I want to implement the app in Worklight using JSONStore protection. I want to store the password based on the logged-in user and add that password to options in WL.JSONStore.init(collections, options). The rest of the details are in the data object data = {};
And how do I extract the password saved in the WL.JSONStore.init(collections, options) options object for making API calls for the rest of the functions?
My take on the question:
Storing the password in the device is indeed not a good practice to follow.
There is also the additional question of where the username and password are coming from originally. When does the sign-up (rather than log-in) happen? This is IMO crucial information.
In one of my applications I have initialized a JSONStore and encrypted it using the user's password and in the collection I saved the username.
This way, the next time the user tries to open the JSONStore (read: "to log-in"), it will try to do so with the inputted password. If this step is successful, it will then compare the inputted username with the stored username. If this step is successful as well, valid login credentials can be assumed.
Note that the above code is a bit abstract and "generic", and you will need to handle all sorts of edge cases.
I highly recommend thoroughly reading all of the JSONStore documentation and training modules.
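The log-in flow this answer describes, written out as an added example (it is not the answerer's code, which is not reproduced on this page). The collection name account, the helper names signUp and logIn, and passing the store object in as a parameter are assumptions; in a Worklight hybrid app the store argument would be WL.JSONStore.

```javascript
// Added example. `store` is WL.JSONStore in the app; it is a parameter here so
// the logic can be exercised off-device. 'account' is an assumed collection name.
var COLLECTIONS = { account: { searchFields: { username: 'string' } } };

// Sign-up (first run): create the encrypted store and record the username.
// The password is only handed to init(), which uses it to protect the store;
// it is never written into a document or any other storage.
function signUp(store, username, password) {
  return store.init(COLLECTIONS, { password: password }).then(function () {
    return store.get('account').add({ username: username });
  }).then(function () {
    return store.closeAll();          // lock the store again until log-in
  }).then(function () {
    return true;
  });
}

// Log-in (later runs), the two checks from the answer:
//   1. init() succeeds only if the typed password opens the store;
//   2. the typed username must equal the username saved inside the store.
// Resolves to true or false. Any init/find failure counts as a failed log-in;
// a real app may want to tell a wrong password apart from other error codes.
function logIn(store, username, password) {
  return store.init(COLLECTIONS, { password: password }).then(function () {
    return store.get('account').findAll();
  }).then(function (docs) {
    var ok = docs.length === 1 && docs[0].json.username === username;
    if (ok) {
      return true;                    // store stays open for this session
    }
    // Right password, wrong username: do not leave the store unlocked.
    return store.closeAll().then(function () { return false; });
  }, function () {
    return false;                     // store could not be opened
  });
}
```

With this design nothing needs to be read back out of the init options: the password exists only in memory while the user types it, and the rest of the JSONStore calls work on the already opened store.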
You have two options (though I am not a security expert):
Ask the user who uses the app (and therefore the JSONStore) to enter the password each time you open the app, and then in the WL.JSONStore.init method check the password (if the password is correct, the store will open; otherwise, the method will fail).
Store the password in a secure storage - Keychains. For iOS see this link. For Android, I think this is the equivalent link.
So, the first time the user opens the app, you store the password and each time the user opens the app, you retrieve the password and pass it to WL JSONStore. If the user wants to update the password (e.g. you have security policy to follow), you have to update the password in the Keychain.
Of course, if you go hybrid, you will need some sort of Cordova plugin that adds, reads, updates, and resets the password in the keychain so you can perform these actions from JavaScript.
Hope it helps!