I’m developing a React Native (Expo) app for an Osclass (PHP) backend, and I’m facing a critical authentication issue. The website’s REST API plugin has no login endpoint; it does not provide a method to verify a plain-text password against the stored Bcrypt ($2y$) hash.
I need to implement a secure login flow, but I have strict project constraints:
No Client-Side Verification: This is insecure as it would expose the hash, and it’s non-functional because it wouldn’t generate the required API token for subsequent requests.
No Server-Side Middleware: I cannot add a custom gateway (e.g., Laravel/Node.js) to handle the login logic.
No WebView: I cannot use a WebView to wrap the website’s existing login form.
Given this technical impasse, is there any established, secure pattern to authenticate a native app under these conditions? Or is the only viable solution to modify the backend PHP plugin to add the missing login functionality?
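The backend-side option raised in the question, sketched as an added example that is not part of the original post and is not Osclass or plugin code: the server verifies the password against the stored `$2y$` hash and issues the API token, so the hash never reaches the app. The `login` and `authenticate` functions, the in-memory user and token arrays, and the one-hour lifetime are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the backend's user table.
// The hash is generated here so the example runs offline; PASSWORD_BCRYPT emits $2y$ hashes.
$users = [
    'alice@example.test' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_BCRYPT)],
];
$tokens = []; // hypothetical token store: sha256(token) => user id and expiry

/** Hypothetical login handler: returns a bearer token on success, null on failure. */
function login(array $users, array &$tokens, string $email, string $password): ?string
{
    // Verify against a dummy hash when the account is unknown, so response
    // time does not reveal which e-mail addresses are registered.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

    $user = $users[strtolower(trim($email))] ?? null;
    $ok = password_verify($password, $user['hash'] ?? $dummy);
    if ($user === null || !$ok) {
        return null; // identical result for unknown user and wrong password
    }

    // 256-bit random token; only its digest is kept server-side, so a leaked
    // token table cannot be replayed against the API.
    $token = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $token)] = ['uid' => $user['id'], 'exp' => time() + 3600];
    return $token;
}

/** Resolve a presented token to a user id, or null if unknown or expired. */
function authenticate(array $tokens, string $token): ?int
{
    $row = $tokens[hash('sha256', $token)] ?? null;
    return ($row !== null && $row['exp'] > time()) ? $row['uid'] : null;
}

$t = login($users, $tokens, 'alice@example.test', 'correct horse');
var_dump($t !== null, authenticate($tokens, $t));             // valid login, token resolves
var_dump(login($users, $tokens, 'alice@example.test', 'x'));  // wrong password
var_dump(login($users, $tokens, 'nobody@example.test', 'x')); // unknown account
```

In a real endpoint this handler would sit behind HTTPS with rate limiting on failed attempts, and the app would keep the returned token in the platform's secure storage rather than in plain app storage.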