Qiscus Chat SDK Identity Management

In Qiscus Chat SDK, the user is set through the client SDK. Qiscus uses a login_or_register concept for setting up the user in the Qiscus object. The parameters that the client side must pass are 'email' (unique, and functions as the ID of the user), 'password', and 'username'.

The user will be created if the 'email' is not yet registered in the system. This means that the first time you set a specific user, Qiscus SDK registers the user. The next time you set that specific user, Qiscus SDK checks the email and password and authenticates the user if both values match.

Example:


The first time you call

Qiscus.setUser("[email protected]", "uniquevalue").withUsername("My Name")

the user with email [email protected] will be created.

Subsequently, if you call

Qiscus.setUser("[email protected]", "uniquevalue").withUsername("My Name")

the same user will be returned. Meanwhile, if you call

Qiscus.setUser("[email protected]", "notmyuniquevalue").withUsername("My Name")

Qiscus won’t return any user because the email and password don’t match.


Best Qiscus Chat SDK Practice:

If your app has its own authentication system and requires a user to log in and input some verification code, you need to prepare a unique password for each user to login_or_register in Qiscus SDK.

So after the user successfully logs in to your app, you return, along with the successful-login payload, a unique key for each user to be used by Qiscus SDK as a password. This unique value is also stored in the user database on your backend server, since you want to map the user's authentication to Qiscus SDK.

One possible approach is to add an extra column called `qiscus password` to the user table in your backend database for storing this value.

Every time a user logs in using any account, Qiscus SDK will check the password against the unique value that you give. If the value does not match, Qiscus SDK will not return the user.

So you will be in total control of your users’ identity, because the password for each user is unique and known only to your backend servers.

In the event that you feel some of the users’ passwords have been compromised, you can change their passwords via the REST API (https://www.qiscus.com/docs/restapi#login-or-register).

To summarize:

  1. Create a Qiscus user account with a unique password.
  2. Save the password to your secured persistent store.
  3. Load the password in your client and pass it to the Qiscus login method.
  4. For security reasons, we recommend that you periodically update your password via Qiscus REST API (https://www.qiscus.com/docs/restapi#login-or-register) by issuing a new password to replace the previous one.
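
The four steps above, sketched as backend logic in an added example that is not Qiscus code. `FakeQiscus` is a local stand-in that models only the login_or_register behaviour this page describes (it is not the real REST API), and all class, method and field names are assumptions.

```python
import hmac
import secrets


class FakeQiscus:
    """Local stand-in for the login_or_register behaviour described above."""
    def __init__(self):
        self.users = {}  # email -> password

    def login_or_register(self, email, password):
        stored = self.users.setdefault(email, password)  # first call registers
        return email if hmac.compare_digest(stored, password) else None

    def set_password(self, email, password):  # models the REST API password change
        self.users[email] = password


class QiscusPasswordStore:
    """Models the `qiscus password` column in the backend user table."""
    def __init__(self, qiscus):
        self.qiscus = qiscus
        self.column = {}  # email -> Qiscus password issued by the backend

    def on_app_login(self, email):
        """Call only after the app's own authentication has succeeded."""
        if email not in self.column:
            self.column[email] = secrets.token_urlsafe(32)  # 256 bits of randomness
        return {"email": email, "qiscus_password": self.column[email]}

    def rotate(self, email):
        """Update Qiscus first, so a failed call leaves the stored value valid."""
        new_password = secrets.token_urlsafe(32)
        self.qiscus.set_password(email, new_password)  # may raise; column untouched
        self.column[email] = new_password
        return new_password


def demo():
    store = QiscusPasswordStore(FakeQiscus())
    login = store.qiscus.login_or_register
    email = "user@example.test"  # constructed sample address
    old = store.on_app_login(email)["qiscus_password"]
    created = login(email, old)                # first call: user is registered
    again = login(email, old)                  # same values: same user returned
    wrong = login(email, "notmyuniquevalue")   # mismatch: no user returned
    store.rotate(email)
    stale = login(email, old)                  # old password no longer accepted
    fresh = login(email, store.on_app_login(email)["qiscus_password"])
    return created, again, wrong, stale, fresh
```

Generating the value with `secrets` rather than deriving it from the email or user ID keeps it unguessable, and rotating in the order shown means a failed update never leaves the backend holding a password Qiscus does not accept.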