Remove Realm Sync Data At LogOut()

Open BlueMilkApps opened this issue 7 years ago • 9 comments

Goals

For security reasons, Realm sync data should be removed at logOut(). This is especially handy when developing a secure app or something in the healthcare market.

Expected Results

Sync'd realm on device is deleted at logOut().

Actual Results

Realm sits around until next launch.

Steps to Reproduce

View the Documents/realm-object-server folder on device in the app's sandbox as you log on, access a sync realm, and log off.

Version of Realm and Tooling

  • Realm Object Server Version: 1.4.1
  • Flavor:
    • [X] Developer
    • [ ] Professional
    • [ ] Enterprise
  • Server OS & Version: ? (e.g. CentOS 6)
  • Client SDK Version: Latest
  • Client OS & Version: ?

BlueMilkApps avatar Apr 30 '17 12:04 BlueMilkApps

One possibility is to delete the Realm at log out. However, what about the security issue when the app terminates before log out? Shouldn't the Realm be deleted there as well?

What about encrypting the Realm? Wouldn't that give higher security?

morten-krogh avatar May 01 '17 09:05 morten-krogh

If the app terminates before log out, then the user is still probably logged in at next launch.

Definitely encrypting realm, which is already a useful option for those that need it. That solves most problems. But from a housecleaning perspective, I would expect the files to be gone after logout vs next app startup. Apps on iOS don't "restart" as often in userland either, although I'm not sure when this currently triggers (notification or didfinishlaunching).

BlueMilkApps avatar May 01 '17 10:05 BlueMilkApps

One possibility is for the app to explicitly delete the Realm after logout. That could be done at the app level.

Is that what you are looking for? Or would you like some configuration parameter such that the Realm is automatically deleted at log out?

morten-krogh avatar May 01 '17 10:05 morten-krogh

Yes, I can manually code something that does this on logout, but I haven’t tested to see how safe it is after next relaunch (if files are missing, etc.). If not the default, then a parameter might be nice to have Realm do this for you, although the constructor is getting long as it is. I would think most devs would want it to just happen like this.

BlueMilkApps avatar May 01 '17 10:05 BlueMilkApps

Currently, the Realm is supposed to be deleted at next app launch. Does that happen for you?

But you want it to be deleted immediately, right?

morten-krogh avatar May 01 '17 11:05 morten-krogh

Yes.

BlueMilkApps avatar May 01 '17 12:05 BlueMilkApps

I'd like to introduce a method +[RLMRealm deleteRealmAtConfiguration:force:error:] where force would invalidate any existing references to that Realm. If force is false, an error would be reported if there are still Realms open. This method would take care of cleaning up any auxiliary files or metadata for that Realm.

You'd then be able to call that method immediately after logOut. Would that work for you @RiverbayChris?

jpsim avatar May 02 '17 22:05 jpsim

Yes this would be great 👍🏻

BlueMilkApps avatar May 03 '17 10:05 BlueMilkApps

Is it a good approach to clear the DB on sign-in success instead of on logout?

Mr-Ramzan avatar Nov 04 '20 10:11 Mr-Ramzan
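
One way to check the behaviour reported in this issue from outside the app, as an added example that is not part of the original thread or of Realm's own code: a Python audit of the Documents/realm-object-server folder in a copy of the app's sandbox taken after logOut(), separating leftover data files from auxiliary residue. The auxiliary suffixes (.lock, .note, .management), the user-1234 folder and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Names Realm keeps beside "<name>.realm". Assumed on-disk layout; confirm
# against the SDK version you ship.
AUX_SUFFIXES = (".lock", ".note", ".management")


def audit_sync_dir(root):
    """Map each Realm base path under root to what is left of it on disk."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(".realm") and name in filenames:
                found.setdefault(full, {"data": False, "aux": []})["data"] = True
                continue
            for suffix in AUX_SUFFIXES:
                if name.endswith(".realm" + suffix):
                    base = full[: -len(suffix)]
                    found.setdefault(base, {"data": False, "aux": []})["aux"].append(suffix)
        # The .management directory is reported once, not walked into.
        dirnames[:] = [d for d in dirnames if not d.endswith(".realm.management")]
    return found


def verdict(found):
    """'clean', 'aux-only' (metadata residue) or 'data-left' (records on disk)."""
    if not found:
        return "clean"
    return "data-left" if any(e["data"] for e in found.values()) else "aux-only"


def build_sample(container):
    """Constructed sandbox layout for one logged-out user (not real data)."""
    root = os.path.join(container, "Documents", "realm-object-server")
    user_dir = os.path.join(root, "user-1234")  # hypothetical user folder
    os.makedirs(os.path.join(user_dir, "notes.realm.management"))
    for name, body in (("notes.realm", b"\0" * 4096), ("notes.realm.lock", b"")):
        with open(os.path.join(user_dir, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = audit_sync_dir(build_sample(tmp))
        print(verdict(result), result)
```

A "data-left" verdict after logout is the condition the issue describes; "aux-only" means the data file is gone but lock or management files remain.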