An issue that I feel I may have with my cordova app is being able to properly authenticate requests to the api that is serving data. Right now I'm using standard JWT authentication with an Angular interceptor including the token with every http request to the api. The api (rails) runs a method to validate the token before it passes the request to the proper controller action.
The problem I see is being able to make requests to the api by getting the token from localstorage and making and carrying out requests to the api bypassing pertinent client side validations.
Since Web views are easily accessible in a hybrid app (not being compiled or obfuscated) there really is no way to use Web views to pass a token to the api to make sure that every request to the api is actually coming from the app and not anything else (keeping client side validations in tact and making it easier to beef up validation server side).
A potential solution I came up with is using a cordova plugin (which would use native api's and get compiled when the app is built right?) That also intercepts http requests and sends a hash that changes with each request like 2 factor Auth. This would be checked and validated server side to make sure each request is actually coming from the app.
My question's are: would this be a viable option for proper authentication, is something like this already written. If it hasn't already been done, what would writing a plugin like this entail?
I really appreciate any input!