GitHub – nraboy/ng-cordova-oauth: AngularJS oauth library for use with Apache Cordova projects

Performance Considerations

Consider the following issues to improve the performance of your mobile applications:

Click versus Touch – Many devices impose a 300ms delay on click events in order to distinguish between a tap and tap-to-zoom gesture. This can have the effect of making your app feel slow and unresponsive. Avoiding this delay is one of the most important ways of improving your app’s perceived performance. For more information on the tap delay, see 300ms tap delay, gone away on the Google Developer site.

A working example

Alternatively, you can inject OauthCordova in the constructor, as shown in the examples above.

Allow list

By default the app’s navigation is unrestricted. It is recommended to restrict navigation to trusted domains only. Learn more by reading the Allow List Guide.

Bower way:

Add this repository as dependency:

This action will set the dependency and add it to the bower.json file.

The JavaScript library must then be added to your index.html file, found in your project’s www directory:

Certificate pinning

Cordova does not support true certificate pinning. The main barrier to this is a lack of native APIs in Android for intercepting SSL connections to perform the check of the server’s certificate. (Although it is possible to do certificate pinning on Android in Java using JSSE, the webview on Android is written in C++, and server connections are handled for you by the webview, so it is not possible to use Java and JSSE there.)

There are ways to approximate certificate pinning, such as checking that the server’s public key (fingerprint) is the expected value when your application starts, or at other points during your application’s lifetime. There are third-party plugins available for Cordova that can do that.

There are also plugins that can do true certificate pinning for some platforms, assuming your app is able to do all of its network requests using the plugin (i.e.: no traditional XHR/AJAX requests, etc).

Chrome remote debugging

Virtually the same as the Safari version, this works with Android only but can be used from any desktop operating system. Once connected, you get the same Chrome Dev Tools experience for your mobile applications as you do with your desktop applications.

Contribution rules

All contributions must be made via the development branch. This keeps the project more maintainable in terms of versioning as well as code control.

If you want to contribute, please use the new file architecture. Each provider needs to live in a separate file following the pattern oauth.<provider name>.js, and must be added to the oauth.providers module as a dependency.

(If you have any doubt about the architecture, take a look at the other providers to see how it is done.)

```javascript
// oauth.js
angular.module("oauth.providers", ["oauth.utils", "oauth.azuread", "oauth.adfs", "oauth.dropbox", "oauth.digitalOcean", "oauth.google", "oauth.github", "oauth.facebook", "oauth.linkedin", "oauth.instagram", "oauth.box", "oauth.reddit", "oauth.slack", "oauth.twitter", "oauth.meetup", "oauth.salesforce", "oauth.strava", "oauth.withings", "oauth.foursquare", "oauth.magento", "oauth.vkontakte", "oauth.odnoklassniki", "oauth.imgur", "oauth.spotify", "oauth.uber", "oauth.windowslive", "oauth.yammer", "oauth.venmo", "oauth.stripe", "oauth.rally", "oauth.familySearch", "oauth.envato", "oauth.weibo", "oauth.jawbone", "oauth.untappd", "oauth.dribble", "<YOUR PROVIDER MODULE HERE>"])
    .factory("$cordovaOauth", cordovaOauth);

function cordovaOauth($q, $http, $cordovaOauthUtility, $azureAD, $adfs, $dropbox, $digitalOcean, $google, $github, $facebook, $linkedin, $instagram, $box, $reddit, $slack, $twitter, $meetup, $salesforce, $strava, $withings, $foursquare, $magento, $vkontakte, $odnoklassniki, $imgur, $spotify, $uber, $windowslive, $yammer, $venmo, $stripe, $rally, $familySearch, $envato, $weibo, $jawbone, $untappd, $dribble, $yourProvider /* <YOUR FACTORY NAME> */) {
    return {
        // A lot of providers...
        yourProvider: $yourProvider.signinFunction
    };
}

// Explicit injection annotation, in the same order as the parameters above,
// so that minification does not break dependency lookup.
cordovaOauth.$inject = ["$q", "$http", "$cordovaOauthUtility", "$azureAD", "$adfs", "$dropbox", "$digitalOcean", "$google", "$github", "$facebook", "$linkedin", "$instagram", "$box", "$reddit", "$slack", "$twitter", "$meetup", "$salesforce", "$strava", "$withings", "$foursquare", "$magento", "$vkontakte", "$odnoklassniki", "$imgur", "$spotify", "$uber", "$windowslive", "$yammer", "$venmo", "$stripe", "$rally", "$familySearch", "$envato", "$weibo", "$jawbone", "$untappd", "$dribble", "<YOUR FACTORY NAME>"];
```

Custom browser window options

Both the browser’s window.open and Cordova’s InAppBrowser support a number of options, which can be passed as the second argument to logInVia. For example, if you don’t want to clear the session cache, or want the toolbar placed at the top on iOS:

The list of all available options can be found in the InAppBrowser plugin documentation.

Debugging cordova apps

In most cases, debugging Cordova apps is quite straightforward.

Do not assume that your source code is secure

  • Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application.

Don’t use eval() unless you know what you’re doing

  • The JavaScript function eval() has a long history of being abused. Using it incorrectly can open your code up for injection attacks, debugging difficulties, and slower code execution.

Encrypted storage

(TBD)

Getting help

The following links are the best places to get help for Cordova:

Have a question or found a bug (compliments work too)?

This project is maintained by Nic Raboy.

Iframes and the callback id mechanism

If content is served in an iframe from a whitelisted domain, that domain will have access to the native Cordova bridge. This means that if you whitelist a third-party advertising network and serve those ads through an iframe, it is possible that a malicious ad will be able to break out of the iframe and perform malicious actions.

Because of this, you should generally not use iframes unless you control the server that hosts the iframe content. Also note that there are third party plugins available to support advertising networks. Note that this statement is not true for iOS, which intercepts everything including iframe connections.

Important note about testing

This library will NOT work with a web browser, ionic serve, ionic live-reload, or ionic view. It MUST be used via installing to a device or simulator.

Keeping up

Here are a few ways to keep up to date with Cordova.

Loading remote content

Invoking Cordova JavaScript functions from a remotely-loaded HTML page (an HTML page not stored locally on the device) is an unsupported configuration. This is because Cordova was not designed for this, and the Apache Cordova community does no testing of this configuration.

While it can work in some circumstances, it is not recommended nor supported. There are challenges with the same origin policy, keeping the JavaScript and native portions of Cordova synchronized at the same version (since they are coupled via private APIs which may change), the trustworthiness of remote content calling native local functions, and potential app store rejection.

The display of remotely-loaded HTML content in a webview should be done using Cordova’s InAppBrowser. The InAppBrowser is designed so that JavaScript running there does not have access to the Cordova JavaScript APIs for the reasons listed above. Please refer to the Security Guide.

Outdated way:

Copy the following file from this repository to your Apache Cordova project:

The JavaScript library must then be added to your index.html file, found in your project’s www directory:

Platform quirks

While reading the documentation, look for sections which outline different behaviors or requirements on multiple platforms. If present, these would be in a section titled “Android Quirks”, “iOS Quirks”, etc. Read through these quirks and be aware of them as you work with Cordova.

Plugin upgrades

Upgrading plugins involves the same process as platforms – remove it, then re-add it.

Refer to Manage versions and platforms for more details.

Be sure to check the updated plugin’s documentation, as you may need to adjust your code to work with the new version. Also, double check that the new version of the plugin works with your project’s version of Cordova.

Always test your apps to ensure that installing the new plugin has not broken something that you did not anticipate.

If your project has a lot of plugins that you need updated, it might save time to create a shell or batch script that removes and adds the plugins with one command.

Requirements

For Cordova application:

For Web application:

  • webpack, systemjs or amd loaders

Safari remote debugging with web inspector

With Safari’s web inspector you can debug the webview and js code in your Cordova application. This works only on macOS. It uses Safari to connect to your device (or the simulator) and will connect the browser’s dev tools to the Cordova application. You get what you expect from dev tools – DOM inspection/manipulation, a JavaScript debugger, network inspection, the console, and more.

Like Xcode, with Safari’s web inspector you can set breakpoints in the JavaScript code and view the state of the variables at that time. You can view any errors, warnings or messages that are printed to the console. You can also run JavaScript commands directly from the console as your app is running.

To start inspecting, first enable it on device at Settings > Safari > Advanced > Web Inspector. On your desktop, enable the developer tools from Safari > Preferences > Advanced > Show Develop menu in menu bar. In the Develop menu, you will now be able to select the connected device, and the app you want to inspect.

Self-signed certificates

Using self-signed certificates on your server is not recommended. If you use SSL/TLS, it is highly recommended that your server have a certificate properly signed by a well-known CA (certificate authority). Because true certificate pinning is not available, the CA signature is the only thing standing between the app and an interception proxy, which makes this important.

Special considerations

Although Cordova makes cross-platform development easier, it’s just not possible to provide 100% isolation from the underlying native platform, so do be aware of restrictions.

Testing cordova apps

Testing your applications is essential. The Cordova team uses Jasmine, but any web-friendly unit testing solution will do.

Testing on a simulator vs. on a real device

It’s not uncommon to use desktop browsers and device simulators/emulators when developing a Cordova application. However, it is incredibly important that you test your app on as many physical devices as you possibly can:

This guide discusses the following topics:

  • Allow List
  • Iframes and the Callback Id Mechanism
  • Certificate Pinning
  • Self-signed Certificates
  • Encrypted storage
  • General Tips
  • Recommended Articles and Other Resources

Use inappbrowser for outside links

  • Use the InAppBrowser when opening links to any outside website. This is much safer than whitelisting a domain name and including the content directly in your application because the InAppBrowser will use the native browser’s security features and will not give the website access to your Cordova environment. Even if you trust the third party website and include it directly in your application, that third party website could link to malicious web content.
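The helper below is an added example of that advice, and also of the option string described under "Custom browser window options" above; it is not code from the Cordova docs or from this library. It refuses anything that is not an absolute http(s) URL (so javascript:, file:, data: and relative targets never reach the webview), builds the InAppBrowser option string from hardened defaults, and calls the plugin's open function. The option names (location, clearcache, clearsessioncache, hidden, toolbarposition) are the InAppBrowser plugin's; the optional `open` parameter is an injection seam assumed here so the function can be exercised without a device, and the names SECURE_DEFAULTS, buildBrowserOptions, isExternalHttpUrl and openExternal are chosen for this example.

```javascript
// Added example: open outside links via the InAppBrowser with hardened options.
var SECURE_DEFAULTS = {
  location: "yes",          // show the URL bar so users can see where they are
  clearcache: "yes",        // no cached pages shared between sessions
  clearsessioncache: "yes", // no cookies carried over from a previous session
  hidden: "no"
};

// Serialize an options object into the "key=value,key=value" string that
// InAppBrowser (and window.open) expect; later keys override the defaults.
function buildBrowserOptions(overrides) {
  var merged = Object.assign({}, SECURE_DEFAULTS, overrides || {});
  return Object.keys(merged).map(function (k) { return k + "=" + merged[k]; }).join(",");
}

// Only absolute http(s) URLs may leave the app. Anything else could load local
// content or run script inside the app's own origin if it reached the webview.
function isExternalHttpUrl(url) {
  return /^(https?):\/\/[^\s/?#]+/i.test(String(url));
}

// open(url, target, options) defaults to window.cordova.InAppBrowser.open when
// running inside Cordova; pass a fake for tests.
function openExternal(url, overrides, open) {
  if (!isExternalHttpUrl(url)) {
    throw new Error("refusing to open non-http(s) URL: " + url);
  }
  if (!open) {
    if (typeof window === "undefined" || !window.cordova || !window.cordova.InAppBrowser) {
      throw new Error("InAppBrowser plugin not available");
    }
    open = window.cordova.InAppBrowser.open;
  }
  return open(url, "_blank", buildBrowserOptions(overrides));
}
```

For an OAuth login window you usually want clearsessioncache=yes so a previous user's session is not silently reused; for a plain outside link, location=yes is the important default, since it lets the user see the real address of the page they were sent to.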

Using ng2-cordova-oauth in your project

Each web service API acts independently in this library. However, when configuring each web service, one thing must remain consistent.

Version history

View CHANGELOG

Xcode

With Xcode you can debug the iOS native side of your Cordova application. Make sure the Debug Area is showing (View -> Debug Area). Once your app is running on the device (or simulator), you can view log output in the debug area. This is where any errors or warnings will print.

You can also set breakpoints within the source files. This will allow you to step through the code one line at a time and view the state of the variables at that time. The state of the variables is shown in the debug area when a breakpoint is hit. Once your app is up and running on the device, you can bring up Safari’s web inspector (as described below) to debug the webview and JS side of your application. For more details refer to the Apple Debugging Support docs.
