login: Use Apple API for web auth on iOS, ASWebAuthenticationSession #611
Labels:
- a-first-hour: Issues specific to using the app for the first time
- a-iOS: Issues specific to iOS, or requiring iOS-specific work
- a-login
This is a followup to:
In the version we merged as #600, web auth works great (as far as we've seen) on Android, and it works great on iOS… if you don't have the legacy zulip-mobile app installed.
If you do have the legacy app installed (or any other app that offers to handle `zulip:` URLs) then when you complete the server side of the auth flow and it tries to send you back to the app with your credentials, iOS may choose to have the other app handle it instead. There's no security issue here — the credentials are encrypted with a one-time pad the app generates and holds in memory — but it defeats your attempt to log in. And there's nothing the app can do about it, or that you can do about it short of uninstalling the other app.

To fix this, Apple offers a specialized API for this use case, `ASWebAuthenticationSession`. Docs here:
https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service
So we'd like to use that.
It doesn't appear there's a suitable package for this off the shelf. So we'll wrap the API ourselves, with Pigeon.
(Depending how that looks, we may in the future polish that wrapper up as a plugin package on pub.dev for other people to use. But that's out of scope for this issue.)
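
The one-time-pad protection described in the issue, sketched as an added example (not part of the issue and not the project's code): the app holds a per-attempt pad in memory, the server XORs the credential with it, and only the holder of the pad can recover the credential from the `zulip:` redirect. The `encrypted_key` parameter name, the hex encoding, the 32-byte pad size and the step of passing the pad to the server with the login request are assumptions made for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

class LoginAttempt:
    """App side: one pad per login attempt, held only in memory."""
    def __init__(self, pad=None):
        self._pad = pad if pad is not None else secrets.token_bytes(32)

    def pad_hex(self) -> str:
        # Assumption: the app passes this to the server when it opens the login page.
        return self._pad.hex()

    def finish(self, redirect_url: str) -> str:
        if self._pad is None:
            raise RuntimeError("pad already used")
        parts = urlsplit(redirect_url)
        if parts.scheme != "zulip":
            raise ValueError("unexpected scheme")
        field = parse_qs(parts.query)["encrypted_key"][0]  # hypothetical name
        pad, self._pad = self._pad, None  # one-time: drop the pad after use
        return xor_bytes(bytes.fromhex(field), pad).decode("ascii")

def server_redirect(api_key: str, pad_hex: str) -> str:
    """Server side: XOR the credential with the app's pad, return a zulip: URL."""
    encrypted = xor_bytes(api_key.encode("ascii"), bytes.fromhex(pad_hex))
    return "zulip://login?" + urlencode({"encrypted_key": encrypted.hex()})

if __name__ == "__main__":
    api_key = "k" * 32  # constructed sample credential, not a real key
    attempt = LoginAttempt()
    url = server_redirect(api_key, attempt.pad_hex())
    # Any app registered for zulip: may be handed this URL, but without the
    # pad the field is indistinguishable from random bytes.
    print("redirect URL:", url)
    print("app with the pad recovers the key:", attempt.finish(url) == api_key)
```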