGetValue</span><span class="p">(</span><span class="s">"X-Request-Timestamp"</span><span class="p">,</span> <span class="k">out</span> <span class="kt">var</span> <span class="n">timestampValues</span><span class="p">)</span> <span class="p">||</span> <span class="p">!</span><span class="n">request</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">TryGetValue</span><span class="p">(</span><span class="s">"X-Request-Signature"</span><span class="p">,</span> <span class="k">out</span> <span class="kt">var</span> <span class="n">signatureValues</span><span class="p">))</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">Result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">UnauthorizedObjectResult</span><span class="p">(</span><span class="s">"Missing security headers."</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">timestampStr</span> <span class="p">=</span> <span class="n">timestampValues</span><span class="p">.</span><span class="nf">ToString</span><span class="p">();</span> <span class="kt">var</span> <span class="n">clientSignature</span> <span class="p">=</span> <span class="n">signatureValues</span><span class="p">.</span><span class="nf">ToString</span><span class="p">();</span> <span class="c1">// 2. Prevent Replay Attacks via Timestamp Validation</span> <span class="k">if</span> <span class="p">(!</span><span class="kt">long</span><span class="p">.</span><span class="nf">TryParse</span><span class="p">(</span><span class="n">timestampStr</span><span class="p">,</span> <span class="k">out</span> <span class="kt">long</span> <span class="n">timestampMs</span><span class="p">))</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">Result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">BadRequestObjectResult</span><span class="p">(</span><span class="s">"Invalid timestamp format."</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">requestTime</span> <span class="p">=</span> <span class="n">DateTimeOffset</span><span class="p">.</span><span class="nf">FromUnixTimeMilliseconds</span><span class="p">(</span><span class="n">timestampMs</span><span class="p">);</span> <span class="k">if</span> <span class="p">((</span><span class="n">DateTimeOffset</span><span class="p">.</span><span class="n">UtcNow</span> <span class="p">-</span> <span class="n">requestTime</span><span class="p">).</span><span class="n">TotalSeconds</span> <span class="p">&gt;</span> <span class="n">MaxAgeInSeconds</span><span class="p">)</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">Result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">UnauthorizedObjectResult</span><span class="p">(</span><span class="s">"Request expired. Replay attack detected."</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 3. Rebuild the payload and validate signature</span> <span class="n">request</span><span class="p">.</span><span class="nf">EnableBuffering</span><span class="p">();</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">reader</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">StreamReader</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">Body</span><span class="p">,</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">,</span> <span class="n">leaveOpen</span><span class="p">:</span> <span class="k">true</span><span class="p">);</span> <span class="kt">var</span> <span class="n">body</span> <span class="p">=</span> <span class="k">await</span> <span class="n">reader</span><span class="p">.</span><span class="nf">ReadToEndAsync</span><span class="p">();</span> <span class="n">request</span><span class="p">.</span><span class="n">Body</span><span class="p">.</span><span class="n">Position</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="c1">// Reset stream for the controller</span> <span class="kt">var</span> <span class="n">payloadToSign</span> <span class="p">=</span> <span class="s">$"</span><span class="p">{</span><span class="n">timestampStr</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">body</span><span class="p">}</span><span class="s">"</span><span class="p">;</span> <span class="c1">// In a real app, inject this secret via IConfiguration</span> <span class="kt">var</span> <span class="n">serverSecret</span> <span class="p">=</span> <span class="s">"YOUR_SHARED_SECRET_KEY"</span><span class="p">;</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">hmac</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HMACSHA256</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">serverSecret</span><span class="p">));</span> <span class="kt">var</span> <span class="n">hashBytes</span> <span class="p">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">ComputeHash</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">payloadToSign</span><span class="p">));</span> <span class="kt">var</span> <span class="n">serverSignature</span> <span class="p">=</span> <span class="n">Convert</span><span class="p">.</span><span class="nf">ToHexString</span><span class="p">(</span><span class="n">hashBytes</span><span class="p">).</span><span class="nf">ToLower</span><span class="p">();</span> <span class="c1">// 4. Compare</span> <span class="k">if</span> <span class="p">(</span><span class="n">serverSignature</span> <span class="p">!=</span> <span class="n">clientSignature</span><span class="p">.</span><span class="nf">ToLower</span><span class="p">())</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">Result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">UnauthorizedObjectResult</span><span class="p">(</span><span class="s">"Payload tampering detected. Invalid signature."</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">await</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Step 3: Secure Your Endpoints<br> Now, to protect any financial transaction in your API, you simply add the attribute to the controller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="nf">HttpPost</span><span class="p">(</span><span class="s">"transfer"</span><span class="p">)]</span> <span class="p">[</span><span class="n">ValidateHmacSignature</span><span class="p">]</span> <span class="c1">// BOOM. Replay attacks are dead.</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">TransferFunds</span><span class="p">([</span><span class="n">FromBody</span><span class="p">]</span> <span class="n">TransferDto</span> <span class="n">request</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Process the transaction safely</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">Message</span> <span class="p">=</span> <span class="s">"Funds transferred securely."</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Conclusion<br> By combining timestamps with HMAC signatures, we ensure two things:</p> <p>The payload was not altered in transit.</p> <p>The request is fresh and cannot be intercepted and replayed later.</p> <p>If you are building fintech apps, ERP systems, or anything handling real money, this level of security is non-negotiable.</p> <p>What other advanced security layers do you guys implement in your mobile architectures? Let's discuss in the comments!</p> <p>(P.S. Make sure to follow my profile for more deep dives into enterprise-grade .NET and React Native architecture!)</p> api dotnet reactnative security Muhammad Saad Bin Nadeem Sun, 05 Apr 2026 06:01:27 +0000 https://dev.to/muhammad_saadbinnadeem_/stop-re-writing-this-how-to-build-a-reusable-password-input-in-react-native-5f9 https://dev.to/muhammad_saadbinnadeem_/stop-re-writing-this-how-to-build-a-reusable-password-input-in-react-native-5f9 <p>If you are building a React Native app, you are going to need a Login screen, a Registration screen, and probably a "Change Password" screen.</p> <p>The biggest mistake I see developers make is re-writing the same useState logic to toggle the secureTextEntry (the eye icon) on every single one of these screens. It makes your code messy and violates the DRY (Don't Repeat Yourself) principle.</p> <p>Instead, we should build a single, beautiful component that handles its own internal state, and just reuse it everywhere.</p> <p>Here is exactly how to build it using standard React Native components and Expo vector icons.</p> <ol> <li>The Component Code Create a new file called CustomPasswordInput.tsx in your components folder. We will use @expo/vector-icons for the eye graphic (which comes pre-installed in Expo). </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="nx">React</span><span class="p">,</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">View</span><span class="p">,</span> <span class="nx">TextInput</span><span class="p">,</span> <span class="nx">TouchableOpacity</span><span class="p">,</span> <span class="nx">StyleSheet</span><span class="p">,</span> <span class="nx">TextInputProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Ionicons</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@expo/vector-icons</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// We extend standard TextInputProps so we can pass things like 'placeholder' or 'onChangeText'</span> <span class="kr">interface</span> <span class="nx">CustomPasswordInputProps</span> <span class="kd">extends</span> <span class="nx">TextInputProps</span> <span class="p">{}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">CustomPasswordInput</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FC</span><span class="o">&lt;</span><span class="nx">CustomPasswordInputProps</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">({</span> <span class="p">...</span><span class="nx">props</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Internal state to track if the password is hidden or visible</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">isSecure</span><span class="p">,</span> <span class="nx">setIsSecure</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">toggleVisibility</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setIsSecure</span><span class="p">(</span><span class="o">!</span><span class="nx">isSecure</span><span class="p">);</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">View</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="nx">styles</span><span class="p">.</span><span class="nx">container</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">TextInput</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="nx">styles</span><span class="p">.</span><span class="nx">input</span><span class="si">}</span> <span class="na">secureTextEntry</span><span class="p">=</span><span class="si">{</span><span class="nx">isSecure</span><span class="si">}</span> <span class="c1">// Toggles the masking</span> <span class="na">placeholderTextColor</span><span class="p">=</span><span class="s">"#999"</span> <span class="si">{</span><span class="p">...</span><span class="nx">props</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">TouchableOpacity</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="nx">styles</span><span class="p">.</span><span class="nx">iconContainer</span><span class="si">}</span> <span class="na">onPress</span><span class="p">=</span><span class="si">{</span><span class="nx">toggleVisibility</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Ionicons</span> <span class="na">name</span><span class="p">=</span><span class="si">{</span><span class="nx">isSecure</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">eye-off</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">eye</span><span class="dl">"</span><span class="si">}</span> <span class="na">size</span><span class="p">=</span><span class="si">{</span><span class="mi">24</span><span class="si">}</span> <span class="na">color</span><span class="p">=</span><span class="s">"#666"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">TouchableOpacity</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">View</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">styles</span> <span class="o">=</span> <span class="nx">StyleSheet</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">container</span><span class="p">:</span> <span class="p">{</span> <span class="na">flexDirection</span><span class="p">:</span> <span class="dl">'</span><span class="s1">row</span><span class="dl">'</span><span class="p">,</span> <span class="na">alignItems</span><span class="p">:</span> <span class="dl">'</span><span class="s1">center</span><span class="dl">'</span><span class="p">,</span> <span class="na">backgroundColor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">#F5F5F5</span><span class="dl">'</span><span class="p">,</span> <span class="na">borderRadius</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">borderWidth</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">borderColor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">#E0E0E0</span><span class="dl">'</span><span class="p">,</span> <span class="na">paddingHorizontal</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span> <span class="na">height</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">marginBottom</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span> <span class="p">},</span> <span class="na">input</span><span class="p">:</span> <span class="p">{</span> <span class="na">flex</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Takes up remaining space</span> <span class="na">fontSize</span><span class="p">:</span> <span class="mi">16</span><span class="p">,</span> <span class="na">color</span><span class="p">:</span> <span class="dl">'</span><span class="s1">#333</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">iconContainer</span><span class="p">:</span> <span class="p">{</span> <span class="na">padding</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <ol> <li>Why this approach is better Encapsulation: The Login screen doesn't need to know how the eye icon works. It just needs the final typed text.</li> </ol> <p>Flexibility: Because we spread {...props} onto the TextInput, you can still pass standard props like onChangeText, value, or onBlur from the parent screen without having to manually define them all.</p> <ol> <li>How clean it looks in your Login Screen Now, look at how incredibly clean your actual Login Screen becomes. No messy state variables tracking the eye icon! </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="nx">React</span><span class="p">,</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">View</span><span class="p">,</span> <span class="nx">Button</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CustomPasswordInput</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../components/CustomPasswordInput</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginScreen</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">setPassword</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">handleLogin</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Logging in with: </span><span class="dl">"</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">View</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">padding</span><span class="p">:</span> <span class="mi">20</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Our clean, reusable component! */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">CustomPasswordInput</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Enter your password"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">password</span><span class="si">}</span> <span class="na">onChangeText</span><span class="p">=</span><span class="si">{</span><span class="nx">setPassword</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Button</span> <span class="na">title</span><span class="p">=</span><span class="s">"Login"</span> <span class="na">onPress</span><span class="p">=</span><span class="si">{</span><span class="nx">handleLogin</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">View</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>By extracting UI elements into smart components, you can assemble complex screens in seconds instead of hours.</p> <p>Did you find this helpful? I build full-stack architectures and post weekly about React Native, .NET Core, and writing cleaner code. Make sure to follow my profile so you don't miss the next UI component breakdown!</p> <h1> reactnative, #javascript, #webdev, #ui </h1> react reactnative tutorial typescript Muhammad Saad Bin Nadeem Sun, 05 Apr 2026 05:58:17 +0000 https://dev.to/muhammad_saadbinnadeem_/why-your-react-native-app-cant-connect-to-your-local-net-api-and-how-to-fix-it-1hej https://dev.to/muhammad_saadbinnadeem_/why-your-react-native-app-cant-connect-to-your-local-net-api-and-how-to-fix-it-1hej <p>You just built a beautiful .NET Core Web API. You test it in Swagger or Postman, and it works perfectly. It returns data instantly.</p> <p>So, you open up your React Native Expo app, write a simple axios.get('<a href="http://localhost:5257/api/users'" rel="noopener noreferrer">http://localhost:5257/api/users'</a>), press save, and... 💥 Network Error.</p> <p>If you are testing on an Android emulator or a physical device, this error will drive you crazy. Here is exactly why it happens and how to set up your environment variables to fix it forever.</p> <p>The Problem: What is "Localhost"?<br> When you type localhost inside your React Native code, the code is running inside the mobile device (or emulator).</p> <p>To your computer, localhost means the computer itself.</p> <p>To your Android emulator, localhost means the Android device's internal loopback network.</p> <p>The emulator is literally looking inside itself for a .NET server that doesn't exist, failing, and throwing a Network Error.</p> <p>The Solution: The Magic IP Addresses<br> To fix this, you need to point your mobile app to your computer's actual network address, depending on what you are testing on.</p> <ol> <li>Testing on the iOS Simulator (Mac) Apple made this easy. The iOS simulator shares the host machine's network.</li> </ol> <p>URL to use: <a href="http://localhost:" rel="noopener noreferrer">http://localhost:</a></p> <ol> <li>Testing on the Android Emulator Google built the Android emulator to run on an isolated virtual router. To break out of that router and talk to your computer's localhost, they provide a specific alias IP.</li> </ol> <p>URL to use: <a href="http://10.0.2.2:" rel="noopener noreferrer">http://10.0.2.2:</a></p> <ol> <li>Testing on a Physical Device (iPhone or Android via Wi-Fi) If you are running the Expo app on your actual phone, neither localhost nor 10.0.2.2 will work. Your phone needs your computer's local Wi-Fi IP address.</li> </ol> <p>Open your terminal and type ipconfig (Windows) or ifconfig (Mac).</p> <p>Find your IPv4 address (it usually looks like 192.168.1.X or 10.0.0.X).</p> <p>URL to use: <a href="http://192.168.1.X:" rel="noopener noreferrer">http://192.168.1.X:</a><br> (Note: For this to work, you must ensure your .NET app is listening on your local IP, not just localhost. You can do this by running dotnet run --urls "<a href="http://0.0.0.0:" rel="noopener noreferrer">http://0.0.0.0:</a>")</p> <p>The Best Practice: Environment Configuration<br> Instead of manually changing your Axios URLs every time you switch from iOS to Android, set up a dynamic config.</p> <p>If you are using Expo, create a .env file at the root of your project:</p> <p>Code snippet<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Change this depending on your testing device!</span> <span class="c"># iOS Simulator</span> <span class="c"># EXPO_PUBLIC_API_URL=http://localhost:5257/api</span> <span class="c"># Android Emulator</span> <span class="nv">EXPO_PUBLIC_API_URL</span><span class="o">=</span>http://10.0.2.2:5257/api <span class="c"># Physical Device</span> <span class="c"># EXPO_PUBLIC_API_URL=http://192.168.1.45:5257/api</span> </code></pre> </div> <p>Then, configure your Axios instance once, and never touch it again:</p> <p>TypeScript<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">axios</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">baseURL</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_API_URL</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>export default api;<br> Now, whenever you switch testing devices, you just uncomment the right line in your .env file, restart your Expo server with npx expo start -c (to clear the cache), and your API will connect flawlessly.</p> <p>I hope this saved you a few hours of debugging! I build full-stack architectures and post weekly about React Native, .NET Core, and mobile enterprise solutions. Make sure to follow my profile here on Dev.to so you don't miss the next architecture breakdown!</p> <h1> reactnative, #dotnet, #javascript, and #beginners </h1> dotnet networking reactnative tutorial Muhammad Saad Bin Nadeem Tue, 31 Mar 2026 19:36:44 +0000 https://dev.to/muhammad_saadbinnadeem_/how-to-fix-expo-secure-store-crashing-on-web-platform-agnostic-storage-in-react-native-2idb https://dev.to/muhammad_saadbinnadeem_/how-to-fix-expo-secure-store-crashing-on-web-platform-agnostic-storage-in-react-native-2idb <p>If you are building a universal React Native app using Expo, you’ve probably run into this incredibly frustrating issue when setting up your JWT Authentication.</p> <p>You install expo-secure-store to safely save your user's auth tokens. You test it on your iOS simulator, and it works flawlessly. You test it on Android, perfect.</p> <p>But the second you hit w in your terminal to test your app in a web browser, your app completely crashes with an error like:<br> TypeError: ExpoSecureStore.default.getValueWithKeyAsync is not a function</p> <p>Why does this happen?<br> expo-secure-store relies on the native hardware security of mobile devices (Keychain for iOS, Keystore for Android). Web browsers do not have this native hardware. When Expo tries to run native code inside Google Chrome, the browser panics and kills your API requests.</p> <p>The Solution: A Platform-Agnostic Storage Wrapper<br> Instead of littering your components with if (Platform.OS === 'web') statements every time you need to check a token, the cleanest enterprise-level solution is to create a centralized storage utility.</p> <p>This utility will automatically detect the environment. If the user is on a phone, it uses the highly secure SecureStore. If they are on the web, it gracefully falls back to standard localStorage.</p> <p>Create a file called storage.ts in your services folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">SecureStore</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-secure-store</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Platform</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Save Token</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">setToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">Platform</span><span class="p">.</span><span class="nx">OS</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">SecureStore</span><span class="p">.</span><span class="nf">setItemAsync</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// Get Token</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">Platform</span><span class="p">.</span><span class="nx">OS</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">SecureStore</span><span class="p">.</span><span class="nf">getItemAsync</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// Delete Token</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">deleteToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">Platform</span><span class="p">.</span><span class="nx">OS</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">SecureStore</span><span class="p">.</span><span class="nf">deleteItemAsync</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>How to use it in your Axios Interceptor<br> Now, instead of calling SecureStore directly, you just call your new smart utility. Here is how clean it looks inside an Axios interceptor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">axios</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getToken</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./storage</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">baseURL</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_API_URL</span><span class="p">,</span> <span class="p">});</span> <span class="nx">api</span><span class="p">.</span><span class="nx">interceptors</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Works flawlessly on iOS, Android, AND Web!</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getToken</span><span class="p">(</span><span class="dl">'</span><span class="s1">userToken</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">Authorization</span> <span class="o">=</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">config</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p>Gemini said<br> Here is the exact technical article to post on Dev.to.</p> <p>Because Dev.to is a platform strictly for developers, we are not going to make this look like an ad. We are going to teach them how to fix a very annoying React Native bug, and then soft-pitch your Gumroad link at the very end. This builds massive trust.</p> <p>Title: How to fix expo-secure-store crashing on Web (Platform-Agnostic Storage in React Native)</p> <p>Body:</p> <p>If you are building a universal React Native app using Expo, you’ve probably run into this incredibly frustrating issue when setting up your JWT Authentication.</p> <p>You install expo-secure-store to safely save your user's auth tokens. You test it on your iOS simulator, and it works flawlessly. You test it on Android, perfect.</p> <p>But the second you hit w in your terminal to test your app in a web browser, your app completely crashes with an error like:<br> TypeError: ExpoSecureStore.default.getValueWithKeyAsync is not a function</p> <p>Why does this happen?<br> expo-secure-store relies on the native hardware security of mobile devices (Keychain for iOS, Keystore for Android). Web browsers do not have this native hardware. When Expo tries to run native code inside Google Chrome, the browser panics and kills your API requests.</p> <p>The Solution: A Platform-Agnostic Storage Wrapper<br> Instead of littering your components with if (Platform.OS === 'web') statements every time you need to check a token, the cleanest enterprise-level solution is to create a centralized storage utility.</p> <p>This utility will automatically detect the environment. If the user is on a phone, it uses the highly secure SecureStore. If they are on the web, it gracefully falls back to standard localStorage.</p> <p>Create a file called storage.ts in your services folder:</p> <p>TypeScript<br> import * as SecureStore from 'expo-secure-store';<br> import { Platform } from 'react-native';</p> <p>// Save Token<br> export const setToken = async (key: string, value: string) =&gt; {<br> if (Platform.OS === 'web') {<br> localStorage.setItem(key, value);<br> } else {<br> await SecureStore.setItemAsync(key, value);<br> }<br> };</p> <p>// Get Token<br> export const getToken = async (key: string) =&gt; {<br> if (Platform.OS === 'web') {<br> return localStorage.getItem(key);<br> } else {<br> return await SecureStore.getItemAsync(key);<br> }<br> };</p> <p>// Delete Token<br> export const deleteToken = async (key: string) =&gt; {<br> if (Platform.OS === 'web') {<br> localStorage.removeItem(key);<br> } else {<br> await SecureStore.deleteItemAsync(key);<br> }<br> };<br> How to use it in your Axios Interceptor<br> Now, instead of calling SecureStore directly, you just call your new smart utility. Here is how clean it looks inside an Axios interceptor:</p> <p>TypeScript<br> import axios from 'axios';<br> import { getToken } from './storage';</p> <p>const api = axios.create({<br> baseURL: process.env.EXPO_PUBLIC_API_URL,<br> });</p> <p>api.interceptors.request.use(async (config) =&gt; {<br> // Works flawlessly on iOS, Android, AND Web!<br> const token = await getToken('userToken');</p> <p>if (token) {<br> config.headers.Authorization = <code>Bearer ${token}</code>;<br> }<br> return config;<br> });<br> Skip the Boilerplate<br> I got so tired of wiring up this storage utility, Axios interceptors, JWT handling, and .NET AuthControllers for every single new project that I finally packaged it all together.</p> <p>If you want to skip the 40 hours of tedious "infrastructure" setup and just start building your actual mobile app today, I released my full Enterprise Mobile Solution (React Native/Expo + .NET 9 API + SQLite).</p> <p>It has all of this built-in, plus premium UI components, for just $39.</p> <p>You can grab the full source code here: <a href="https://cutt.ly/rtAQiXmT" rel="noopener noreferrer">https://cutt.ly/rtAQiXmT</a></p> <p>Happy coding! Let me know if you handle your universal storage differently in the comments.</p> <h1> reactnative #dotnet #webdev #tutorial </h1> Muhammad Saad Bin Nadeem Sun, 29 Mar 2026 19:12:41 +0000 https://dev.to/muhammad_saadbinnadeem_/stop-building-authentication-from-scratch-a-full-stack-net-react-native-architecture-15di https://dev.to/muhammad_saadbinnadeem_/stop-building-authentication-from-scratch-a-full-stack-net-react-native-architecture-15di <p>We’ve all been there. You have a great idea for a mobile app, but before you can build a single feature, you have to wire up the "Big Three": Authentication, API Interceptors, and Secure Storage.</p> <p>In this post, I want to share the architecture I use for my Enterprise Mobile Solution.</p> <p>Key Architectural Decisions:</p> <p>The Interceptor Pattern: Using Axios interceptors to automatically attach Bearer tokens.</p> <p>Platform-Agnostic Storage: How to wrap expo-secure-store so your app doesn't break when testing in a Chrome browser.</p> <p>Themed Components: Moving away from inline styles to a centralized theme.ts for instant rebranding.</p> <p>I’ve packaged this entire architecture into a ready-to-go solution for anyone who wants to skip the boilerplate phase.</p> <p>Check out the full solution here: <a href="https://saadventure610.gumroad.com/l/EnterpriseMobileSolution-ReactNative-NETCore" rel="noopener noreferrer">https://saadventure610.gumroad.com/l/EnterpriseMobileSolution-ReactNative-NETCore</a></p> <h1> reactnative #dotnet #webdev #productivity </h1>