
I am new to Electron, but I was thinking about creating a desktop application to sell as a SaaS.

The software will function primarily in an offline state, which brings me to my first concern. If the application is meant to function primarily offline, how does one go about authenticating a user to make sure they have paid for the product or that their subscription is valid in the first place? I mean, what is stopping somebody from digging around in the code and "jailbreaking" the software if it is not exposed to online authentication?

Can anybody explain how authentication generally works in this context?

Is there a way to implement foolproof offline authentication?

oldboy
  • Can you guys explain your close votes? – oldboy Oct 03 '19 at 21:49
  • Yes, the question is too broad. – Yury Tarabanko Oct 03 '19 at 21:49
  • @YuryTarabanko It's simply about authentication? Any suggestions on how I could make it sufficiently specific? – oldboy Oct 03 '19 at 21:50
  • Also it is somewhat contradictory to me. "to sell as a SaaS" and "will function primarily in an offline state". What is "the service" that you are going to provide? The app itself is not a service. – Yury Tarabanko Oct 03 '19 at 21:53
  • @YuryTarabanko It's not contradictory. SaaS is simply the business model, whereas the application is the product. The product, for example, could be a text editor or something else entirely. The nature of the product is irrelevant since I'm asking specifically about how authentication would work regarding an application that is primarily used offline. – oldboy Oct 03 '19 at 21:56
  • Okay okay, business model :) – Yury Tarabanko Oct 03 '19 at 21:59
  • @YuryTarabanko I've edited some of the terminology in the question. Is it still not sufficiently specific for you? – oldboy Oct 03 '19 at 22:23
  • If the application is meant to function offline, and authentication is the only thing that makes it dependent on the back-end, then it potentially can be jail-broken, no matter how hard you'd try to protect it. Even if you use some kind of hardware USB keys, that can be hacked, too. It might be easier to hack an Electron app than, say, a native C++ app, but it doesn't really matter. – noseratio Oct 03 '19 at 22:32
  • @noseratio OK, that's what I thought. What if you wanted to try and make it as invulnerable as possible; would hashing some key and then writing an obscure function to handle it make it a bit more secure? Do you know of any good approaches to this? – oldboy Oct 03 '19 at 22:47
  • @noseratio Or better yet, hashing some file with an expiry date in it that is checked before the program launches? – oldboy Oct 03 '19 at 22:48
  • Personally, I wouldn't add any obscurity; I'd simply implement the standard OAuth2 workflow, as you still need to authenticate users for billing purposes. Check [this](https://stackoverflow.com/questions/55336027/organizing-a-secure-channel-between-a-web-app-and-a-native-app) for some ideas on how to do this for a desktop app. If someone hacks your app, strips out the auth and any telemetry collection logic, then starts pirating your app in that form... oh well then, just let it go :) – noseratio Oct 03 '19 at 23:00
  • @noseratio Hmm, I'll check it out. Appreciate it <3 – oldboy Oct 03 '19 at 23:20
  • no worries, sorry about the typos, typing from my phone – noseratio Oct 03 '19 at 23:44
  • @noseratio Didn't even notice 'em. I'm just pissed there's no effective way to authenticate without being online. – oldboy Oct 03 '19 at 23:52

0 Answers