How to secure credentials in app

Hello everyone,

I am currently developing an app that access files via webdav of users.
Therefore users should be able to sign in on first use by using app passwords from nextcloud.
Problem being, that I (for obvious security reasons) don’t want to save credentials in plaintext, but don’t want the user to enter the credentials after every start.
I already looked into the LoginFlow (Login Flow — Nextcloud latest Developer Manual latest documentation). and also reasearched that the best practice would be the use of tokens.

  • Are app passwords in nextcloud an equivalent to tokens?
  • Would it be safe to gather the app password, save it (in plaintext) at the client and use it every time a new webdav connection is established?
  • If it’s not save, what other method should I use?

I thought about hashing the app password, but the Flow Login doesn’t document anything in that regard.

Any help is much appreciated.
Thanks in advance!

App passwords and tokens are pretty much synonyms.

The app passwords should be saved as secure as possible. This then depends on the platform and what measures it provides to save things securely.

Thanks for the response!
So in case of a web application could I just store it (password and username) in the local storage?
Signing in via a hashed password doesn’t seem to be an option right?
Do I have to handle session management?