@algorandfoundation/react-native-passkey-autofill 0.0.1 → 1.0.0-canary.2

package/.eslintrc.js

@@ -0,0 +1,5 @@
+module.exports = {
+  root: true,
+  extends: ['universe/native', 'universe/web'],
+  ignorePatterns: ['build'],
+};

package/ARCHITECTURE.md

@@ -0,0 +1,67 @@
+# 🏗️ Architecture
+
+This document describes the internal structure of the `react-native-passkey-autofill` module and how it works.
+
+## Project Structure
+
+The project follows the standard layout for an Expo module:
+
+- `src/`: TypeScript source files for the module's JavaScript API.
+- `android/`: Native Android implementation using Kotlin.
+- `ios/`: Native iOS implementation using Swift.
+- `example/`: An example app demonstrating the use of the module.
+
+## How it works
+
+The module provides an interface to interact with native Passkey AutoFill capabilities. It uses Expo's native module system to bridge the JavaScript code with the platform-specific implementations.
+
+### TypeScript Layer (`src/`)
+
+- `index.ts`: The entry point for the module, re-exporting the native module.
+- `ReactNativePasskeyAutofillModule.ts`: Defines the `ReactNativePasskeyAutofillModule` class and its methods (`setMasterKey`, `setHdRootKeyId`, `getHdRootKeyId`, etc.).
+- `ReactNativePasskeyAutofill.types.ts`: Defines types and interfaces used by the module.
+
+### Android Implementation (`android/`)
+
+The Android part is implemented using Kotlin and follows the Android Autofill Framework.
+
+- `ReactNativePasskeyAutofillModule.kt`: The main class that exposes methods to React Native.
+- `service/PasskeyAutofillCredentialProviderService.kt`: Implements the `CredentialProviderService` to handle Passkey AutoFill requests from the Android system.
+- `credentials/`: Contains logic for managing credentials and interacting with the local storage.
+- `GetPasskeyActivity.kt` and `CreatePasskeyActivity.kt`: Activities used to handle the UI flow for getting and creating passkeys.
+
+#### The `CredentialProvider` and Chain of Trust
+
+The `PasskeyAutofillCredentialProviderService` is the core of the Android implementation. It extends the Android Jetpack `CredentialProviderService` to provide passkeys directly to the system's Credential Manager.
+
+##### What is `CredentialProviderService`?
+Introduced in Android 14 (API level 34) and backported to Android 9 via the Jetpack Credentials library, this service allows password managers and other credential providers to integrate with the system's unified sign-in flow. When a user interacts with a sign-in or sign-up field, the system queries registered services to provide available credentials.
+
+##### Handling the Chain of Trust
+The "Chain of Trust" ensures that passkeys are only used by the legitimate owners of a domain or application. This is handled through several layers of validation:
+
+1.  **Digital Asset Links**: For a passkey to be used across a website and an Android app, the website must host a `/.well-known/assetlinks.json` file that explicitly authorizes the Android app (via its package name and certificate fingerprint). This establishes a cryptographically verified link between the web origin and the mobile application.
+2.  **Relying Party ID (rpId) Validation**: When the service receives a `BeginGetCredentialRequest` or `BeginCreateCredentialRequest`, it includes information about the `rpId` (e.g., `example.com`). The system and the provider must ensure that the requesting app is authorized to use credentials for that `rpId`.
+3.  **App Signature Verification**: The Android system verifies the signature of the app requesting the credential. It will only offer credentials to apps that can prove their identity through the Digital Asset Link chain.
+4.  **User Consent**: The `CredentialProviderService` does not directly return the credential. Instead, it returns a list of "Entries" (like `PublicKeyCredentialEntry`). When a user selects an entry, a `PendingIntent` is triggered, which typically launches an activity (like `GetPasskeyActivity`) to perform user verification (e.g., biometric check) before the actual passkey is released to the requesting app.
+
+### iOS Implementation (`ios/`) [WIP]
+
+The iOS part is implemented using Swift.
+
+- `ReactNativePasskeyAutofillModule.swift`: Defines the native module for iOS.
+- `ReactNativePasskeyAutofillView.swift`: If any native views are required.
+
+## Native Module API
+
+The following methods are exposed to the JavaScript layer:
+
+- `setMasterKey(secret: string)`: Sets the master key for credential encryption/decryption.
+- `setHdRootKeyId(id: string)`: Sets the ID for the HD root key.
+- `getHdRootKeyId()`: Retrieves the current HD root key ID.
+- `configureIntentActions(getPasskeyAction: string, createPasskeyAction: string)`: Configures the intent actions used for Passkey flows.
+- `clearCredentials()`: Clears all stored credentials.
+
+## Security Considerations
+
+As this module handles sensitive information (Passkeys), it is crucial to ensure that keys and secrets are handled securely in the native layers. Master keys should be stored in secure storage (like Android Keystore or iOS Keychain).

package/CONTRIBUTING.md

@@ -0,0 +1,72 @@
+# 🤝 Contributing
+
+Contributions are very welcome! Whether you are fixing a bug, adding a feature, or improving documentation, your help is appreciated.
+
+## Getting Started
+
+To get started with the project, follow these steps:
+
+1. **Fork the repository** to your own GitHub account.
+2. **Clone the repository** to your local machine.
+3. **Install dependencies** at the root of the project:
+   ```bash
+   npm install
+   ```
+4. **Build the project**:
+   ```bash
+   npm run build
+   ```
+
+## Development Workflow
+
+### Example App
+
+The project includes an example app in the `example/` directory. You can use it to test your changes.
+
+1. Navigate to the `example/` directory:
+   ```bash
+   cd example
+   ```
+2. Install example dependencies:
+   ```bash
+   npm install
+   ```
+3. Prebuild the example for Android or iOS:
+   ```bash
+   npx expo prebuild
+   ```
+4. Run the example app:
+   ```bash
+   npm run android # for Android
+   # or
+   npm run ios # for iOS
+   ```
+
+### Code Style
+
+- Use Prettier for code formatting (run `npx prettier --write .` if available).
+- Follow existing naming conventions and patterns in the codebase.
+- Ensure all TypeScript types are correctly defined.
+
+For more details on how the project is structured, see the [Architecture Guide](./ARCHITECTURE.md).
+
+## Submitting a Pull Request
+
+1. Create a new branch for your feature or bugfix:
+   ```bash
+   git checkout -b feature/your-feature-name
+   ```
+2. Make your changes and commit them with a descriptive message.
+3. Push your branch to your fork:
+   ```bash
+   git push origin feature/your-feature-name
+   ```
+4. Open a Pull Request on the main repository.
+
+## Reporting Issues
+
+If you find a bug or have a feature request, please open an issue on the GitHub repository. Provide as much detail as possible, including steps to reproduce the issue.
+
+---
+
+Thank you for contributing!

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Algorand Foundation
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,10 +1,78 @@
-# @algorandfoundation/react-native-passkey-autofill
+# 🔑 react-native-passkey-autofill
 
-react-native-passkey-autofill for Algorand (boilerplate 0.0.1).
+Passkey AutoFill for React Native using DP256.
+
+# 🚀 Get Started
+
+For bare React Native projects, you must ensure that you have [installed and configured the `expo` package](https://docs.expo.dev/bare/installing-expo-modules/) before continuing.
+
+### Add the package to your npm dependencies
+
+```bash
+npm install react-native-passkey-autofill
+```
+
+### Configure for Android
+
+To use this module on Android, you need to configure the AutoFill service in your `AndroidManifest.xml` or via the Expo plugin.
+
+#### Expo Plugin Configuration
+
+If you are using Expo, you can configure the plugin in your `app.json` or `app.config.js`:
+
+```json
+{
+  "expo": {
+    "plugins": [
+      [
+        "react-native-passkey-autofill",
+        {
+          "site": "https://your-fido-server.com",
+          "label": "My Custom Credential Provider"
+        }
+      ]
+    ]
+  }
+}
+```
+
+- `site`: The URL of your FIDO server (default: `https://fido.shore-tech.net`).
+- `label`: The name of the credential provider as it appears in Android settings (default: `My Credential Provider`).
 
 ## Usage
 
-```js
-const packageName = require('@algorandfoundation/react-native-passkey-autofill');
-console.log(packageName());
+```typescript
+import ReactNativePasskeyAutofill from '@algorandfoundation/react-native-passkey-autofill';
+
+// 1. Set the master key for encryption (hex string)
+await ReactNativePasskeyAutofill.setMasterKey(masterKeyHex);
+
+// 2. Set the HD root key ID if applicable
+await ReactNativePasskeyAutofill.setHdRootKeyId(hdRootKeyId);
+
+// 3. Configure intent actions for the Passkey flows
+await ReactNativePasskeyAutofill.configureIntentActions(
+  'your.package.name.GET_PASSKEY',
+  'your.package.name.CREATE_PASSKEY'
+);
+
+// Optional: Clear credentials
+await ReactNativePasskeyAutofill.clearCredentials();
 ```
+
+# 🤝 Contributing
+
+Contributions are very welcome! Please refer to guidelines described in the [contributing guide](./CONTRIBUTING.md).
+
+# 💖 Acknowledgements
+
+This has been the commination of many different efforts and ideas. We would like to thank the following individuals and organizations for their contributions:
+
+- [Bruno Martins](https://github.com/bmartins) the architect at [Algorand Foundation](https://github.com/algorandfoundation) for conceptualizing and guiding the project.
+- [HashMapsData2Value](https://github.com/HashMapsData2Value) for his guidance and support in DP256 and XHD and his work on the native autofill libraries.
+- [Will Beaumont](https://github.com/mjbeau) for working though integration within the Pera wallet
+- [Michael T Chuang](https://github.com/michaeltchuang) for his work in KMP integrations and client libraries.
+
+# 📄 License
+
+This project is licensed under the Apache-2.0 License - see the [LICENSE](./LICENSE) file for details.

package/android/build.gradle

@@ -0,0 +1,68 @@
+apply plugin: 'com.android.library'
+
+group = 'co.algorand.passkeyautofill'
+version = '0.1.0'
+
+def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
+apply from: expoModulesCorePlugin
+applyKotlinExpoModulesCorePlugin()
+useCoreDependencies()
+useExpoPublishing()
+
+// If you want to use the managed Android SDK versions from expo-modules-core, set this to true.
+// The Android SDK versions will be bumped from time to time in SDK releases and may introduce breaking changes in your module code.
+// Most of the time, you may like to manage the Android SDK versions yourself.
+def useManagedAndroidSdkVersions = false
+if (useManagedAndroidSdkVersions) {
+  useDefaultAndroidSdkVersions()
+} else {
+  buildscript {
+    // Simple helper that allows the root project to override versions declared by this library.
+    ext.safeExtGet = { prop, fallback ->
+      rootProject.ext.has(prop) ? rootProject.ext.get(prop) : fallback
+    }
+  }
+  project.android {
+    compileSdkVersion safeExtGet("compileSdkVersion", 36)
+    defaultConfig {
+      minSdkVersion safeExtGet("minSdkVersion", 24)
+      targetSdkVersion safeExtGet("targetSdkVersion", 36)
+    }
+  }
+}
+
+android {
+  namespace "co.algorand.passkeyautofill"
+  defaultConfig {
+    versionCode 1
+    versionName "0.1.0"
+  }
+  lintOptions {
+    abortOnError false
+  }
+  kotlinOptions {
+    freeCompilerArgs += ["-opt-in=kotlin.time.ExperimentalTime", "-opt-in=kotlin.RequiresOptIn"]
+  }
+}
+
+dependencies {
+  implementation "androidx.credentials:credentials:1.3.0"
+  implementation "androidx.credentials:credentials-play-services-auth:1.3.0"
+  implementation "androidx.appcompat:appcompat:1.7.0"
+  implementation "androidx.activity:activity-ktx:1.8.2"
+  implementation "androidx.lifecycle:lifecycle-viewmodel-ktx:2.8.4"
+  implementation "androidx.lifecycle:lifecycle-runtime-ktx:2.8.4"
+  implementation "io.github.zhongwuzw:mmkv:2.3.0"
+  implementation "org.bouncycastle:bcprov-jdk18on:1.78.1"
+  implementation "androidx.datastore:datastore-preferences:1.1.1"
+  implementation(name: 'dP256Android-release', ext: 'aar')
+  implementation fileTree(dir: 'libs', include: ['*.jar'])
+  implementation "org.jetbrains.kotlinx:kotlinx-coroutines-android:1.8.0"
+  implementation "org.jetbrains.kotlinx:kotlinx-coroutines-core:1.8.0"
+}
+
+repositories {
+  flatDir {
+    dirs 'libs'
+  }
+}

package/android/src/main/AndroidManifest.xml

@@ -0,0 +1,32 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+          xmlns:tools="http://schemas.android.com/tools">
+    <application>
+        <service
+            android:name=".service.PasskeyAutofillCredentialProviderService"
+            android:enabled="true"
+            android:exported="true"
+            android:label="@string/passkey_autofill_label"
+            android:icon="@mipmap/ic_launcher"
+            android:permission="android.permission.BIND_CREDENTIAL_PROVIDER_SERVICE"
+            tools:targetApi="upside_down_cake">
+            <intent-filter>
+                <action android:name="android.service.credentials.CredentialProviderService" />
+            </intent-filter>
+            <meta-data
+                android:name="android.credentials.provider"
+                android:resource="@xml/provider" />
+        </service>
+        <activity android:name=".GetPasskeyActivity" android:exported="true">
+            <intent-filter>
+                <action android:name="co.algorand.passkeyautofill.GET_PASSKEY"/>
+                <category android:name="android.intent.category.DEFAULT"/>
+            </intent-filter>
+        </activity>
+        <activity android:name=".CreatePasskeyActivity" android:exported="true">
+            <intent-filter>
+                <action android:name="co.algorand.passkeyautofill.CREATE_PASSKEY"/>
+                <category android:name="android.intent.category.DEFAULT"/>
+            </intent-filter>
+        </activity>
+    </application>
+</manifest>