Hi
In a mobile appsheet app each user has to authenticate when they install the app and the first time they use it.
Is there a way to enforce this every time they use the app ?
The reason is that if they lose their phone or have it stolen, the baddy may be able to break the phone’s own security code, and then they would be able to use the app and access potentially sensitive data.
Thanks
1 Like
Edit: the information I provided wasn’t completely accurate. Refer to this topic for a better understanding:
[Check User Auth During Sync](https://community.appsheet.com/t/check-user-auth-during-sync/22104/15) (Feature Requests)
We currently retain user login information in a browser cookie — this ensures that the user doesn’t have to sign in too often. This is maintained for a long time (I think 60 days). When we check app access control permissions, we are currently only checking that the user successfully signed in via that specific Cognito endpoint (but we do not check if they are still valid members). Point taken – we will add that. The refresh token stuff is nothing to do with this. That is meant for a different ki…
To summarize, I’ll quote Praveen:
We check access permissions every time an app is accessed in our cloud service (approximates to every sync, but also a number of other operations). For apps using whitelists, the moment you remove the user from the whitelist, that user will fail on their next sync (which could even be a background sync) and after that the app becomes unusable. For apps using domain auth and groups, it is expensive to check group membership, so we cache this membership for up to 15 mins. Which means that if you remove a user from the group that has access to the app, then within 15 mins, AppSheet will know that this change has happened, and on the next sync, that user’s app stops working. In the case of Cognito, we have not yet implemented groups at all — we’re just associating access with membership in a user pool. As Jonathon pointed out, we are checking for membership during initial access/login, but not during repeated access. We have active dev work to fix that and should be deploying it soon.
1 Like
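To make the revocation lag in Praveen's description concrete, here is a small model of the three access-check modes he lists (whitelist checked on every sync, domain group membership served from a 15-minute cache, and Cognito membership checked only at login) plus the fix he says is in progress. This is an added illustration, not AppSheet's code; the class, method names, the `"cognito_fixed"` mode and the user `alice` are assumptions for the model.

```python
from dataclasses import dataclass, field

GROUP_CACHE_TTL_MIN = 15  # "we cache this membership for up to 15 mins"


@dataclass
class AccessChecker:
    """Toy model (assumption, not AppSheet's implementation) of who may sync.

    mode: "whitelist" | "domain_group" | "cognito_login_only" | "cognito_fixed"
    allowed: the current source of truth (whitelist, group, or user pool)
    """
    mode: str
    allowed: set = field(default_factory=set)
    logged_in: set = field(default_factory=set)
    # user -> (membership result, minute it was cached)
    group_cache: dict = field(default_factory=dict)

    def login(self, user, now_min):
        ok = user in self.allowed  # membership is always checked at login
        if ok:
            self.logged_in.add(user)
        return ok

    def revoke(self, user):
        self.allowed.discard(user)  # admin removes the user at the source

    def sync_allowed(self, user, now_min):
        if self.mode == "whitelist":
            return user in self.allowed  # live check on every sync
        if self.mode == "domain_group":
            cached = self.group_cache.get(user)
            if cached and now_min - cached[1] < GROUP_CACHE_TTL_MIN:
                return cached[0]  # stale answer served until the TTL expires
            fresh = user in self.allowed
            self.group_cache[user] = (fresh, now_min)
            return fresh
        if self.mode == "cognito_login_only":
            return user in self.logged_in  # pool membership never re-checked
        if self.mode == "cognito_fixed":
            return user in self.logged_in and user in self.allowed
        raise ValueError(f"unknown mode {self.mode!r}")


def revocation_lag(mode, horizon_min=60):
    """Minutes after revocation during which the removed user can still sync.

    Returns None if the user is never cut off within the horizon.
    """
    ac = AccessChecker(mode, allowed={"alice"})  # constructed sample user
    ac.login("alice", 0)
    ac.sync_allowed("alice", 0)  # first sync populates the group cache
    ac.revoke("alice")
    for t in range(horizon_min + 1):
        if not ac.sync_allowed("alice", t):
            return t
    return None
```

Running `revocation_lag` for each mode reproduces the thread's claims: whitelist cuts off at the next sync, domain groups lag up to 15 minutes, and the login-only Cognito check never revokes a signed-in user until membership is re-checked on sync.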
OK, thanks Mike.
It’s the same issue as if you have the G Drive or G Sheets app on your phone… not surprising I suppose, but it is surprising that it is not addressed by a simple option to say Re-Authenticate at each use!
Sorry Jules, the information I provided could be more accurate. See Praveen’s post further down in the topic I cited:
[Check User Auth During Sync](https://community.appsheet.com/t/check-user-auth-during-sync/22104/22) (Feature Requests)
We check access permissions every time an app is accessed in our cloud service (approximates to every sync, but also a number of other operations). For apps using whitelists, the moment you remove the user from the whitelist, that user will fail on their next sync (which could even be a background sync) and after that the app becomes unusable. For apps using domain auth and groups, it is expensive to check group membership, so we cache this membership for up to 15 mins. Which means that if you re…
For context, I use Cognito, so I have some user auth struggles. But it may be that this concern is currently only with Cognito.
Edit 2020-06-30T06:00:00Z
Issues with Cognito have been addressed:
[Check User Auth During Sync](https://community.appsheet.com/t/check-user-auth-during-sync/22104/23) (Feature Requests)
@Jonathon @Grant_Stead @MultiTech_Visions @Eso_Surveyors Hi All, I have some good news for you. We’ve been working on fixing this issue with Cognito, and it was just released to AppSheet. Here’s what we did: The App Creator will need to provide some extra configuration for the AWS Cognito Auth setup in AppSheet. We need to get an AWS User Key ID and Secret (with AmazonCognitoReadOnly permission in AWS IAM) configured so that we can read the Cognito UserList. We will check that the app…
1 Like
@Jonathon your issue is Cognito-specific and we have ongoing dev work to address it.
@Jules_Lane, I understand your concern. Your email on your phone doesn’t ask you to sign in every time. Your browser retains cookies. The defaults are optimized for convenience, and assume the device-wide security holds. I will ask internally about whether such an option is possible. The other question is what fraction of our customers would use such an option if we were to enable it. The thing that kills a platform is to have hundreds of options, each of which is used by less than 1% of customers. This hasn’t emerged so far as a popular customer feature request. We’re always open to learning more though.
@Adam and @Arthur_Rallu FYI
3 Likes
Thanks Praveen. Yes, I totally understand, but I think it would be a very useful option if it was easy to provide. Thanks for your reply.