Auto log-in user on PWA app

Hmm .. I am not sure if I understand this suggestion.

So far my workflow is:
  1. Start a browser (usually Chrome) on my smartphone
  2. Log into a XenForo and make sure checkbox "Stay logged in" is checked
  3. Click "Install the app" in the burger menu
  4. Close the browser
At this point the PWA is installed, I can lauch it from my homescreen / apps menu and I am logged in.

Why would I need a token to log me in, what would be the benefit?
 
Last edited:
Kirby said:
Hmm .. I am not sure if I understand this suggestion.

So far my workflow is:
  1. Start a browser (usually Chrome) on my smartphone
  2. Log into a XenForo and make sure checkbox "Stay logged in" is checked
  3. Click "Install the app" in the burger menu
  4. Close the browser

At this point the PWA is installed, I can lauch it from my homescreen / apps menu and I am logged in.

Why would I need a token to log me in, what would be the benefit?
Click to expand...
Because on iOS when you install the PWA, you end up with an app that you aren't logged into. Probably something to do with iOS keeping "apps" isolated from each other (a PWA app isn't going to be sharing cookies with a browser app for example). Just a guess on the "why", but that makes sense to me knowing how iOS sandboxes apps and their data from each other (a PWA isn't going to inherit any cookies from a browser [and vice versa] because an app can't read another app's data).
 
Thanks for the explanation :)

In this case a one-time token would indeed make sense, though I wouldn't feel comfortable if the token could be used more than once.
 
Kirby said:
Thanks for the explanation :)

In this case a one-time token would indeed make sense, though I wouldn't feel comfortable if the token could be used more than once.
Click to expand...
Ya would definitely need to be single use and expiring as well. Basically just a mechanism to do the initial login is all. After that, the PWA has its own user/session cookies.
 
It’s been a while since I’ve looked at the specifics, but I’m not sure we can vary the manifest for users because I think the WebAPK build/update process for Android expects it to be static. This is why we pull values from the default style and language rather than the visitor's selected style.
 
Last edited:
Was literally just coming here to post that...

Safari on iOS 14 and iPadOS 14 for PWA and Web Developers-firt.dev

New APIs, abilities, bugs, and challenges for Safari and PWAs running in iOS 14 and iPadOS 14 including FaceID and TouchID, Service Worker changes, Geolocation, Performance and more.
firt.dev firt.dev

PWAs share Service Worker's registration and CacheStorage with Safari. This new behavior matches what happens on Android when you install a PWA. However, Cookies, Web Storage, and IndexedDB are still isolated and separately from Safari and other icons of the same PWAs. That is, partial storage will be available when you open a PWA from the home screen.
Click to expand...
 
Jeremy P said:
It’s been a while since I’ve looked at the specifics, but I’m not sure we can vary the manifest for users because I think the WebAPK build/update process for Android expects it to be static. This is why we pull values from the default style and language rather than the visitor's selected style.
Click to expand...
Not sure if relevant but the manifest now
supports an ID field which we now include. That perhaps means it’s safer to have a dynamic start_url but not entirely comfortable as it doesn’t feel like that’s what it should be used for.

CacheStorage might be worth looking at.
 
Did a basic test and it doesn't look like localStorage is shared between Safari and PWA app in 16.4.

Staring Episode 2 GIF by The Office
 
Chris D said:
That perhaps means it’s safer to have a dynamic start_url but not entirely comfortable as it doesn’t feel like that’s what it should be used for.
Click to expand...
If memory serves (and it very well may not), the issue was Google distributing a single WebAPK for all users (and any manifest changes are detected as updates that should be pushed to all users). And this "implementation detail" was buried in some issue tracker somewhere rather than being properly documented, so I'm not sure if that still is (or ever was) entirely accurate.

I guess we could special-case Safari manifests, but I think CacheStorage is likely a more appropriate mechanism for implementing this.
 
I found a simpler test/demo someone else made (mine was hidden behind some user authentication), and it doesn't seem to work in their demo either:

App

oceanic-join.surge.sh oceanic-join.surge.sh

That was supposed to be a demo of how to get data between Safari and PWA standalone app. Was from 2018, so I'm guessing it used to work before they changed everything in 16.4.

www.netguru.com

How to Share Cookie or State Between Progressive Web Application in Standalone Mode and Safari on iOS

Sharing data between PWA in standalone mode and Safari seems impossible, but there is a simple workaround to enable you to take PWA on iOS to next level!
www.netguru.com www.netguru.com
 
Last edited:
Chris D said:
Not sure if relevant but the manifest now
supports an ID field which we now include. That perhaps means it’s safer to have a dynamic start_url but not entirely comfortable as it doesn’t feel like that’s what it should be used for.

CacheStorage might be worth looking at.
Click to expand...
Was reading more documentation on the id property (which Safari supports), and it does seem to me that using id as the unique identifier and back to my original idea for a single-use/expiring token in the start_url might be the best route.

Even if CacheStorage starts working for Safari -> PWA handoff, it's incredibly hacky. Storing the content of a fake URL so you can read in that page content from browser cache later is well... pretty ugly (even if it worked).

Not sure about the intricacies with Google distributing a single WebAPK to all users, but from what I've been skimming, it looks like Google has switched to using id instead of start_url as the unique manifest identifier in Chrome 96.

I found a lot of stuff talking about how it might be best to generate the id in the manifest file with the registered user's ID. Not sure it would be of much use for normal users, but one interesting thing you can do with that is install two different PWA instances (if they have a unique ID set) where you are getting push notifications and things for different users (you can log in as different users in that scenario since they are considered different "apps"). My point is that maybe Google generating a single WebAPK for all users isn't a thing anymore? If it did, wouldn't that be a limitation on Android where you can't have two unique PWA instances for a single site?

Another possible option would be to simply let Android generate a new WebAPK after the browser -> PWA onboarding... onboarding token included initially but then if the request for the manifest file is coming from something already in PWA mode, don't include the onboarding token... goes back to "normal" then at the expense of Android needing to rebuild the WebAPK once after the fact.

Some stuff for reference:

iOS PWA Compatibility-firt.dev

What's supported on Safari on iOS and iPadOS for Progressive Web Apps
firt.dev firt.dev

Uniquely identifying PWAs with the web app manifest id property | Capabilities | Chrome for Developers

The optional `id` property is part of the web app manifest spec, and allows you to explicitly define the identifier used for your PWA. Adding the `id` property to the manifest removes the dependency on the `start_url` or the location of the manifest, and makes it possible for them to be updated...
developer.chrome.com developer.chrome.com

blog.lukaszolejnik.com

Tracking users with rogue Progressive Web Applications

Welcome to the privacy analysis of Progressive Web Applications. With new features in steady supply, the web is changing in exciting ways. One of the more interesting trends is the concept of Progressive Web Applications (PWA). PWAs use modern and powerful web features to further blur the...
blog.lukaszolejnik.com
 
Last edited:
digitalpoint said:
My point is that maybe Google generating a single WebAPK for all users isn't a thing anymore? If it did, wouldn't that be a limitation on Android where you can't have two unique PWA instances for a single site?
Click to expand...
I believe older versions of Chrome used the start_url to uniquely identify a PWA, and newer versions use the id and fall back to the start_url. I still don't think you can have multiple instances with the same identifier, but I imagine you could work around this by varying the identifier if you really wanted to (probably a niche use case).

digitalpoint said:
Another possible option would be to simply let Android generate a new WebAPK after the browser -> PWA onboarding... onboarding token included initially but then if the request for the manifest file is coming from something already in PWA mode, don't include the onboarding token... goes back to "normal" then at the expense of Android needing to rebuild the WebAPK once after the fact.
Click to expand...
As far as I know Android doesn't have this problem to begin with because it shares cookies/caches between Chrome and the PWA, so you maintain the session when you install it already. So we'd only really need to vary the manifest for Safari, which I suppose is technically feasible if there's no solid alternative.
 
Jeremy P said:
I believe older versions of Chrome used the start_url to uniquely identify a PWA, and newer versions use the id and fall back to the start_url. I still don't think you can have multiple instances with the same identifier, but I imagine you could work around this by varying the identifier if you really wanted to (probably a niche use case).
Click to expand...
Ya, that was my understanding too.

Jeremy P said:
As far as I know Android doesn't have this problem to begin with because it shares cookies/caches between Chrome and the PWA, so you maintain the session when you install it already. So we'd only really need to vary the manifest for Safari, which I suppose is technically feasible if there's no solid alternative.
Click to expand...
Ya, although I'm not sure you'd want to to put an onboarding token all the time for Safari... Just initially when the user is logged in but not already in PWA mode. Seems like generating new/spewing out unnecessary tokens whenever the manifest is requested from the PWA (like to check for an update) could be a potential security risk/attack vector. At that point maybe it's better to just do the same handoff mechanism (if token exists, ignore cookies and use single-use token), and then the manifest falls back to not having a token when requested by an existing PWA instance. The bonus of that would be that it would still work on Android or other platforms if they ever take a more sandboxed approach to PWA (I could see that happening someday with all the privacy changes happening in the world).
 
digitalpoint said:
Just initially when the user is logged in but not already in PWA mode. [..] At that point maybe it's better to just do the same handoff mechanism (if token exists, ignore cookies and use single-use token), and then the manifest falls back to not having a token when requested by an existing PWA instance
Click to expand...
Hmm ... how would you distinguish a "PWA Manifest Request" from a "Non-PWA Manifest Request" (which should contain the token)?
 
Kirby said:
Hmm ... how would you distinguish a "PWA Manifest Request" from a "Non-PWA Manifest Request" (which should contain the token)?
Click to expand...
Not sure, I doubt it's as easy as a different user agent, but I haven't looked into it. I know you can detect standalone mode via JavaScript, so it could probably be done with some creativity within the service_worker.js where you intercept the request, check if it's PWA and add something to the request.
 

Similar threads

digitalpoint
  • Suggestion Suggestion
Prominent push notification request if in PWA app
Replies
6
Views
804
Mendalla
Mendalla
digitalpoint
Confirmed Use statechange listener in PWA app
Replies
11
Views
1K
digitalpoint
digitalpoint
Back
Top Bottom