Hello! I stumbled across your repo after looking through https://dzone.com/articles/draft-an-angular-pwa-from-frontend-to-backend-the because I was curious how to accomplish the similar task of how to allow offline use of at least a portion of the angular app I'm building for work. Sometimes, our technicians will be in a setting where the internet is not available. We have a feature module that we recently added to our angular app that is basically a specific engineering calculation calculator. At first, we were writing an electron application, but decided to move the functionality to our website and attempt to build a PWA that allowed offline access instead. Managing more than one application with the size of our development team seemed infeasible, especially if the electron app doesn't really have a ton of functionality on its own.
We use Azure AD B2C for authentication when the user is online, so we don't actually have a login form of our own as we use the redirect flow for B2C authentication. Hence, I'm contemplating what the best (convenient, yet secure) user experience is for logging in while offline. So far, I'm thinking that for offline use, a separate password just for offline use could be created at first, and the user would have to use that password instead of their B2C password to authenticate offline.
I'm using this repo as inspiration for implementing this, but I'm a bit confused about something in your login component. There is a login and a sign-in. What are the differences there? It isn't immediately obvious to me why there is a tab for logging in and a tab for signing in. Is sign-in actually a sign-up flow in this app? I notice that the sign-in form has a password confirmation field in addition to the password field.
In addition to this question, I was wondering if you see any problems with the approach I'm trying to take here. Our angular app never sees the B2C password, so I can't easily use their existing password for the local login unless I ask them to give it to me again once in the angular app. I'm thinking that when the app recognizes the user is offline, it could go to a new login component in the angular app similar to the one in this repo, and the user could create a secure password or provide their own if they don't already exist in the local-db, otherwise login with the password they chose to use for offline local login.
Are you aware of any issues with the browser's window.crypto in terms of security? Would the only thing I should really be concerned with be brute force password detection? I'm not really savvy when it comes to security in general, and I have to admit I'm not at all sure how this hides a user's password. I know it uses encryption, but how does the encryption stay secure if everything is client side? What prevents a "bad guy" from decrypting encrypted information if everything is client-side?
I'm really sorry for the long message here, and if you have the time to respond, I would greatly appreciate it. If you don't have the time to respond, I still greatly appreciate you putting all this together and sharing it with the public.