I am currently developing an app that accesses users' files via WebDAV.
Therefore, users should be able to sign in on first use by using app passwords from Nextcloud.
The problem is that I (for obvious security reasons) don’t want to save credentials in plaintext, but also don’t want the user to enter the credentials after every start.
I already looked into the LoginFlow (Login Flow — Nextcloud latest Developer Manual latest documentation) and also researched that the best practice would be the use of tokens.
- Are app passwords in Nextcloud an equivalent to tokens?
- Would it be safe to gather the app password, save it (in plaintext) at the client and use it every time a new WebDAV connection is established?
- If it’s not safe, what other method should I use?
I thought about hashing the app password, but the Flow Login doesn’t document anything in that regard.
Any help is much appreciated.
Thanks in advance!