Merge pull request #434 from FormidableLabs/chore/add-token-storage-info

Kadi Kraman · web-flow · commit 968daa391e51 · 2020-01-08T15:56:19.000Z
Add token storage recommendations
diff --git a/README.md b/README.md
@@ -416,7 +416,10 @@ Some authentication providers, including examples cited below, require you to pr
 > [strongly recommend](https://github.com/openid/AppAuth-Android#utilizing-client-secrets-dangerous) you avoid using static client secrets in your native applications whenever possible. Client secrets derived via a dynamic client registration are safe to use, but static client secrets can be easily extracted from your apps and allow others to impersonate your app and steal user data. If client secrets must be used by the OAuth2 provider you are integrating with, we strongly recommend performing the code exchange step on your backend, where the client secret can be kept hidden.
 
 Having said this, in some cases using client secrets is unavoidable. In these cases, a `clientSecret` parameter can be provided to `authorize`/`refresh` calls when performing a token request.
-g
+
+#### Token Storage
+
+Recommendations on secure token storage can be found [here](./docs/token-storage.md).
 
 #### Maintenance Status
 
diff --git a/docs/token-storage.md b/docs/token-storage.md
@@ -0,0 +1,26 @@
+## Token Storage
+
+Once the user has successfully authenticated, you'll have a JWT and possibly a refresh token that should be stored securely.
+
+❗️ __Do not use Async Storage for storing sensitive information__
+
+Async Storage is the simplest method of persisting data across application launches in React Native. However, it is an _unencrypted_ key-value store and should therefore not be used for token storage.
+
+✅ __DO use Secure Storage__
+
+React Native does not come bundled with any way of storing sensitive data, so it is necessary to rely on the underlying platform-specific solutions.
+
+### iOS - Keychain Services
+Keychain Services allows you to securely store small chunks of sensitive info for the user. This is an ideal place to store certificates, tokens, passwords, and any other sensitive information that doesn’t belong in Async Storage.
+
+### Android - Secure Shared Preferences
+Shared Preferences is the Android equivalent for a persistent key-value data store. Data in Shared Preferences is not encrypted by default. Encrypted Shared Preferences wraps the Shared Preferences class for Android, and automatically encrypts keys and values.
+
+In order to use iOS's Keychain services or Android's Secure Shared Preferences, you either can write a JS<->native interface yourself or use a library which wraps them for you. Some even provide a unified API.
+
+## Related OSS libraries
+
+- [react-native-keychain](https://github.com/oblador/react-native-keychain) - we've had good experiences using this on projects
+- [react-native-sensitive-info](https://github.com/mCodex/react-native-sensitive-info) - secure for iOS, but uses Android Shared Preferences for Android (which is not secure). There is however a fork that uses [Android Keystore](https://github.com/mCodex/react-native-sensitive-info/tree/keystore) which is secure
+- [redux-persist-sensitive-storage](https://github.com/CodingZeal/redux-persist-sensitive-storage) - wraps `react-native-sensitive-info`, see comments above
+- [rn-secure-storage](https://github.com/talut/rn-secure-storage)
