@explorins/pers-sdk-react-native 1.5.25 → 1.5.27

package/src/storage/rn-secure-storage.ts

@@ -0,0 +1,110 @@
+import * as Keychain from 'react-native-keychain';
+import AsyncStorage from '@react-native-async-storage/async-storage';
+import { 
+  TokenStorage, 
+  DPOP_STORAGE_KEYS, 
+  AUTH_STORAGE_KEYS 
+} from '@explorins/pers-sdk/core';
+
+/**
+ * Secure Storage implementation for React Native
+ * Uses Keychain/Keystore for sensitive data and AsyncStorage for non-sensitive data.
+ */
+export class ReactNativeSecureStorage implements TokenStorage {
+  // Set to false because Keychain stores strings, so we need extractable (serializable) keys
+  readonly supportsObjects = false;
+  
+  // Define which keys MUST go to secure hardware storage
+  private readonly SECURE_KEYS = new Set([
+     DPOP_STORAGE_KEYS.PRIVATE,
+     AUTH_STORAGE_KEYS.ACCESS_TOKEN,
+     AUTH_STORAGE_KEYS.REFRESH_TOKEN,
+     AUTH_STORAGE_KEYS.PROVIDER_TOKEN
+  ]);
+
+  constructor(private keyPrefix: string = 'pers_tokens_') {}
+
+  async set(key: string, value: unknown): Promise<void> {
+    const prefixedKey = this.getKeyName(key);
+    const stringValue = typeof value === 'string' ? value : JSON.stringify(value);
+
+    // Cast key to any to bypass strict literal type checking of the Set.has method
+    // In runtime, 'key' is just a string, so this is safe.
+    if (this.SECURE_KEYS.has(key as any)) {
+      // Store in Keychain/Keystore
+      // Service name acts as the key identifier in simple usage
+      await Keychain.setGenericPassword(prefixedKey, stringValue, { service: prefixedKey });
+    } else {
+      // Store standard config/metadata in AsyncStorage
+      await AsyncStorage.setItem(prefixedKey, stringValue);
+    }
+  }
+
+  async get(key: string): Promise<unknown | null> {
+    const prefixedKey = this.getKeyName(key);
+
+    if (this.SECURE_KEYS.has(key as any)) {
+      try {
+        const credentials = await Keychain.getGenericPassword({ service: prefixedKey });
+        if (credentials) {
+            return this.tryParse(credentials.password);
+        }
+        return null;
+      } catch (e) {
+        console.warn(`[ReactNativeSecureStorage] Failed to access keychain for ${key}`, e);
+        return null; // Key not found or access denied
+      }
+    } else {
+      try {
+        const val = await AsyncStorage.getItem(prefixedKey);
+        return val ? this.tryParse(val) : null;
+      } catch (e) {
+        console.warn(`[ReactNativeSecureStorage] Failed to access AsyncStorage for ${key}`, e);
+        return null;
+      }
+    }
+  }
+
+  async remove(key: string): Promise<void> {
+    const prefixedKey = this.getKeyName(key);
+
+    if (this.SECURE_KEYS.has(key as any)) {
+      await Keychain.resetGenericPassword({ service: prefixedKey });
+    } else {
+      await AsyncStorage.removeItem(prefixedKey);
+    }
+  }
+
+  async clear(): Promise<void> {
+    // Clear all known secure keys
+    for (const key of this.SECURE_KEYS) {
+        await Keychain.resetGenericPassword({ service: this.getKeyName(key) });
+    }
+    
+    // Clear AsyncStorage keys related to PERS
+    try {
+      const allKeys = await AsyncStorage.getAllKeys();
+      const ourKeys = allKeys.filter(k => k.startsWith(this.keyPrefix));
+      if (ourKeys.length > 0) {
+        await AsyncStorage.multiRemove(ourKeys);
+      }
+    } catch (e) {
+      console.warn('[ReactNativeSecureStorage] Failed to clear AsyncStorage', e);
+    }
+  }
+
+  private getKeyName(key: string): string {
+    // For Keychain, we might want to avoid prefixes if we want to share across apps, 
+    // but for simple isolation, prefix is fine to avoid collisions if multiple instances exist.
+    // However, Keychain services are global to the app bundle ID usually.
+    return `${this.keyPrefix}${key}`;
+  }
+
+  private tryParse(val: string): unknown {
+      try {
+          return JSON.parse(val);
+      } catch {
+          return val;
+      }
+  }
+}