I was just passing by, and it all looks fine, except for this:
"With the mobile app I send the login and password to the server API."
Never! You hear that, Carl?! NEVER SEND the authorization data to the server WITHOUT PRE-HASHING it on the client side with the server key.
1. Data on the client: hash(USER1:PASSWORD:SKEY:RANDOM),
2. Send to the server: ab1e37ab50c61d8c80fb5cb4b1e3122f:RANDOM
3. On the server, look for a match:
ab1e37ab50c61d8c80fb5cb4b1e3122f === hash(USER:PASSWORD:SKEY:RANDOM) and get the user's account if everything is correct.
Otherwise, yes! Thanks, everything is written quite clearly and correctly!
In general, RFC 6648 only says that this is not recommended, but it is not prohibited. - Allene_Crona78 commented on July 8th 19 at 15:33
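The three steps in the comment above, as an added example that is not part of the original comment or of the article it replies to: a client builds the `hash:RANDOM` message from USER:PASSWORD:SKEY:RANDOM, and a server recomputes the digest for each stored account to find the match. The comment names no hash function (its 32-hex-character sample digest is MD5-length); SHA-256, the `SKEY` value, the account store and the sample credentials are assumptions made for this example. Because step 3 recomputes hash(USER:PASSWORD:SKEY:RANDOM), the server side has to hold each user's password together with the server key, and since the user name itself is never transmitted, the account is found by trying every stored record.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# The "server key" (SKEY) from the comment. In the scheme described it is known
# to the mobile client as well as to the server. This value is a made-up constant.
SKEY = "example-server-key"


def digest(user: str, password: str, skey: str, random: str) -> str:
    """hash(USER:PASSWORD:SKEY:RANDOM) with ':' separators, as in the comment.

    The comment does not name a hash function; SHA-256 is an assumption here.
    """
    material = f"{user}:{password}:{skey}:{random}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def client_login_message(user: str, password: str, skey: str = SKEY,
                         random: Optional[str] = None) -> str:
    """Steps 1 and 2: hash on the client, send 'hash:RANDOM' (no user name, no password)."""
    if random is None:
        random = secrets.token_hex(16)  # fresh 32-hex-char value per login attempt
    return f"{digest(user, password, skey, random)}:{random}"


def server_lookup(message: str, accounts: Dict[str, str], skey: str = SKEY) -> Optional[str]:
    """Step 3: recompute the digest for every stored account; return the matching user or None.

    hmac.compare_digest is used so that the comparison does not leak timing information
    about how many leading characters of the received digest were correct.
    """
    try:
        received, random = message.split(":", 1)
    except ValueError:
        return None  # malformed message: no ':' separator
    for user, password in accounts.items():
        expected = digest(user, password, skey, random)
        if hmac.compare_digest(expected, received):
            return user
    return None


# Constructed sample account store. The passwords are stored as-is because the
# server must be able to recompute hash(USER:PASSWORD:SKEY:RANDOM).
ACCOUNTS: Dict[str, str] = {"USER1": "PASSWORD", "USER2": "hunter2"}


def demo() -> Tuple[Optional[str], Optional[str]]:
    """A correct login for USER1 and a failed one with a wrong password."""
    good = client_login_message("USER1", "PASSWORD")
    bad = client_login_message("USER1", "wrong-password")
    return server_lookup(good, ACCOUNTS), server_lookup(bad, ACCOUNTS)


if __name__ == "__main__":
    print(demo())
```

A message produced with a different `SKEY` than the server's, or with a password the server does not have on record, never matches any account, and a message without the `:` separator is rejected before any hashing is done.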