expo-secure-store 11.0.3 → 11.1.0

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+### 🎉 New features
+
+- Added `requireAuthentication` and `authenticationPrompt` parameters to `SecureStoreOptions` options object used in `SecureStore.{deleteItemAsync, getItemAsync, setItemAsync}` methods to enable user authentication while accessing Secure Store. ([#14512](https://github.com/expo/expo/pull/14512) by [@j-piasecki](https://github.com/j-piasecki))
+
 ## Unpublished
 
 ### 🛠 Breaking changes
@@ -10,11 +14,7 @@
 
 ### 💡 Others
 
-## 11.0.3 — 2021-10-21
-
-_This version does not introduce any user-facing changes._
-
-## 11.0.2 — 2021-10-15
+## 11.1.0 — 2021-12-03
 
 _This version does not introduce any user-facing changes._
 

package/README.md

@@ -13,7 +13,7 @@ For managed [managed](https://docs.expo.io/versions/latest/introduction/managed-
 
 # Installation in bare React Native projects
 
-For bare React Native projects, you must ensure that you have [installed and configured the `react-native-unimodules` package](https://github.com/expo/expo/tree/master/packages/react-native-unimodules) before continuing.
+For bare React Native projects, you must ensure that you have [installed and configured the `expo` package](https://docs.expo.dev/bare/installing-expo-modules/) before continuing.
 
 ### Add the package to your npm dependencies
 

package/android/build.gradle

@@ -3,7 +3,7 @@ apply plugin: 'kotlin-android'
 apply plugin: 'maven'
 
 group = 'host.exp.exponent'
-version = '11.0.3'
+version = '11.1.0'
 
 buildscript {
   // Simple helper that allows the root project to override versions declared by this library.
@@ -57,7 +57,7 @@ android {
     minSdkVersion safeExtGet("minSdkVersion", 21)
     targetSdkVersion safeExtGet("targetSdkVersion", 30)
     versionCode 17
-    versionName '11.0.3'
+    versionName '11.1.0'
   }
   lintOptions {
     abortOnError false
@@ -67,5 +67,7 @@ android {
 dependencies {
   implementation project(':expo-modules-core')
 
+  api "androidx.biometric:biometric:1.1.0"
+
   implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${safeExtGet('kotlinVersion', '1.4.21')}"
 }

package/android/src/main/java/expo/modules/securestore/AuthenticationCallback.kt

@@ -0,0 +1,28 @@
+package expo.modules.securestore
+
+import expo.modules.core.Promise
+import expo.modules.core.arguments.ReadableArguments
+import javax.crypto.Cipher
+import javax.crypto.spec.GCMParameterSpec
+
+// Interface used to pass the authentication logic
+interface AuthenticationCallback {
+  fun checkAuthentication(
+    promise: Promise,
+    cipher: Cipher,
+    gcmParameterSpec: GCMParameterSpec,
+    options: ReadableArguments,
+    encryptionCallback: EncryptionCallback,
+    postEncryptionCallback: PostEncryptionCallback?
+  )
+
+  fun checkAuthentication(
+    promise: Promise,
+    requiresAuthentication: Boolean,
+    cipher: Cipher,
+    gcmParameterSpec: GCMParameterSpec,
+    options: ReadableArguments,
+    encryptionCallback: EncryptionCallback,
+    postEncryptionCallback: PostEncryptionCallback?
+  )
+}

package/android/src/main/java/expo/modules/securestore/AuthenticationHelper.kt

@@ -0,0 +1,212 @@
+package expo.modules.securestore
+
+import android.app.Activity
+import android.content.Context
+import android.os.Build
+import android.util.Log
+import androidx.biometric.BiometricManager
+import androidx.biometric.BiometricPrompt
+import androidx.biometric.BiometricPrompt.PromptInfo
+import androidx.core.content.ContextCompat
+import androidx.fragment.app.FragmentActivity
+import expo.modules.core.ModuleRegistry
+import expo.modules.core.Promise
+import expo.modules.core.arguments.ReadableArguments
+import expo.modules.core.interfaces.ActivityProvider
+import expo.modules.core.interfaces.services.UIManager
+import org.json.JSONException
+import org.json.JSONObject
+import java.security.GeneralSecurityException
+import javax.crypto.Cipher
+import javax.crypto.spec.GCMParameterSpec
+
+class AuthenticationHelper(
+  private val context: Context,
+  private val moduleRegistry: ModuleRegistry
+) {
+  companion object {
+    private const val AUTHENTICATION_PROMPT_PROPERTY = "authenticationPrompt"
+    const val REQUIRE_AUTHENTICATION_PROPERTY = "requireAuthentication"
+  }
+
+  private val uiManager = moduleRegistry.getModule(UIManager::class.java)
+  private var isAuthenticating = false
+
+  // Authentication callback decides whether the operation requires authentication (either by
+  // requiresAuthentication argument, or from options). When item needs to be encrypted/decrypted an
+  // instance of Authentication callback is passed to the relevant method.
+  // The method prepares the cipher and starts authentication callback with it. If the operation
+  // requires authentication, the biometric prompt is shown, otherwise the encryption callback
+  // is called.
+  // When the user is authenticated the encryption callback is ran with the unlocked cipher and does
+  // encryption/decryption. Finally the PostEncryptionCallback may be ran with the object returned
+  // by previous callback (to save encrypted data to SharedPreferences).
+
+  val defaultCallback: AuthenticationCallback = object : AuthenticationCallback {
+    override fun checkAuthentication(
+      promise: Promise,
+      cipher: Cipher,
+      gcmParameterSpec: GCMParameterSpec,
+      options: ReadableArguments,
+      encryptionCallback: EncryptionCallback,
+      postEncryptionCallback: PostEncryptionCallback?
+    ) {
+      val requiresAuthentication = options.getBoolean(REQUIRE_AUTHENTICATION_PROPERTY, false)
+
+      checkAuthentication(
+        promise, requiresAuthentication, cipher, gcmParameterSpec, options, encryptionCallback, postEncryptionCallback
+      )
+    }
+
+    override fun checkAuthentication(
+      promise: Promise,
+      requiresAuthentication: Boolean,
+      cipher: Cipher,
+      gcmParameterSpec: GCMParameterSpec,
+      options: ReadableArguments,
+      encryptionCallback: EncryptionCallback,
+      postEncryptionCallback: PostEncryptionCallback?
+    ) {
+      if (requiresAuthentication) {
+        openAuthenticationPrompt(promise, options, encryptionCallback, cipher, gcmParameterSpec, postEncryptionCallback)
+      } else {
+        handleEncryptionCallback(promise, encryptionCallback, cipher, gcmParameterSpec, postEncryptionCallback)
+      }
+    }
+  }
+
+  fun handleEncryptionCallback(
+    promise: Promise,
+    encryptionCallback: EncryptionCallback,
+    cipher: Cipher,
+    gcmParameterSpec: GCMParameterSpec,
+    postEncryptionCallback: PostEncryptionCallback?
+  ) {
+    try {
+      encryptionCallback.run(promise, cipher, gcmParameterSpec, postEncryptionCallback)
+    } catch (exception: GeneralSecurityException) {
+      Log.w(SecureStoreModule.TAG, exception)
+      promise.reject(
+        "ERR_SECURESTORE_ENCRYPT_FAILURE",
+        "Could not encrypt/decrypt the value for SecureStore",
+        exception
+      )
+    } catch (exception: JSONException) {
+      Log.w(SecureStoreModule.TAG, exception)
+      promise.reject(
+        "ERR_SECURESTORE_ENCODE_FAILURE",
+        "Could not create an encrypted JSON item for SecureStore",
+        exception
+      )
+    }
+  }
+
+  private fun openAuthenticationPrompt(
+    promise: Promise,
+    options: ReadableArguments,
+    encryptionCallback: EncryptionCallback,
+    cipher: Cipher,
+    gcmParameterSpec: GCMParameterSpec,
+    postEncryptionCallback: PostEncryptionCallback?
+  ) {
+    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
+      promise.reject(
+        "ERR_SECURESTORE_AUTH_NOT_AVAILABLE",
+        "Biometric authentication requires Android API 23"
+      )
+      return
+    }
+    if (isAuthenticating) {
+      promise.reject(
+        "ERR_SECURESTORE_AUTH_IN_PROGRESS",
+        "Authentication is already in progress"
+      )
+      return
+    }
+
+    val biometricManager = BiometricManager.from(context)
+    when (biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)) {
+      BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE, BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE -> {
+        promise.reject(
+          "ERR_SECURESTORE_AUTH_NOT_AVAILABLE",
+          "No hardware available for biometric authentication. Use expo-local-authentication to check if the device supports it."
+        )
+        return
+      }
+      BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> {
+        promise.reject(
+          "ERR_SECURESTORE_AUTH_NOT_CONFIGURED",
+          "No biometrics are currently enrolled"
+        )
+        return
+      }
+    }
+
+    val title = options.getString(AUTHENTICATION_PROMPT_PROPERTY, " ")
+
+    val promptInfo = PromptInfo.Builder()
+      .setTitle(title)
+      .setNegativeButtonText(context.getString(android.R.string.cancel))
+      .build()
+    val fragmentActivity = getCurrentActivity() as FragmentActivity?
+    if (fragmentActivity == null) {
+      promise.reject(
+        "ERR_SECURESTORE_APP_BACKGROUNDED",
+        "Cannot display biometric prompt when the app is not in the foreground"
+      )
+      return
+    }
+
+    uiManager.runOnUiQueueThread(
+      Runnable {
+        isAuthenticating = true
+
+        BiometricPrompt(
+          fragmentActivity,
+          ContextCompat.getMainExecutor(context),
+          object : BiometricPrompt.AuthenticationCallback() {
+            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
+              super.onAuthenticationSucceeded(result)
+              isAuthenticating = false
+
+              val cipher = result.cryptoObject!!.cipher!!
+              handleEncryptionCallback(
+                promise,
+                encryptionCallback,
+                cipher,
+                gcmParameterSpec,
+                { promise, result ->
+                  val obj = result as JSONObject
+                  obj.put(REQUIRE_AUTHENTICATION_PROPERTY, true)
+                  postEncryptionCallback?.run(promise, result)
+                }
+              )
+            }
+
+            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
+              super.onAuthenticationError(errorCode, errString)
+              isAuthenticating = false
+
+              if (errorCode == BiometricPrompt.ERROR_USER_CANCELED || errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON) {
+                promise.reject(
+                  "ERR_SECURESTORE_AUTH_CANCELLED",
+                  "User canceled the authentication"
+                )
+              } else {
+                promise.reject(
+                  "ERR_SECURESTORE_AUTH_FAILURE",
+                  "Could not authenticate the user"
+                )
+              }
+            }
+          }
+        ).authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
+      }
+    )
+  }
+
+  private fun getCurrentActivity(): Activity? {
+    val activityProvider: ActivityProvider = moduleRegistry.getModule(ActivityProvider::class.java)
+    return activityProvider.currentActivity
+  }
+}

package/android/src/main/java/expo/modules/securestore/EncryptionCallback.kt

@@ -0,0 +1,18 @@
+package expo.modules.securestore
+
+import expo.modules.core.Promise
+import org.json.JSONException
+import java.security.GeneralSecurityException
+import javax.crypto.Cipher
+import javax.crypto.spec.GCMParameterSpec
+
+// Interface used to pass encryption/decryption logic
+fun interface EncryptionCallback {
+  @Throws(GeneralSecurityException::class, JSONException::class)
+  fun run(
+    promise: Promise,
+    cipher: Cipher,
+    gcmParameterSpec: GCMParameterSpec,
+    postEncryptionCallback: PostEncryptionCallback?
+  ): Any
+}

package/android/src/main/java/expo/modules/securestore/PostEncryptionCallback.kt

@@ -0,0 +1,11 @@
+package expo.modules.securestore
+
+import expo.modules.core.Promise
+import org.json.JSONException
+import java.security.GeneralSecurityException
+
+// Interface used to pass logic that needs to happen after encryption/decryption
+fun interface PostEncryptionCallback {
+  @Throws(JSONException::class, GeneralSecurityException::class)
+  fun run(promise: Promise, result: Any)
+}

package/android/src/main/java/expo/modules/securestore/SecureStoreModule.java

@@ -16,6 +16,7 @@ import android.util.Log;
 import org.json.JSONException;
 import org.json.JSONObject;
 import expo.modules.core.ExportedModule;
+import expo.modules.core.ModuleRegistry;
 import expo.modules.core.Promise;
 import expo.modules.core.arguments.ReadableArguments;
 import expo.modules.core.interfaces.ExpoMethod;
@@ -46,7 +47,7 @@ import javax.crypto.spec.SecretKeySpec;
 import javax.security.auth.x500.X500Principal;
 
 public class SecureStoreModule extends ExportedModule {
-  private static final String TAG = "ExpoSecureStore";
+  static final String TAG = "ExpoSecureStore";
   private static final String SHARED_PREFERENCES_NAME = "SecureStore";
   private static final String KEYSTORE_PROVIDER = "AndroidKeyStore";
 
@@ -57,6 +58,7 @@ public class SecureStoreModule extends ExportedModule {
   private KeyStore mKeyStore;
   private AESEncrypter mAESEncrypter;
   private HybridAESEncrypter mHybridAESEncrypter;
+  private AuthenticationHelper mAuthenticationHelper;
 
   public SecureStoreModule(Context context) {
     super(context);
@@ -64,6 +66,11 @@ public class SecureStoreModule extends ExportedModule {
     mHybridAESEncrypter = new HybridAESEncrypter(context, mAESEncrypter);
   }
 
+  @Override
+  public void onCreate(ModuleRegistry moduleRegistry) {
+    mAuthenticationHelper = new AuthenticationHelper(getContext(), moduleRegistry);
+  }
+
   @Override
   public String getName() {
     return TAG;
@@ -81,7 +88,6 @@ public class SecureStoreModule extends ExportedModule {
     }
   }
 
-  @SuppressWarnings("ConstantConditions")
   private void setItemImpl(String key, String value, ReadableArguments options, Promise promise) {
     if (key == null) {
       promise.reject("E_SECURESTORE_NULL_KEY", "SecureStore keys must not be null");
@@ -100,7 +106,6 @@ public class SecureStoreModule extends ExportedModule {
       return;
     }
 
-    JSONObject encryptedItem;
     try {
       KeyStore keyStore = getKeyStore();
 
@@ -110,12 +115,18 @@ public class SecureStoreModule extends ExportedModule {
       // back a value.
       if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
         KeyStore.SecretKeyEntry secretKeyEntry = getKeyEntry(KeyStore.SecretKeyEntry.class, mAESEncrypter, options);
-        encryptedItem = mAESEncrypter.createEncryptedItem(value, keyStore, secretKeyEntry);
-        encryptedItem.put(SCHEME_PROPERTY, AESEncrypter.NAME);
+        mAESEncrypter.createEncryptedItem(promise, value, keyStore, secretKeyEntry, options, mAuthenticationHelper.getDefaultCallback(), (innerPromise, result) -> {
+          JSONObject obj = (JSONObject) result;
+          obj.put(SCHEME_PROPERTY, AESEncrypter.NAME);
+          saveEncryptedItem(innerPromise, obj, prefs, key);
+        });
       } else {
         KeyStore.PrivateKeyEntry privateKeyEntry = getKeyEntry(KeyStore.PrivateKeyEntry.class, mHybridAESEncrypter, options);
-        encryptedItem = mHybridAESEncrypter.createEncryptedItem(value, keyStore, privateKeyEntry);
-        encryptedItem.put(SCHEME_PROPERTY, HybridAESEncrypter.NAME);
+        mHybridAESEncrypter.createEncryptedItem(promise, value, keyStore, privateKeyEntry, options, mAuthenticationHelper.getDefaultCallback(), (innerPromise, result) -> {
+          JSONObject obj = (JSONObject) result;
+          obj.put(SCHEME_PROPERTY, HybridAESEncrypter.NAME);
+          saveEncryptedItem(innerPromise, obj, prefs, key);
+        });
       }
     } catch (IOException e) {
       Log.w(TAG, e);
@@ -130,7 +141,9 @@ public class SecureStoreModule extends ExportedModule {
       promise.reject("E_SECURESTORE_ENCODE_ERROR", "Could not create an encrypted JSON item for SecureStore", e);
       return;
     }
+  }
 
+  private void saveEncryptedItem(Promise promise, JSONObject encryptedItem, SharedPreferences prefs, String key) {
     String encryptedItemString = encryptedItem.toString();
     if (encryptedItemString == null) { // lint warning suppressed, JSONObject#toString() may return null
       promise.reject("E_SECURESTORE_JSON_ERROR", "Could not JSON-encode the encrypted item for SecureStore");
@@ -185,16 +198,15 @@ public class SecureStoreModule extends ExportedModule {
       return;
     }
 
-    String value;
     try {
       switch (scheme) {
         case AESEncrypter.NAME:
           KeyStore.SecretKeyEntry secretKeyEntry = getKeyEntry(KeyStore.SecretKeyEntry.class, mAESEncrypter, options);
-          value = mAESEncrypter.decryptItem(encryptedItem, secretKeyEntry);
+          mAESEncrypter.decryptItem(promise, encryptedItem, secretKeyEntry, options, mAuthenticationHelper.getDefaultCallback());
           break;
         case HybridAESEncrypter.NAME:
           KeyStore.PrivateKeyEntry privateKeyEntry = getKeyEntry(KeyStore.PrivateKeyEntry.class, mHybridAESEncrypter, options);
-          value = mHybridAESEncrypter.decryptItem(encryptedItem, privateKeyEntry);
+          mHybridAESEncrypter.decryptItem(promise, encryptedItem, privateKeyEntry, options, mAuthenticationHelper.getDefaultCallback());
           break;
         default:
           String message = String.format("The item for key \"%s\" in SecureStore has an unknown encoding scheme (%s)", key, scheme);
@@ -215,8 +227,6 @@ public class SecureStoreModule extends ExportedModule {
       promise.reject("E_SECURESTORE_DECODE_ERROR", "Could not decode the encrypted JSON item in SecureStore", e);
       return;
     }
-
-    promise.resolve(value);
   }
 
   private void readLegacySDK20Item(String key, ReadableArguments options, Promise promise) {
@@ -339,11 +349,12 @@ public class SecureStoreModule extends ExportedModule {
         GeneralSecurityException;
 
     @SuppressWarnings("unused")
-    JSONObject createEncryptedItem(String plaintextValue, KeyStore keyStore, E keyStoreEntry) throws
+    void createEncryptedItem(Promise promise, String plaintextValue, KeyStore keyStore, E keyStoreEntry, ReadableArguments options,
+                             AuthenticationCallback authenticationCallback, PostEncryptionCallback postEncryptionCallback) throws
         GeneralSecurityException, JSONException;
 
     @SuppressWarnings("unused")
-    String decryptItem(JSONObject encryptedItem, E keyStoreEntry) throws
+    void decryptItem(Promise promise, JSONObject encryptedItem, E keyStoreEntry, ReadableArguments options, AuthenticationCallback callback) throws
         GeneralSecurityException, JSONException;
   }
 
@@ -382,6 +393,7 @@ public class SecureStoreModule extends ExportedModule {
           .setKeySize(AES_KEY_SIZE_BITS)
           .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
           .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+          .setUserAuthenticationRequired(options.getBoolean(AuthenticationHelper.REQUIRE_AUTHENTICATION_PROPERTY, false))
           .build();
 
       KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, keyStore.getProvider());
@@ -398,18 +410,23 @@ public class SecureStoreModule extends ExportedModule {
     }
 
     @Override
-    public JSONObject createEncryptedItem(String plaintextValue, KeyStore keyStore, KeyStore.SecretKeyEntry secretKeyEntry) throws
-        GeneralSecurityException, JSONException {
+    public void createEncryptedItem(Promise promise, String plaintextValue, KeyStore keyStore, KeyStore.SecretKeyEntry secretKeyEntry,
+                                    ReadableArguments options, AuthenticationCallback authenticationCallback, PostEncryptionCallback postEncryptionCallback) throws
+        GeneralSecurityException {
 
       SecretKey secretKey = secretKeyEntry.getSecretKey();
       Cipher cipher = Cipher.getInstance(AES_CIPHER);
       cipher.init(Cipher.ENCRYPT_MODE, secretKey);
       GCMParameterSpec gcmSpec = cipher.getParameters().getParameterSpec(GCMParameterSpec.class);
 
-      return createEncryptedItem(plaintextValue, cipher, gcmSpec);
+      authenticationCallback.checkAuthentication(promise, cipher, gcmSpec, options,
+        (promise1, cipher1, gcmParameterSpec, postEncryptionCallback1) ->
+          createEncryptedItem(promise1, plaintextValue, cipher1, gcmSpec, postEncryptionCallback1), postEncryptionCallback
+      );
     }
 
-    /* package */ JSONObject createEncryptedItem(String plaintextValue, Cipher cipher, GCMParameterSpec gcmSpec) throws
+    /* package */ JSONObject createEncryptedItem(Promise promise, String plaintextValue, Cipher cipher,
+                                                 GCMParameterSpec gcmSpec, PostEncryptionCallback postEncryptionCallback) throws
         GeneralSecurityException, JSONException {
 
       byte[] plaintextBytes = plaintextValue.getBytes(StandardCharsets.UTF_8);
@@ -419,14 +436,19 @@ public class SecureStoreModule extends ExportedModule {
       String ivString = Base64.encodeToString(gcmSpec.getIV(), Base64.NO_WRAP);
       int authenticationTagLength = gcmSpec.getTLen();
 
-      return new JSONObject()
-          .put(CIPHERTEXT_PROPERTY, ciphertext)
-          .put(IV_PROPERTY, ivString)
-          .put(GCM_AUTHENTICATION_TAG_LENGTH_PROPERTY, authenticationTagLength);
+      JSONObject result = new JSONObject()
+        .put(CIPHERTEXT_PROPERTY, ciphertext)
+        .put(IV_PROPERTY, ivString)
+        .put(GCM_AUTHENTICATION_TAG_LENGTH_PROPERTY, authenticationTagLength);
+
+      postEncryptionCallback.run(promise, result);
+
+      return result;
     }
 
     @Override
-    public String decryptItem(JSONObject encryptedItem, KeyStore.SecretKeyEntry secretKeyEntry) throws
+    public void decryptItem(Promise promise, JSONObject encryptedItem, KeyStore.SecretKeyEntry secretKeyEntry, ReadableArguments options,
+                            AuthenticationCallback callback) throws
         GeneralSecurityException, JSONException {
 
       String ciphertext = encryptedItem.getString(CIPHERTEXT_PROPERTY);
@@ -438,9 +460,15 @@ public class SecureStoreModule extends ExportedModule {
       GCMParameterSpec gcmSpec = new GCMParameterSpec(authenticationTagLength, ivBytes);
       Cipher cipher = Cipher.getInstance(AES_CIPHER);
       cipher.init(Cipher.DECRYPT_MODE, secretKeyEntry.getSecretKey(), gcmSpec);
-      byte[] plaintextBytes = cipher.doFinal(ciphertextBytes);
 
-      return new String(plaintextBytes, StandardCharsets.UTF_8);
+      callback.checkAuthentication(promise, encryptedItem.optBoolean(AuthenticationHelper.REQUIRE_AUTHENTICATION_PROPERTY), cipher, gcmSpec, options,
+        (promise1, cipher1, gcmParameterSpec, postEncryptionCallback) -> {
+          String result = new String(cipher1.doFinal(ciphertextBytes), StandardCharsets.UTF_8);
+          promise1.resolve(result);
+          return result;
+        },
+        null
+      );
     }
   }
 
@@ -515,7 +543,8 @@ public class SecureStoreModule extends ExportedModule {
     }
 
     @Override
-    public JSONObject createEncryptedItem(String plaintextValue, KeyStore keyStore, KeyStore.PrivateKeyEntry privateKeyEntry) throws
+    public void createEncryptedItem(Promise promise, String plaintextValue, KeyStore keyStore, KeyStore.PrivateKeyEntry privateKeyEntry,
+                                    ReadableArguments options, AuthenticationCallback authenticationCallback, PostEncryptionCallback postEncryptionCallback) throws
         GeneralSecurityException, JSONException {
 
       // Generate the IV and symmetric key with which we encrypt the value
@@ -547,29 +576,41 @@ public class SecureStoreModule extends ExportedModule {
         chosenSpec = gcmSpec;
       }
 
-      JSONObject encryptedItem = mAESEncrypter.createEncryptedItem(plaintextValue, aesCipher, chosenSpec);
-
-      // Ensure the IV in the encrypted item matches our generated IV
-      String ivString = encryptedItem.getString(AESEncrypter.IV_PROPERTY);
-      String expectedIVString = Base64.encodeToString(ivBytes, Base64.NO_WRAP);
-      if (!ivString.equals(expectedIVString)) {
-        Log.e(TAG, String.format("HybridAESEncrypter generated two different IVs: %s and %s", expectedIVString, ivString));
-        throw new IllegalStateException("HybridAESEncrypter must store the same IV as the one used to parameterize the secret key");
-      }
-
-      // Encrypt the symmetric key with the asymmetric public key
-      byte[] secretKeyBytes = secretKey.getEncoded();
-      Cipher cipher = getRSACipher();
-      cipher.init(Cipher.ENCRYPT_MODE, privateKeyEntry.getCertificate());
-      byte[] encryptedSecretKeyBytes = cipher.doFinal(secretKeyBytes);
-      String encryptedSecretKeyString = Base64.encodeToString(encryptedSecretKeyBytes, Base64.NO_WRAP);
-
-      // Store the encrypted symmetric key in the encrypted item
-      return encryptedItem.put(ENCRYPTED_SECRET_KEY_PROPERTY, encryptedSecretKeyString);
+      authenticationCallback.checkAuthentication(promise, aesCipher, chosenSpec, options, new EncryptionCallback() {
+        @Override
+        public Object run(Promise promise, Cipher cipher, GCMParameterSpec gcmParameterSpec, PostEncryptionCallback postEncryptionCallback) throws
+          GeneralSecurityException, JSONException {
+            return mAESEncrypter.createEncryptedItem(promise, plaintextValue, cipher, gcmSpec, postEncryptionCallback);
+        }
+      }, new PostEncryptionCallback() {
+        @Override
+        public void run(Promise promise, Object result) throws JSONException, GeneralSecurityException {
+          JSONObject encryptedItem = (JSONObject) result;
+
+          // Ensure the IV in the encrypted item matches our generated IV
+          String ivString = encryptedItem.getString(AESEncrypter.IV_PROPERTY);
+          String expectedIVString = Base64.encodeToString(ivBytes, Base64.NO_WRAP);
+          if (!ivString.equals(expectedIVString)) {
+            Log.e(TAG, String.format("HybridAESEncrypter generated two different IVs: %s and %s", expectedIVString, ivString));
+            throw new IllegalStateException("HybridAESEncrypter must store the same IV as the one used to parameterize the secret key");
+          }
+
+          // Encrypt the symmetric key with the asymmetric public key
+          byte[] secretKeyBytes = secretKey.getEncoded();
+          Cipher cipher = getRSACipher();
+          cipher.init(Cipher.ENCRYPT_MODE, privateKeyEntry.getCertificate());
+          byte[] encryptedSecretKeyBytes = cipher.doFinal(secretKeyBytes);
+          String encryptedSecretKeyString = Base64.encodeToString(encryptedSecretKeyBytes, Base64.NO_WRAP);
+
+          encryptedItem.put(ENCRYPTED_SECRET_KEY_PROPERTY, encryptedSecretKeyString);
+
+          postEncryptionCallback.run(promise, encryptedItem);
+        }
+      });
     }
 
     @Override
-    public String decryptItem(JSONObject encryptedItem, KeyStore.PrivateKeyEntry privateKeyEntry) throws
+    public void decryptItem(Promise promise, JSONObject encryptedItem, KeyStore.PrivateKeyEntry privateKeyEntry, ReadableArguments options, AuthenticationCallback callback) throws
         GeneralSecurityException, JSONException {
 
       // Decrypt the encrypted symmetric key
@@ -584,7 +625,8 @@ public class SecureStoreModule extends ExportedModule {
 
       // Decrypt the value with the symmetric key
       KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry(secretKey);
-      return mAESEncrypter.decryptItem(encryptedItem, secretKeyEntry);
+
+      mAESEncrypter.decryptItem(promise, encryptedItem, secretKeyEntry, options, callback);
     }
 
     private Cipher getRSACipher() throws NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException {
@@ -592,7 +634,6 @@ public class SecureStoreModule extends ExportedModule {
           ? Cipher.getInstance(RSA_CIPHER, RSA_CIPHER_LEGACY_PROVIDER)
           : Cipher.getInstance(RSA_CIPHER);
     }
-
   }
 
   /**

package/build/SecureStore.d.ts

@@ -40,6 +40,20 @@ export declare type SecureStoreOptions = {
      * > If the item is set with the `keychainService` option, it will be required to later fetch the value.
      */
     keychainService?: string;
+    /**
+     * Option responsible for enabling the usage of the user authentication methods available on the device while
+     * accessing data stored in SecureStore.
+     *
+     * - iOS: Equivalent to `kSecAccessControlUserPresence`
+     * - Android: Equivalent to `setUserAuthenticationRequired(true)` (requires API 23). Complete functionality
+     * is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`
+     * value used for the others non-authenticated operations.
+     */
+    requireAuthentication?: boolean;
+    /**
+     * Custom message displayed to the user while `requireAuthentication` option is turned on.
+     */
+    authenticationPrompt?: string;
     /**
      * __(iOS only)__ Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible`
      * property. See Apple's documentation on [keychain item accessibility](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-SW18).

package/build/SecureStore.js.map

@@ -1 +1 @@
-{"version":3,"file":"SecureStore.js","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,eAAe,MAAM,mBAAmB,CAAC;AAIhD,cAAc;AACd;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAkC,eAAe,CAAC,kBAAkB,CAAC;AAEpG,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAC9C,eAAe,CAAC,mCAAmC,CAAC;AAEtD,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,MAAM,GAAkC,eAAe,CAAC,MAAM,CAAC;AAE5E,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAC7C,eAAe,CAAC,kCAAkC,CAAC;AAErD,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAClC,eAAe,CAAC,uBAAuB,CAAC;AAE1C,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAkC,eAAe,CAAC,aAAa,CAAC;AAE1F,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GACzC,eAAe,CAAC,8BAA8B,CAAC;AAEjD,MAAM,iBAAiB,GAAG,IAAI,CAAC;AAkB/B,cAAc;AACd;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,OAAO,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;AAChD,CAAC;AAED,cAAc;AACd;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IAErB,IAAI,CAAC,eAAe,CAAC,uBAAuB,EAAE;QAC5C,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;KACjE;IACD,MAAM,eAAe,CAAC,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAED,cAAc;AACd;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,OAAO,MAAM,eAAe,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,cAAc;AACd;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,KAAa,EACb,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE;QACzB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IACD,IAAI,CAAC,eAAe,CAAC,oBAAoB,EAAE;QACzC,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;KAC9D;IACD,MAAM,eAAe,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE;QACrB,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;KACH;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QAC7B,OAAO,KAAK,CAAC;KACd;IACD,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE;QACzC,OAAO,CAAC,IAAI,CACV,0HAA0H,CAC3H,CAAC;KACH;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QACrC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAEtC,gDAAgD;QAChD,IAAI,SAAS,IAAI,MAAM,IAAI,SAAS,GAAG,MAAM,EAAE;YAC7C,IAAI,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE;gBAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAErC,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,GAAG,MAAM,EAAE;oBACnC,KAAK,IAAI,CAAC,CAAC;oBACX,CAAC,EAAE,CAAC;oBACJ,SAAS;iBACV;aACF;SACF;QAED,KAAK,IAAI,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KAC3D;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import { UnavailabilityError } from 'expo-modules-core';\n\nimport ExpoSecureStore from './ExpoSecureStore';\n\nexport type KeychainAccessibilityConstant = number;\n\n// @needsAudit\n/**\n * The data in the keychain item cannot be accessed after a restart until the device has been\n * unlocked once by the user. This may be useful if you need to access the item when the phone\n * is locked.\n */\nexport const AFTER_FIRST_UNLOCK: KeychainAccessibilityConstant = ExpoSecureStore.AFTER_FIRST_UNLOCK;\n\n// @needsAudit\n/**\n * Similar to `AFTER_FIRST_UNLOCK`, except the entry is not migrated to a new device when restoring\n * from a backup.\n */\nexport const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can always be accessed regardless of whether the device is locked.\n * This is the least secure option.\n */\nexport const ALWAYS: KeychainAccessibilityConstant = ExpoSecureStore.ALWAYS;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED_THIS_DEVICE_ONLY`, except the user must have set a passcode in order to\n * store an entry. If the user removes their passcode, the entry will be deleted.\n */\nexport const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.\n */\nexport const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can be accessed only while the device is unlocked by the user.\n */\nexport const WHEN_UNLOCKED: KeychainAccessibilityConstant = ExpoSecureStore.WHEN_UNLOCKED;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED`, except the entry is not migrated to a new device when restoring from\n * a backup.\n */\nexport const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;\n\nconst VALUE_BYTES_LIMIT = 2048;\n\n// @needsAudit\nexport type SecureStoreOptions = {\n  /**\n   * - iOS: The item's service, equivalent to `kSecAttrService`\n   * - Android: Equivalent of the public/private key pair `Alias`\n   * > If the item is set with the `keychainService` option, it will be required to later fetch the value.\n   */\n  keychainService?: string;\n  /**\n   * __(iOS only)__ Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible`\n   * property. See Apple's documentation on [keychain item accessibility](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-SW18).\n   * Default value: `SecureStore.WHEN_UNLOCKED`.\n   */\n  keychainAccessible?: KeychainAccessibilityConstant;\n};\n\n// @needsAudit\n/**\n * Returns whether the SecureStore API is enabled on the current device. This does not check the app\n * permissions.\n *\n * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available\n * on the current device. Currently this resolves `true` on iOS and Android only.\n */\nexport async function isAvailableAsync(): Promise<boolean> {\n  return !!ExpoSecureStore.getValueWithKeyAsync;\n}\n\n// @needsAudit\n/**\n * Delete the value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if the value couldn't be deleted.\n */\nexport async function deleteItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n\n  if (!ExpoSecureStore.deleteValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'deleteItemAsync');\n  }\n  await ExpoSecureStore.deleteValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Fetch the stored value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that resolves to the previously stored value, or `null` if there is no entry\n * for the given key. The promise will reject if an error occurred while retrieving the value.\n */\nexport async function getItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<string | null> {\n  _ensureValidKey(key);\n  return await ExpoSecureStore.getValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Store a key–value pair.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters\n * `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if value cannot be stored on the device.\n */\nexport async function setItemAsync(\n  key: string,\n  value: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n  if (!_isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n  if (!ExpoSecureStore.setValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'setItemAsync');\n  }\n  await ExpoSecureStore.setValueWithKeyAsync(value, key, options);\n}\n\nfunction _ensureValidKey(key: string) {\n  if (!_isValidKey(key)) {\n    throw new Error(\n      `Invalid key provided to SecureStore. Keys must not be empty and contain only alphanumeric characters, \".\", \"-\", and \"_\".`\n    );\n  }\n}\n\nfunction _isValidKey(key: string) {\n  return typeof key === 'string' && /^[\\w.-]+$/.test(key);\n}\n\nfunction _isValidValue(value: string) {\n  if (typeof value !== 'string') {\n    return false;\n  }\n  if (_byteCount(value) > VALUE_BYTES_LIMIT) {\n    console.warn(\n      'Provided value to SecureStore is larger than 2048 bytes. An attempt to store such a value will throw an error in SDK 35.'\n    );\n  }\n  return true;\n}\n\n// copy-pasted from https://stackoverflow.com/a/39488643\nfunction _byteCount(value: string) {\n  let bytes = 0;\n\n  for (let i = 0; i < value.length; i++) {\n    const codePoint = value.charCodeAt(i);\n\n    // Lone surrogates cannot be passed to encodeURI\n    if (codePoint >= 0xd800 && codePoint < 0xe000) {\n      if (codePoint < 0xdc00 && i + 1 < value.length) {\n        const next = value.charCodeAt(i + 1);\n\n        if (next >= 0xdc00 && next < 0xe000) {\n          bytes += 4;\n          i++;\n          continue;\n        }\n      }\n    }\n\n    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;\n  }\n\n  return bytes;\n}\n"]}
+{"version":3,"file":"SecureStore.js","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,eAAe,MAAM,mBAAmB,CAAC;AAIhD,cAAc;AACd;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAkC,eAAe,CAAC,kBAAkB,CAAC;AAEpG,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAC9C,eAAe,CAAC,mCAAmC,CAAC;AAEtD,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,MAAM,GAAkC,eAAe,CAAC,MAAM,CAAC;AAE5E,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAC7C,eAAe,CAAC,kCAAkC,CAAC;AAErD,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAClC,eAAe,CAAC,uBAAuB,CAAC;AAE1C,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAkC,eAAe,CAAC,aAAa,CAAC;AAE1F,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GACzC,eAAe,CAAC,8BAA8B,CAAC;AAEjD,MAAM,iBAAiB,GAAG,IAAI,CAAC;AAgC/B,cAAc;AACd;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,OAAO,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;AAChD,CAAC;AAED,cAAc;AACd;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IAErB,IAAI,CAAC,eAAe,CAAC,uBAAuB,EAAE;QAC5C,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;KACjE;IACD,MAAM,eAAe,CAAC,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAED,cAAc;AACd;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,OAAO,MAAM,eAAe,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,cAAc;AACd;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,KAAa,EACb,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE;QACzB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IACD,IAAI,CAAC,eAAe,CAAC,oBAAoB,EAAE;QACzC,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;KAC9D;IACD,MAAM,eAAe,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE;QACrB,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;KACH;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QAC7B,OAAO,KAAK,CAAC;KACd;IACD,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE;QACzC,OAAO,CAAC,IAAI,CACV,0HAA0H,CAC3H,CAAC;KACH;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QACrC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAEtC,gDAAgD;QAChD,IAAI,SAAS,IAAI,MAAM,IAAI,SAAS,GAAG,MAAM,EAAE;YAC7C,IAAI,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE;gBAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAErC,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,GAAG,MAAM,EAAE;oBACnC,KAAK,IAAI,CAAC,CAAC;oBACX,CAAC,EAAE,CAAC;oBACJ,SAAS;iBACV;aACF;SACF;QAED,KAAK,IAAI,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KAC3D;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import { UnavailabilityError } from 'expo-modules-core';\n\nimport ExpoSecureStore from './ExpoSecureStore';\n\nexport type KeychainAccessibilityConstant = number;\n\n// @needsAudit\n/**\n * The data in the keychain item cannot be accessed after a restart until the device has been\n * unlocked once by the user. This may be useful if you need to access the item when the phone\n * is locked.\n */\nexport const AFTER_FIRST_UNLOCK: KeychainAccessibilityConstant = ExpoSecureStore.AFTER_FIRST_UNLOCK;\n\n// @needsAudit\n/**\n * Similar to `AFTER_FIRST_UNLOCK`, except the entry is not migrated to a new device when restoring\n * from a backup.\n */\nexport const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can always be accessed regardless of whether the device is locked.\n * This is the least secure option.\n */\nexport const ALWAYS: KeychainAccessibilityConstant = ExpoSecureStore.ALWAYS;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED_THIS_DEVICE_ONLY`, except the user must have set a passcode in order to\n * store an entry. If the user removes their passcode, the entry will be deleted.\n */\nexport const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.\n */\nexport const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can be accessed only while the device is unlocked by the user.\n */\nexport const WHEN_UNLOCKED: KeychainAccessibilityConstant = ExpoSecureStore.WHEN_UNLOCKED;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED`, except the entry is not migrated to a new device when restoring from\n * a backup.\n */\nexport const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;\n\nconst VALUE_BYTES_LIMIT = 2048;\n\n// @needsAudit\nexport type SecureStoreOptions = {\n  /**\n   * - iOS: The item's service, equivalent to `kSecAttrService`\n   * - Android: Equivalent of the public/private key pair `Alias`\n   * > If the item is set with the `keychainService` option, it will be required to later fetch the value.\n   */\n  keychainService?: string;\n  /**\n   * Option responsible for enabling the usage of the user authentication methods available on the device while\n   * accessing data stored in SecureStore.\n   *\n   * - iOS: Equivalent to `kSecAccessControlUserPresence`\n   * - Android: Equivalent to `setUserAuthenticationRequired(true)` (requires API 23). Complete functionality\n   * is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`\n   * value used for the others non-authenticated operations.\n   */\n  requireAuthentication?: boolean;\n  /**\n   * Custom message displayed to the user while `requireAuthentication` option is turned on.\n   */\n  authenticationPrompt?: string;\n  /**\n   * __(iOS only)__ Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible`\n   * property. See Apple's documentation on [keychain item accessibility](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-SW18).\n   * Default value: `SecureStore.WHEN_UNLOCKED`.\n   */\n  keychainAccessible?: KeychainAccessibilityConstant;\n};\n\n// @needsAudit\n/**\n * Returns whether the SecureStore API is enabled on the current device. This does not check the app\n * permissions.\n *\n * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available\n * on the current device. Currently this resolves `true` on iOS and Android only.\n */\nexport async function isAvailableAsync(): Promise<boolean> {\n  return !!ExpoSecureStore.getValueWithKeyAsync;\n}\n\n// @needsAudit\n/**\n * Delete the value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if the value couldn't be deleted.\n */\nexport async function deleteItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n\n  if (!ExpoSecureStore.deleteValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'deleteItemAsync');\n  }\n  await ExpoSecureStore.deleteValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Fetch the stored value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that resolves to the previously stored value, or `null` if there is no entry\n * for the given key. The promise will reject if an error occurred while retrieving the value.\n */\nexport async function getItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<string | null> {\n  _ensureValidKey(key);\n  return await ExpoSecureStore.getValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Store a key–value pair.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters\n * `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if value cannot be stored on the device.\n */\nexport async function setItemAsync(\n  key: string,\n  value: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n  if (!_isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n  if (!ExpoSecureStore.setValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'setItemAsync');\n  }\n  await ExpoSecureStore.setValueWithKeyAsync(value, key, options);\n}\n\nfunction _ensureValidKey(key: string) {\n  if (!_isValidKey(key)) {\n    throw new Error(\n      `Invalid key provided to SecureStore. Keys must not be empty and contain only alphanumeric characters, \".\", \"-\", and \"_\".`\n    );\n  }\n}\n\nfunction _isValidKey(key: string) {\n  return typeof key === 'string' && /^[\\w.-]+$/.test(key);\n}\n\nfunction _isValidValue(value: string) {\n  if (typeof value !== 'string') {\n    return false;\n  }\n  if (_byteCount(value) > VALUE_BYTES_LIMIT) {\n    console.warn(\n      'Provided value to SecureStore is larger than 2048 bytes. An attempt to store such a value will throw an error in SDK 35.'\n    );\n  }\n  return true;\n}\n\n// copy-pasted from https://stackoverflow.com/a/39488643\nfunction _byteCount(value: string) {\n  let bytes = 0;\n\n  for (let i = 0; i < value.length; i++) {\n    const codePoint = value.charCodeAt(i);\n\n    // Lone surrogates cannot be passed to encodeURI\n    if (codePoint >= 0xd800 && codePoint < 0xe000) {\n      if (codePoint < 0xdc00 && i + 1 < value.length) {\n        const next = value.charCodeAt(i + 1);\n\n        if (next >= 0xdc00 && next < 0xe000) {\n          bytes += 4;\n          i++;\n          continue;\n        }\n      }\n    }\n\n    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;\n  }\n\n  return bytes;\n}\n"]}

package/ios/EXSecureStore/EXSecureStore.m

@@ -28,11 +28,19 @@
   NSMutableDictionary *dictionary = [self _queryWithKey:key
                                             withOptions:options];
 
+  NSString *requireAuth = options[@"requireAuthentication"];
+
   NSData *valueData = [value dataUsingEncoding:NSUTF8StringEncoding];
   [dictionary setObject:valueData forKey:(__bridge id)kSecValueData];
 
   CFStringRef accessibility = [self _accessibilityAttributeWithOptions:options];
-  [dictionary setObject:(__bridge id)accessibility forKey:(__bridge id)kSecAttrAccessible];
+  
+  if (![requireAuth boolValue]) {
+    [dictionary setObject:(__bridge id)accessibility forKey:(__bridge id)kSecAttrAccessible];
+  } else {
+    SecAccessControlRef accessOptions = SecAccessControlCreateWithFlags(nil, accessibility, kSecAccessControlUserPresence, nil);
+    [dictionary setObject:(__bridge_transfer id)accessOptions forKey:(__bridge id)kSecAttrAccessControl];
+  }
 
   OSStatus status = SecItemAdd((__bridge CFDictionaryRef)dictionary, NULL);
 
@@ -74,6 +82,11 @@
                                                   withOptions:options];
   NSData *valueData = [value dataUsingEncoding:NSUTF8StringEncoding];
   NSDictionary *updateDictionary = @{(__bridge id)kSecValueData:valueData};
+  
+  if ((NSString *) options[@"authenticationPrompt"]) {
+    NSString *promptText = options[@"authenticationPrompt"];
+    [searchDictionary setObject:promptText forKey:(__bridge id)kSecUseOperationPrompt];
+  }
 
   OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)searchDictionary,
                                   (__bridge CFDictionaryRef)updateDictionary);
@@ -93,6 +106,11 @@
 
   [searchDictionary setObject:(__bridge id)kSecMatchLimitOne forKey:(__bridge id)kSecMatchLimit];
   [searchDictionary setObject:(__bridge id)kCFBooleanTrue forKey:(__bridge id)kSecReturnData];
+  
+  if ((NSString *) options[@"authenticationPrompt"]) {
+    NSString *promptText = options[@"authenticationPrompt"];
+    [searchDictionary setObject:promptText forKey:(__bridge id)kSecUseOperationPrompt];
+  }
 
   CFTypeRef foundDict = NULL;
   OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)searchDictionary, &foundDict);
@@ -178,7 +196,7 @@
       return @"Unable to decode the provided data.";
 
     case errSecAuthFailed:
-      return @"The user name or passphrase you entered is not correct.";
+      return @"Authentication failed. Provided passphrase/PIN is incorrect or there is no user authentication method configured for this device.";
 
     default:
       return error.localizedDescription;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "expo-secure-store",
-  "version": "11.0.3",
+  "version": "11.1.0",
   "description": "Provides a way to encrypt and securely store key–value pairs locally on the device.",
   "main": "build/SecureStore.js",
   "types": "build/SecureStore.d.ts",
@@ -35,11 +35,12 @@
   "jest": {
     "preset": "expo-module-scripts"
   },
-  "dependencies": {
-    "expo-modules-core": "~0.4.4"
-  },
+  "dependencies": {},
   "devDependencies": {
     "expo-module-scripts": "^2.0.0"
   },
-  "gitHead": "4fa0497a180ae707fa860cb03858630ab7af19f4"
+  "peerDependencies": {
+    "expo": "*"
+  },
+  "gitHead": "2e5c6983b86d5ecfca028ba64002897d8adc2cc4"
 }

package/src/SecureStore.ts

@@ -66,6 +66,20 @@ export type SecureStoreOptions = {
    * > If the item is set with the `keychainService` option, it will be required to later fetch the value.
    */
   keychainService?: string;
+  /**
+   * Option responsible for enabling the usage of the user authentication methods available on the device while
+   * accessing data stored in SecureStore.
+   *
+   * - iOS: Equivalent to `kSecAccessControlUserPresence`
+   * - Android: Equivalent to `setUserAuthenticationRequired(true)` (requires API 23). Complete functionality
+   * is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`
+   * value used for the others non-authenticated operations.
+   */
+  requireAuthentication?: boolean;
+  /**
+   * Custom message displayed to the user while `requireAuthentication` option is turned on.
+   */
+  authenticationPrompt?: string;
   /**
    * __(iOS only)__ Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible`
    * property. See Apple's documentation on [keychain item accessibility](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-SW18).