Hi Mohit,

I am glad you brought it up. First, I would say offline mode is a great
value addition to the community.

I had posted a question regarding logout as well which no one replied to, so I
am going to go ahead and make some assumptions. Please note that this is an
opinion piece and your PR will be subject to the reviewer's point of view.
There is probably no official stance on what should be the default
behavior. Different types of organizations using Fineract / MifosX will
take different calls and prefer one over the other.

Ex :-
(1) Most security specs would say the default security profile shouldn't
exist in its current form.
(2) Some security specs would say that no matter which security profile the app
is running on, idle sessions should expire on the server side as per company /
product policy.
(3) Some security specs would say that the community app does not do a
clean logout, as the token is not invalidated at the server side through a common
logout API for all profiles. I believe Alex has built a separate endpoint
for 2FA token invalidation.

I agree with you on the usability perspective, and it makes quite a bit of sense
for the self-service app and the field officer app (only where a BYOD policy is in place),
but not so much for the web app and shared devices from a traditional
security specifications perspective.

At a glance, here are the efforts I see to make offline mode more secure :-

   - Offline mode should be configurable at user level, branch level and
   organization level so that the organization can minimize risk.
   - Server-side token invalidation through logout / timer should happen
   for all profiles.
   - Going back to online mode / syncing data with the server should require
   re-authentication for all profiles.

Having said all that, I am assuming that the default basicauth profile is
for organizations that either do not care much about security, have
plenty of other out-of-band protocols to feel safe enough, or use Fineract
APIs internally; so I guess a seamless offline / online transition is okay
for the current default / oauth implementation, but it will probably break for
2FA mode once Alex's code gets merged. Banks would insist that even offline-mode
inactivity have client-side expiry and that a PIN be used to log back in to
offline mode.

Regards,
Avik.

On Thu, Aug 24, 2017 at 6:47 PM, Mohit Bajoria <mohitbaj...@gmail.com>
wrote:

> Hello Community
>
> I have been implementing Offline Functionality for the Mifos Community app using
> the Service Workers API and its multiple libraries as my Google Summer of
> Code project.
>
> The Community app currently logs out if the browser is closed or if the user
> is idle for some time; every time, we have to input username/password to
> authenticate the user back again, and this is bad UX according to my
> experience. The user should always be signed in seamlessly, while making sure the user is
> secured.
>
> In the community app, all the logic is already written; we are storing data in
> localStorage, as you can all see in the local storage section of the developer
> tools. We are storing the user data in encrypted form in Local storage.
>
> In MainController.js (L- 137), the code written is that whenever the user closes
> the browser or sits idle, it logs out the browser, which I think can be
> commented out to give the offline functionality to the user. This way we
> can directly navigate the user to their home page even if the user is offline, and the
> user will be securely authenticated also.
>
> I want the viewpoints of Nazeer and the mentors: going this way, will there be
> a security threat? Will the user be secured?
>
> This way also ensures a seamless sign-in flow without any hassle to the
> user. Let me know all your thoughts.
>
> Regards
> Mohit
> --
>
> *Regards*
> *Mohit Kumar Bajoria*
> *http://mohitbajoria.com*
>
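The three requirements in Avik's list (client-side idle expiry that works offline, forced re-authentication before syncing once the app is back online, and server-side token invalidation on logout) sketched as a small session-state module. This is an added example, not code from the Mifos community app or from either author; the `invalidateOnServer` callback, the idle limit and the credential check are assumptions standing in for whatever the real app and Fineract API provide.

```javascript
// Added example (not Mifos/Fineract code): offline-session policy for a browser
// app that keeps an auth token in localStorage. All values are constructed.
const IDLE_LIMIT_MS = 15 * 60 * 1000; // assumed policy value: 15 minutes

function createSession(token, now) {
  return { token, lastActivity: now, needsReauth: false, online: true };
}

// Called on user activity. Idle expiry is enforced on the client, so it
// still applies while offline, independently of the server's session timer.
function touch(session, now) {
  if (session.needsReauth) return session;
  if (now - session.lastActivity > IDLE_LIMIT_MS) {
    return { ...session, needsReauth: true };
  }
  return { ...session, lastActivity: now };
}

function goOffline(session) {
  return { ...session, online: false };
}

// Returning online (and therefore being able to sync) always demands
// re-authentication, regardless of security profile.
function goOnline(session) {
  return { ...session, online: true, needsReauth: true };
}

// Sync is only allowed when online and freshly re-authenticated.
function canSync(session) {
  return session.online && !session.needsReauth;
}

// `verified` is the result of checking the PIN/password; how that check is
// done (hash of an offline PIN, server round-trip, 2FA) is out of scope here.
function reauthenticate(session, verified, now) {
  if (!verified) return session;
  return { ...session, needsReauth: false, lastActivity: now };
}

// Logout must invalidate the token server-side, not just clear local state.
// `invalidateOnServer(token)` is an assumed callback wrapping the logout call.
function logout(session, invalidateOnServer) {
  if (session.online) invalidateOnServer(session.token);
  return null; // caller also removes the encrypted token from localStorage
}
```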
