expo-secure-store 12.1.1 → 12.3.0

package/CHANGELOG.md

@@ -10,6 +10,22 @@
 
 ### 💡 Others
 
+## 12.3.0 — 2023-06-13
+
+### 🐛 Bug fixes
+
+- Fixed Android build warnings for Gradle version 8. ([#22537](https://github.com/expo/expo/pull/22537), [#22609](https://github.com/expo/expo/pull/22609) by [@kudo](https://github.com/kudo))
+
+### 💡 Others
+
+- Added automatic invalidated key handling on Android. ([#22716](https://github.com/expo/expo/pull/22716) by [@behenate](https://github.com/behenate))
+
+## 12.2.0 — 2023-05-08
+
+### 🎉 New features
+
+- Migrated iOS codebase to use Expo modules API. ([#21393](https://github.com/expo/expo/pull/21393) by [@alanjhughes](https://github.com/alanjhughes))
+
 ## 12.1.1 — 2023-02-09
 
 _This version does not introduce any user-facing changes._

package/README.md

@@ -16,7 +16,7 @@ Provides a way to encrypt and securely store key–value pairs locally on the de
 
 # Installation in managed Expo projects
 
-For [managed](https://docs.expo.dev/versions/latest/introduction/managed-vs-bare/) Expo projects, please follow the installation instructions in the [API documentation for the latest stable release](https://docs.expo.dev/versions/latest/sdk/securestore/).
+For [managed](https://docs.expo.dev/archive/managed-vs-bare/) Expo projects, please follow the installation instructions in the [API documentation for the latest stable release](https://docs.expo.dev/versions/latest/sdk/securestore/).
 
 # Installation in bare React Native projects
 
@@ -25,7 +25,7 @@ For bare React Native projects, you must ensure that you have [installed and con
 ### Add the package to your npm dependencies
 
 ```
-expo install expo-secure-store
+npx expo install expo-secure-store
 ```
 
 ### Configure for iOS

package/android/build.gradle

@@ -3,7 +3,7 @@ apply plugin: 'kotlin-android'
 apply plugin: 'maven-publish'
 
 group = 'host.exp.exponent'
-version = '12.1.1'
+version = '12.3.0'
 
 buildscript {
   def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
@@ -35,19 +35,11 @@ buildscript {
   }
 }
 
-// Creating sources with comments
-task androidSourcesJar(type: Jar) {
-  classifier = 'sources'
-  from android.sourceSets.main.java.srcDirs
-}
-
 afterEvaluate {
   publishing {
     publications {
       release(MavenPublication) {
         from components.release
-        // Add additional sourcesJar to artifacts
-        artifact(androidSourcesJar)
       }
     }
     repositories {
@@ -70,15 +62,21 @@ android {
     jvmTarget = JavaVersion.VERSION_11.majorVersion
   }
 
+  namespace "expo.modules.securestore"
   defaultConfig {
     minSdkVersion safeExtGet("minSdkVersion", 21)
     targetSdkVersion safeExtGet("targetSdkVersion", 33)
     versionCode 17
-    versionName '12.1.1'
+    versionName '12.3.0'
   }
   lintOptions {
     abortOnError false
   }
+  publishing {
+    singleVariant("release") {
+      withSourcesJar()
+    }
+  }
 }
 
 dependencies {

package/android/src/main/AndroidManifest.xml

@@ -1,2 +1,2 @@
-<manifest package="expo.modules.securestore">
+<manifest>
 </manifest>

package/android/src/main/java/expo/modules/securestore/SecureStoreExceptions.kt

@@ -0,0 +1,27 @@
+package expo.modules.securestore
+
+import expo.modules.core.errors.CodedException
+
+internal class NullKeyException :
+  CodedException("SecureStore keys must not be null")
+
+internal class WriteException(message: String?, cause: Throwable?) :
+  CodedException(message ?: "An unexpected error occurred when writing to SecureStore", cause)
+
+internal class ReadException(cause: Throwable?) :
+  CodedException("An unexpected error occurred when reading from SecureStore", cause)
+
+internal class SecureStoreIOException(cause: Throwable?) :
+  CodedException("There was an I/O error loading the keystore for SecureStore", cause)
+
+internal class EncryptException(message: String?, cause: Throwable?) :
+  CodedException(message ?: "Could not encrypt the value for SecureStore", cause)
+
+internal class DecryptException(message: String?, cause: Throwable?) :
+  CodedException(message ?: "Could not decrypt the value for SecureStore", cause)
+
+internal class SecureStoreJSONException(message: String?, cause: Throwable?) :
+  CodedException(message, cause)
+
+internal class DeleteException(message: String?, cause: Throwable?) :
+  CodedException(message ?: "An unexpected error occurred when deleting from SecureStore", cause)

package/android/src/main/java/expo/modules/securestore/SecureStoreModule.java

@@ -8,6 +8,7 @@ import android.os.Build;
 import android.preference.PreferenceManager;
 import android.security.KeyPairGeneratorSpec;
 import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
 import android.security.keystore.KeyProperties;
 import android.text.TextUtils;
 import android.util.Base64;
@@ -39,6 +40,7 @@ import java.security.spec.InvalidParameterSpecException;
 import java.util.Date;
 
 import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.KeyGenerator;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
@@ -81,16 +83,16 @@ public class SecureStoreModule extends ExportedModule {
   @SuppressWarnings("unused")
   public void setValueWithKeyAsync(String value, String key, ReadableArguments options, Promise promise) {
     try {
-      setItemImpl(key, value, options, promise);
+      setItemImpl(key, value, options, promise, false);
     } catch (Exception e) {
       Log.e(TAG, "Caught unexpected exception when writing to SecureStore", e);
-      promise.reject("E_SECURESTORE_WRITE_ERROR", "An unexpected error occurred when writing to SecureStore", e);
+      promise.reject(new WriteException(null, e));
     }
   }
 
-  private void setItemImpl(String key, String value, ReadableArguments options, Promise promise) {
+  private void setItemImpl(String key, String value, ReadableArguments options, Promise promise, boolean keyIsInvalidated) {
     if (key == null) {
-      promise.reject("E_SECURESTORE_NULL_KEY", "SecureStore keys must not be null");
+      promise.reject(new NullKeyException());
       return;
     }
 
@@ -101,7 +103,7 @@ public class SecureStoreModule extends ExportedModule {
       if (success) {
         promise.resolve(null);
       } else {
-        promise.reject("E_SECURESTORE_WRITE_ERROR", "Could not write a null value to SecureStore");
+        promise.reject(new WriteException("Could not write a null value to SecureStore", null));
       }
       return;
     }
@@ -114,6 +116,10 @@ public class SecureStoreModule extends ExportedModule {
       // use in the encrypted JSON item so that we know how to decode and decrypt it when reading
       // back a value.
       if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+        if (keyIsInvalidated) {
+          String alias = mAESEncrypter.getKeyStoreAlias(options);
+          keyStore.deleteEntry(alias);
+        }
         KeyStore.SecretKeyEntry secretKeyEntry = getKeyEntry(KeyStore.SecretKeyEntry.class, mAESEncrypter, options);
         mAESEncrypter.createEncryptedItem(promise, value, keyStore, secretKeyEntry, options, mAuthenticationHelper.getDefaultCallback(), (innerPromise, result) -> {
           JSONObject obj = (JSONObject) result;
@@ -130,23 +136,45 @@ public class SecureStoreModule extends ExportedModule {
       }
     } catch (IOException e) {
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_IO_ERROR", "There was an I/O error loading the keystore for SecureStore", e);
-      return;
-    } catch (GeneralSecurityException e) {
+      promise.reject(new SecureStoreIOException(e));
+    } catch (IllegalBlockSizeException e) {
+      // Sometimes, android throws IllegalBlockSizeException when the fingerprint has been changed.
+      // https://github.com/expo/expo/issues/22312. It should be handled the same way as KeyPermanentlyInvalidatedException
+      boolean isInvalidationException = e.getCause() != null && e.getCause().getMessage() != null && e.getCause().getMessage().contains("Key user not authenticated");
+
+      if(isInvalidationException && !keyIsInvalidated) {
+        setItemImpl(key, value, options, promise, true);
+        Log.w(TAG, "IllegalBlockSizeException, retrying with the key deleted");
+        return;
+      }
+      // If the issue persists after deleting the key it is likely not related to invalidation
+      promise.reject(new EncryptException(null, e));
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_ENCRYPT_ERROR", "Could not encrypt the value for SecureStore", e);
-      return;
+    } catch (GeneralSecurityException e) {
+      boolean isInvalidationException = Build.VERSION.SDK_INT >= Build.VERSION_CODES.M && e instanceof KeyPermanentlyInvalidatedException;
+
+      if (isInvalidationException && !keyIsInvalidated) {
+        // If the key has been invalidated by the OS we try to reinitialize it.
+        Log.w(TAG, "Key has been invalidated, retrying with the key deleted");
+        setItemImpl(key, value, options, promise, true);
+      } else if (isInvalidationException) {
+        Log.w(TAG, e);
+        // If reinitialization of the key fails, reject the promise
+        promise.reject(new EncryptException("Encryption Failed. The key has been permanently invalidated and cannot be reinitialized", e));
+      } else {
+        Log.w(TAG, e);
+        promise.reject(new EncryptException(null, e));
+      }
     } catch (JSONException e) {
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_ENCODE_ERROR", "Could not create an encrypted JSON item for SecureStore", e);
-      return;
+      promise.reject(new SecureStoreJSONException("Could not create an encrypted JSON item for SecureStore", e));
     }
   }
 
   private void saveEncryptedItem(Promise promise, JSONObject encryptedItem, SharedPreferences prefs, String key) {
     String encryptedItemString = encryptedItem.toString();
     if (encryptedItemString == null) { // lint warning suppressed, JSONObject#toString() may return null
-      promise.reject("E_SECURESTORE_JSON_ERROR", "Could not JSON-encode the encrypted item for SecureStore");
+      promise.reject(new SecureStoreJSONException("Could not JSON-encode the encrypted item for SecureStore", null));
       return;
     }
 
@@ -154,7 +182,7 @@ public class SecureStoreModule extends ExportedModule {
     if (success) {
       promise.resolve(null);
     } else {
-      promise.reject("E_SECURESTORE_WRITE_ERROR", "Could not write encrypted JSON to SecureStore");
+      promise.reject(new WriteException("Could not write encrypted JSON to SecureStore", null));
     }
   }
 
@@ -165,7 +193,7 @@ public class SecureStoreModule extends ExportedModule {
       getItemImpl(key, options, promise);
     } catch (Exception e) {
       Log.e(TAG, "Caught unexpected exception when reading from SecureStore", e);
-      promise.reject("E_SECURESTORE_READ_ERROR", "An unexpected error occurred when reading from SecureStore", e);
+      promise.reject(new ReadException(e));
     }
   }
 
@@ -187,14 +215,14 @@ public class SecureStoreModule extends ExportedModule {
       encryptedItem = new JSONObject(encryptedItemString);
     } catch (JSONException e) {
       Log.e(TAG, String.format("Could not parse stored value as JSON (key = %s, value = %s)", key, encryptedItemString), e);
-      promise.reject("E_SECURESTORE_JSON_ERROR", "Could not parse the encrypted JSON item in SecureStore");
+      promise.reject(new SecureStoreJSONException("Could not parse the encrypted JSON item in SecureStore", e));
       return;
     }
 
     String scheme = encryptedItem.optString(SCHEME_PROPERTY);
     if (scheme == null) {
       Log.e(TAG, String.format("Stored JSON object is missing a scheme (key = %s, value = %s)", key, encryptedItemString));
-      promise.reject("E_SECURESTORE_DECODE_ERROR", "Could not find the encryption scheme used for SecureStore item");
+      promise.reject(new DecryptException("Could not find the encryption scheme used for SecureStore item", null));
       return;
     }
 
@@ -211,21 +239,22 @@ public class SecureStoreModule extends ExportedModule {
         default:
           String message = String.format("The item for key \"%s\" in SecureStore has an unknown encoding scheme (%s)", key, scheme);
           Log.e(TAG, message);
-          promise.reject("E_SECURESTORE_DECODE_ERROR", message);
-          return;
+          promise.reject(new DecryptException(message, null));
       }
     } catch (IOException e) {
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_IO_ERROR", "There was an I/O error loading the keystore for SecureStore", e);
-      return;
+      promise.reject(new SecureStoreIOException(e));
     } catch (GeneralSecurityException e) {
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M && e instanceof KeyPermanentlyInvalidatedException) {
+        Log.w(TAG, "The requested key has been permanently invalidated. Returning null");
+        promise.resolve(null);
+        return;
+      }
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_DECRYPT_ERROR", "Could not decrypt the item in SecureStore", e);
-      return;
+      promise.reject(new DecryptException(null, e));
     } catch (JSONException e) {
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_DECODE_ERROR", "Could not decode the encrypted JSON item in SecureStore", e);
-      return;
+      promise.reject(new SecureStoreJSONException("Could not decode the encrypted JSON item in SecureStore", e));
     }
   }
 
@@ -248,24 +277,24 @@ public class SecureStoreModule extends ExportedModule {
       String keystoreAlias = encrypter.getKeyStoreAlias(options);
 
       if (!keyStore.containsAlias(keystoreAlias)) {
-        promise.reject("E_SECURESTORE_DECRYPT_ERROR", "Could not find the keystore entry to decrypt the legacy item in SecureStore");
+        promise.reject(new DecryptException("Could not find the keystore entry to decrypt the legacy item in SecureStore", null));
         return;
       }
 
       KeyStore.Entry keyStoreEntry = keyStore.getEntry(keystoreAlias, null);
       if (!(keyStoreEntry instanceof KeyStore.PrivateKeyEntry)) {
-        promise.reject("E_SECURESTORE_DECRYPT_ERROR", "The keystore entry for the legacy item is not a private key entry");
+        promise.reject(new DecryptException("The keystore entry for the legacy item is not a private key entry", null));
         return;
       }
 
       value = encrypter.decryptItem(encryptedItem, (KeyStore.PrivateKeyEntry) keyStoreEntry);
     } catch (IOException e) {
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_IO_ERROR", "There was an I/O error loading the keystore for SecureStore", e);
+      promise.reject(new SecureStoreIOException(e));
       return;
     } catch (GeneralSecurityException e) {
       Log.w(TAG, e);
-      promise.reject("E_SECURESTORE_DECRYPT_ERROR", "Could not decrypt the item in SecureStore", e);
+      promise.reject(new DecryptException(null, e));
       return;
     }
 
@@ -279,7 +308,7 @@ public class SecureStoreModule extends ExportedModule {
       deleteItemImpl(key, promise);
     } catch (Exception e) {
       Log.e(TAG, "Caught unexpected exception when deleting from SecureStore", e);
-      promise.reject("E_SECURESTORE_DELETE_ERROR", "An unexpected error occurred when deleting item from SecureStore", e);
+      promise.reject(new DeleteException(null, e));
     }
   }
 
@@ -298,7 +327,7 @@ public class SecureStoreModule extends ExportedModule {
     if (success) {
       promise.resolve(null);
     } else {
-      promise.reject("E_SECURESTORE_DELETE_ERROR", "Could not delete the item from SecureStore");
+      promise.reject(new DeleteException("Could not delete the item from SecureStore", null));
     }
   }
 

package/build/ExpoSecureStore.d.ts

@@ -1,3 +1,3 @@
-declare const _default: import("expo-modules-core").ProxyNativeModule;
+declare const _default: any;
 export default _default;
 //# sourceMappingURL=ExpoSecureStore.d.ts.map

package/build/ExpoSecureStore.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ExpoSecureStore.d.ts","sourceRoot":"","sources":["../src/ExpoSecureStore.ts"],"names":[],"mappings":";AACA,wBAAwD"}
+{"version":3,"file":"ExpoSecureStore.d.ts","sourceRoot":"","sources":["../src/ExpoSecureStore.ts"],"names":[],"mappings":";AACA,wBAAsD"}

package/build/ExpoSecureStore.js

@@ -1,3 +1,3 @@
-import { NativeModulesProxy } from 'expo-modules-core';
-export default NativeModulesProxy.ExpoSecureStore || {};
+import { requireNativeModule } from 'expo-modules-core';
+export default requireNativeModule('ExpoSecureStore');
 //# sourceMappingURL=ExpoSecureStore.js.map

package/build/ExpoSecureStore.js.map

@@ -1 +1 @@
-{"version":3,"file":"ExpoSecureStore.js","sourceRoot":"","sources":["../src/ExpoSecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,eAAe,kBAAkB,CAAC,eAAe,IAAI,EAAE,CAAC","sourcesContent":["import { NativeModulesProxy } from 'expo-modules-core';\nexport default NativeModulesProxy.ExpoSecureStore || {};\n"]}
+{"version":3,"file":"ExpoSecureStore.js","sourceRoot":"","sources":["../src/ExpoSecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,eAAe,mBAAmB,CAAC,iBAAiB,CAAC,CAAC","sourcesContent":["import { requireNativeModule } from 'expo-modules-core';\nexport default requireNativeModule('ExpoSecureStore');\n"]}

package/build/SecureStore.d.ts

@@ -35,16 +35,17 @@ export declare const WHEN_UNLOCKED: KeychainAccessibilityConstant;
 export declare const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant;
 export type SecureStoreOptions = {
     /**
-     * - iOS: The item's service, equivalent to `kSecAttrService`
-     * - Android: Equivalent of the public/private key pair `Alias`
+     * - Android: Equivalent of the public/private key pair `Alias`.
+     * - iOS: The item's service, equivalent to [`kSecAttrService`](https://developer.apple.com/documentation/security/ksecattrservice/).
      * > If the item is set with the `keychainService` option, it will be required to later fetch the value.
      */
     keychainService?: string;
     /**
      * Option responsible for enabling the usage of the user authentication methods available on the device while
      * accessing data stored in SecureStore.
-     * - iOS: Equivalent to `kSecAccessControlBiometryCurrentSet`
-     * - Android: Equivalent to `setUserAuthenticationRequired(true)` (requires API 23).
+     * - Android: Equivalent to [`setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean))
+     *   (requires API 23).
+     * - iOS: Equivalent to [`kSecAccessControlBiometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolbiometrycurrentset/).
      * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`
      * value used for the others non-authenticated operations.
      */
@@ -55,7 +56,7 @@ export type SecureStoreOptions = {
     authenticationPrompt?: string;
     /**
      * Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible` property.
-     * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html).
+     * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/documentation/security/ksecattraccessible/).
      * @default SecureStore.WHEN_UNLOCKED
      * @platform ios
      */
@@ -66,7 +67,7 @@ export type SecureStoreOptions = {
  * permissions.
  *
  * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available
- * on the current device. Currently this resolves `true` on iOS and Android only.
+ * on the current device. Currently, this resolves `true` on Android and iOS only.
  */
 export declare function isAvailableAsync(): Promise<boolean>;
 /**
@@ -84,8 +85,12 @@ export declare function deleteItemAsync(key: string, options?: SecureStoreOption
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that resolves to the previously stored value, or `null` if there is no entry
- * for the given key. The promise will reject if an error occurred while retrieving the value.
+ * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry
+ * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.
+ *
+ * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.
+ * > After a key has been invalidated, it becomes impossible to read its value.
+ * > This only applies to values stored with `requireAuthentication` set to `true`.
  */
 export declare function getItemAsync(key: string, options?: SecureStoreOptions): Promise<string | null>;
 /**

package/build/SecureStore.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecureStore.d.ts","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,6BAA6B,GAAG,MAAM,CAAC;AAGnD;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,EAAE,6BAAkE,CAAC;AAGpG;;;GAGG;AACH,eAAO,MAAM,mCAAmC,EAAE,6BACG,CAAC;AAGtD;;;GAGG;AACH,eAAO,MAAM,MAAM,EAAE,6BAAsD,CAAC;AAG5E;;;GAGG;AACH,eAAO,MAAM,kCAAkC,EAAE,6BACG,CAAC;AAGrD;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,6BACG,CAAC;AAG1C;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,6BAA6D,CAAC;AAG1F;;;GAGG;AACH,eAAO,MAAM,8BAA8B,EAAE,6BACG,CAAC;AAKjD,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;OAOG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;OAEG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,6BAA6B,CAAC;CACpD,CAAC;AAGF;;;;;;GAMG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAEzD;AAGD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CAOf;AAGD;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGxB;AAGD;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CAWf"}
+{"version":3,"file":"SecureStore.d.ts","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,6BAA6B,GAAG,MAAM,CAAC;AAGnD;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,EAAE,6BAAkE,CAAC;AAGpG;;;GAGG;AACH,eAAO,MAAM,mCAAmC,EAAE,6BACG,CAAC;AAGtD;;;GAGG;AACH,eAAO,MAAM,MAAM,EAAE,6BAAsD,CAAC;AAG5E;;;GAGG;AACH,eAAO,MAAM,kCAAkC,EAAE,6BACG,CAAC;AAGrD;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,6BACG,CAAC;AAG1C;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,6BAA6D,CAAC;AAG1F;;;GAGG;AACH,eAAO,MAAM,8BAA8B,EAAE,6BACG,CAAC;AAKjD,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;OAQG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;OAEG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,6BAA6B,CAAC;CACpD,CAAC;AAGF;;;;;;GAMG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAEzD;AAGD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CAOf;AAGD;;;;;;;;;;;;GAYG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGxB;AAGD;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CAWf"}

package/build/SecureStore.js

@@ -48,7 +48,7 @@ const VALUE_BYTES_LIMIT = 2048;
  * permissions.
  *
  * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available
- * on the current device. Currently this resolves `true` on iOS and Android only.
+ * on the current device. Currently, this resolves `true` on Android and iOS only.
  */
 export async function isAvailableAsync() {
     return !!ExpoSecureStore.getValueWithKeyAsync;
@@ -76,8 +76,12 @@ export async function deleteItemAsync(key, options = {}) {
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that resolves to the previously stored value, or `null` if there is no entry
- * for the given key. The promise will reject if an error occurred while retrieving the value.
+ * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry
+ * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.
+ *
+ * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.
+ * > After a key has been invalidated, it becomes impossible to read its value.
+ * > This only applies to values stored with `requireAuthentication` set to `true`.
  */
 export async function getItemAsync(key, options = {}) {
     _ensureValidKey(key);

package/build/SecureStore.js.map

@@ -1 +1 @@
-{"version":3,"file":"SecureStore.js","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,eAAe,MAAM,mBAAmB,CAAC;AAIhD,cAAc;AACd;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAkC,eAAe,CAAC,kBAAkB,CAAC;AAEpG,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAC9C,eAAe,CAAC,mCAAmC,CAAC;AAEtD,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,MAAM,GAAkC,eAAe,CAAC,MAAM,CAAC;AAE5E,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAC7C,eAAe,CAAC,kCAAkC,CAAC;AAErD,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAClC,eAAe,CAAC,uBAAuB,CAAC;AAE1C,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAkC,eAAe,CAAC,aAAa,CAAC;AAE1F,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GACzC,eAAe,CAAC,8BAA8B,CAAC;AAEjD,MAAM,iBAAiB,GAAG,IAAI,CAAC;AAgC/B,cAAc;AACd;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,OAAO,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;AAChD,CAAC;AAED,cAAc;AACd;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IAErB,IAAI,CAAC,eAAe,CAAC,uBAAuB,EAAE;QAC5C,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;KACjE;IACD,MAAM,eAAe,CAAC,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAED,cAAc;AACd;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,OAAO,MAAM,eAAe,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,cAAc;AACd;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,KAAa,EACb,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE;QACzB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IACD,IAAI,CAAC,eAAe,CAAC,oBAAoB,EAAE;QACzC,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;KAC9D;IACD,MAAM,eAAe,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE;QACrB,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;KACH;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QAC7B,OAAO,KAAK,CAAC;KACd;IACD,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE;QACzC,OAAO,CAAC,IAAI,CACV,0HAA0H,CAC3H,CAAC;KACH;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QACrC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAEtC,gDAAgD;QAChD,IAAI,SAAS,IAAI,MAAM,IAAI,SAAS,GAAG,MAAM,EAAE;YAC7C,IAAI,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE;gBAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAErC,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,GAAG,MAAM,EAAE;oBACnC,KAAK,IAAI,CAAC,CAAC;oBACX,CAAC,EAAE,CAAC;oBACJ,SAAS;iBACV;aACF;SACF;QAED,KAAK,IAAI,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KAC3D;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import { UnavailabilityError } from 'expo-modules-core';\n\nimport ExpoSecureStore from './ExpoSecureStore';\n\nexport type KeychainAccessibilityConstant = number;\n\n// @needsAudit\n/**\n * The data in the keychain item cannot be accessed after a restart until the device has been\n * unlocked once by the user. This may be useful if you need to access the item when the phone\n * is locked.\n */\nexport const AFTER_FIRST_UNLOCK: KeychainAccessibilityConstant = ExpoSecureStore.AFTER_FIRST_UNLOCK;\n\n// @needsAudit\n/**\n * Similar to `AFTER_FIRST_UNLOCK`, except the entry is not migrated to a new device when restoring\n * from a backup.\n */\nexport const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can always be accessed regardless of whether the device is locked.\n * This is the least secure option.\n */\nexport const ALWAYS: KeychainAccessibilityConstant = ExpoSecureStore.ALWAYS;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED_THIS_DEVICE_ONLY`, except the user must have set a passcode in order to\n * store an entry. If the user removes their passcode, the entry will be deleted.\n */\nexport const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.\n */\nexport const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can be accessed only while the device is unlocked by the user.\n */\nexport const WHEN_UNLOCKED: KeychainAccessibilityConstant = ExpoSecureStore.WHEN_UNLOCKED;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED`, except the entry is not migrated to a new device when restoring from\n * a backup.\n */\nexport const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;\n\nconst VALUE_BYTES_LIMIT = 2048;\n\n// @needsAudit\nexport type SecureStoreOptions = {\n  /**\n   * - iOS: The item's service, equivalent to `kSecAttrService`\n   * - Android: Equivalent of the public/private key pair `Alias`\n   * > If the item is set with the `keychainService` option, it will be required to later fetch the value.\n   */\n  keychainService?: string;\n  /**\n   * Option responsible for enabling the usage of the user authentication methods available on the device while\n   * accessing data stored in SecureStore.\n   * - iOS: Equivalent to `kSecAccessControlBiometryCurrentSet`\n   * - Android: Equivalent to `setUserAuthenticationRequired(true)` (requires API 23).\n   * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`\n   * value used for the others non-authenticated operations.\n   */\n  requireAuthentication?: boolean;\n  /**\n   * Custom message displayed to the user while `requireAuthentication` option is turned on.\n   */\n  authenticationPrompt?: string;\n  /**\n   * Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible` property.\n   * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html).\n   * @default SecureStore.WHEN_UNLOCKED\n   * @platform ios\n   */\n  keychainAccessible?: KeychainAccessibilityConstant;\n};\n\n// @needsAudit\n/**\n * Returns whether the SecureStore API is enabled on the current device. This does not check the app\n * permissions.\n *\n * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available\n * on the current device. Currently this resolves `true` on iOS and Android only.\n */\nexport async function isAvailableAsync(): Promise<boolean> {\n  return !!ExpoSecureStore.getValueWithKeyAsync;\n}\n\n// @needsAudit\n/**\n * Delete the value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if the value couldn't be deleted.\n */\nexport async function deleteItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n\n  if (!ExpoSecureStore.deleteValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'deleteItemAsync');\n  }\n  await ExpoSecureStore.deleteValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Fetch the stored value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that resolves to the previously stored value, or `null` if there is no entry\n * for the given key. The promise will reject if an error occurred while retrieving the value.\n */\nexport async function getItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<string | null> {\n  _ensureValidKey(key);\n  return await ExpoSecureStore.getValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Store a key–value pair.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters\n * `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if value cannot be stored on the device.\n */\nexport async function setItemAsync(\n  key: string,\n  value: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n  if (!_isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n  if (!ExpoSecureStore.setValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'setItemAsync');\n  }\n  await ExpoSecureStore.setValueWithKeyAsync(value, key, options);\n}\n\nfunction _ensureValidKey(key: string) {\n  if (!_isValidKey(key)) {\n    throw new Error(\n      `Invalid key provided to SecureStore. Keys must not be empty and contain only alphanumeric characters, \".\", \"-\", and \"_\".`\n    );\n  }\n}\n\nfunction _isValidKey(key: string) {\n  return typeof key === 'string' && /^[\\w.-]+$/.test(key);\n}\n\nfunction _isValidValue(value: string) {\n  if (typeof value !== 'string') {\n    return false;\n  }\n  if (_byteCount(value) > VALUE_BYTES_LIMIT) {\n    console.warn(\n      'Provided value to SecureStore is larger than 2048 bytes. An attempt to store such a value will throw an error in SDK 35.'\n    );\n  }\n  return true;\n}\n\n// copy-pasted from https://stackoverflow.com/a/39488643\nfunction _byteCount(value: string) {\n  let bytes = 0;\n\n  for (let i = 0; i < value.length; i++) {\n    const codePoint = value.charCodeAt(i);\n\n    // Lone surrogates cannot be passed to encodeURI\n    if (codePoint >= 0xd800 && codePoint < 0xe000) {\n      if (codePoint < 0xdc00 && i + 1 < value.length) {\n        const next = value.charCodeAt(i + 1);\n\n        if (next >= 0xdc00 && next < 0xe000) {\n          bytes += 4;\n          i++;\n          continue;\n        }\n      }\n    }\n\n    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;\n  }\n\n  return bytes;\n}\n"]}
+{"version":3,"file":"SecureStore.js","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,eAAe,MAAM,mBAAmB,CAAC;AAIhD,cAAc;AACd;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAkC,eAAe,CAAC,kBAAkB,CAAC;AAEpG,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAC9C,eAAe,CAAC,mCAAmC,CAAC;AAEtD,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,MAAM,GAAkC,eAAe,CAAC,MAAM,CAAC;AAE5E,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAC7C,eAAe,CAAC,kCAAkC,CAAC;AAErD,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAClC,eAAe,CAAC,uBAAuB,CAAC;AAE1C,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAkC,eAAe,CAAC,aAAa,CAAC;AAE1F,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GACzC,eAAe,CAAC,8BAA8B,CAAC;AAEjD,MAAM,iBAAiB,GAAG,IAAI,CAAC;AAiC/B,cAAc;AACd;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,OAAO,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;AAChD,CAAC;AAED,cAAc;AACd;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IAErB,IAAI,CAAC,eAAe,CAAC,uBAAuB,EAAE;QAC5C,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;KACjE;IACD,MAAM,eAAe,CAAC,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAED,cAAc;AACd;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,OAAO,MAAM,eAAe,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,cAAc;AACd;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,KAAa,EACb,UAA8B,EAAE;IAEhC,eAAe,CAAC,GAAG,CAAC,CAAC;IACrB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE;QACzB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IACD,IAAI,CAAC,eAAe,CAAC,oBAAoB,EAAE;QACzC,MAAM,IAAI,mBAAmB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;KAC9D;IACD,MAAM,eAAe,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE;QACrB,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;KACH;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QAC7B,OAAO,KAAK,CAAC;KACd;IACD,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE;QACzC,OAAO,CAAC,IAAI,CACV,0HAA0H,CAC3H,CAAC;KACH;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QACrC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAEtC,gDAAgD;QAChD,IAAI,SAAS,IAAI,MAAM,IAAI,SAAS,GAAG,MAAM,EAAE;YAC7C,IAAI,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE;gBAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAErC,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,GAAG,MAAM,EAAE;oBACnC,KAAK,IAAI,CAAC,CAAC;oBACX,CAAC,EAAE,CAAC;oBACJ,SAAS;iBACV;aACF;SACF;QAED,KAAK,IAAI,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KAC3D;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import { UnavailabilityError } from 'expo-modules-core';\n\nimport ExpoSecureStore from './ExpoSecureStore';\n\nexport type KeychainAccessibilityConstant = number;\n\n// @needsAudit\n/**\n * The data in the keychain item cannot be accessed after a restart until the device has been\n * unlocked once by the user. This may be useful if you need to access the item when the phone\n * is locked.\n */\nexport const AFTER_FIRST_UNLOCK: KeychainAccessibilityConstant = ExpoSecureStore.AFTER_FIRST_UNLOCK;\n\n// @needsAudit\n/**\n * Similar to `AFTER_FIRST_UNLOCK`, except the entry is not migrated to a new device when restoring\n * from a backup.\n */\nexport const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can always be accessed regardless of whether the device is locked.\n * This is the least secure option.\n */\nexport const ALWAYS: KeychainAccessibilityConstant = ExpoSecureStore.ALWAYS;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED_THIS_DEVICE_ONLY`, except the user must have set a passcode in order to\n * store an entry. If the user removes their passcode, the entry will be deleted.\n */\nexport const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.\n */\nexport const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can be accessed only while the device is unlocked by the user.\n */\nexport const WHEN_UNLOCKED: KeychainAccessibilityConstant = ExpoSecureStore.WHEN_UNLOCKED;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED`, except the entry is not migrated to a new device when restoring from\n * a backup.\n */\nexport const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;\n\nconst VALUE_BYTES_LIMIT = 2048;\n\n// @needsAudit\nexport type SecureStoreOptions = {\n  /**\n   * - Android: Equivalent of the public/private key pair `Alias`.\n   * - iOS: The item's service, equivalent to [`kSecAttrService`](https://developer.apple.com/documentation/security/ksecattrservice/).\n   * > If the item is set with the `keychainService` option, it will be required to later fetch the value.\n   */\n  keychainService?: string;\n  /**\n   * Option responsible for enabling the usage of the user authentication methods available on the device while\n   * accessing data stored in SecureStore.\n   * - Android: Equivalent to [`setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean))\n   *   (requires API 23).\n   * - iOS: Equivalent to [`kSecAccessControlBiometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolbiometrycurrentset/).\n   * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`\n   * value used for the others non-authenticated operations.\n   */\n  requireAuthentication?: boolean;\n  /**\n   * Custom message displayed to the user while `requireAuthentication` option is turned on.\n   */\n  authenticationPrompt?: string;\n  /**\n   * Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible` property.\n   * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/documentation/security/ksecattraccessible/).\n   * @default SecureStore.WHEN_UNLOCKED\n   * @platform ios\n   */\n  keychainAccessible?: KeychainAccessibilityConstant;\n};\n\n// @needsAudit\n/**\n * Returns whether the SecureStore API is enabled on the current device. This does not check the app\n * permissions.\n *\n * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available\n * on the current device. Currently, this resolves `true` on Android and iOS only.\n */\nexport async function isAvailableAsync(): Promise<boolean> {\n  return !!ExpoSecureStore.getValueWithKeyAsync;\n}\n\n// @needsAudit\n/**\n * Delete the value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if the value couldn't be deleted.\n */\nexport async function deleteItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n\n  if (!ExpoSecureStore.deleteValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'deleteItemAsync');\n  }\n  await ExpoSecureStore.deleteValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Fetch the stored value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry\n * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.\n *\n * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.\n * > After a key has been invalidated, it becomes impossible to read its value.\n * > This only applies to values stored with `requireAuthentication` set to `true`.\n */\nexport async function getItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<string | null> {\n  _ensureValidKey(key);\n  return await ExpoSecureStore.getValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Store a key–value pair.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters\n * `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if value cannot be stored on the device.\n */\nexport async function setItemAsync(\n  key: string,\n  value: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  _ensureValidKey(key);\n  if (!_isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n  if (!ExpoSecureStore.setValueWithKeyAsync) {\n    throw new UnavailabilityError('SecureStore', 'setItemAsync');\n  }\n  await ExpoSecureStore.setValueWithKeyAsync(value, key, options);\n}\n\nfunction _ensureValidKey(key: string) {\n  if (!_isValidKey(key)) {\n    throw new Error(\n      `Invalid key provided to SecureStore. Keys must not be empty and contain only alphanumeric characters, \".\", \"-\", and \"_\".`\n    );\n  }\n}\n\nfunction _isValidKey(key: string) {\n  return typeof key === 'string' && /^[\\w.-]+$/.test(key);\n}\n\nfunction _isValidValue(value: string) {\n  if (typeof value !== 'string') {\n    return false;\n  }\n  if (_byteCount(value) > VALUE_BYTES_LIMIT) {\n    console.warn(\n      'Provided value to SecureStore is larger than 2048 bytes. An attempt to store such a value will throw an error in SDK 35.'\n    );\n  }\n  return true;\n}\n\n// copy-pasted from https://stackoverflow.com/a/39488643\nfunction _byteCount(value: string) {\n  let bytes = 0;\n\n  for (let i = 0; i < value.length; i++) {\n    const codePoint = value.charCodeAt(i);\n\n    // Lone surrogates cannot be passed to encodeURI\n    if (codePoint >= 0xd800 && codePoint < 0xe000) {\n      if (codePoint < 0xdc00 && i + 1 < value.length) {\n        const next = value.charCodeAt(i + 1);\n\n        if (next >= 0xdc00 && next < 0xe000) {\n          bytes += 4;\n          i++;\n          continue;\n        }\n      }\n    }\n\n    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;\n  }\n\n  return bytes;\n}\n"]}

package/expo-module.config.json

@@ -0,0 +1,6 @@
+{
+  "platforms": ["ios", "android"],
+  "ios": {
+    "modules": ["SecureStoreModule"]
+  }
+}

package/ios/{EXSecureStore.podspec → ExpoSecureStore.podspec}

@@ -3,7 +3,7 @@ require 'json'
 package = JSON.parse(File.read(File.join(__dir__, '..', 'package.json')))
 
 Pod::Spec.new do |s|
-  s.name           = 'EXSecureStore'
+  s.name           = 'ExpoSecureStore'
   s.version        = package['version']
   s.summary        = package['description']
   s.description    = package['description']
@@ -11,15 +11,22 @@ Pod::Spec.new do |s|
   s.author         = package['author']
   s.homepage       = package['homepage']
   s.platform       = :ios, '13.0'
+  s.swift_version  = '5.4'
   s.source         = { git: 'https://github.com/expo/expo.git' }
   s.static_framework = true
 
   s.dependency 'ExpoModulesCore'
 
+  # Swift/Objective-C compatibility
+  s.pod_target_xcconfig = {
+    'DEFINES_MODULE' => 'YES',
+    'SWIFT_COMPILATION_MODE' => 'wholemodule'
+  }
+  
   if !$ExpoUseSources&.include?(package['name']) && ENV['EXPO_USE_SOURCE'].to_i == 0 && File.exist?("#{s.name}.xcframework") && Gem::Version.new(Pod::VERSION) >= Gem::Version.new('1.10.0')
-    s.source_files = "#{s.name}/**/*.h"
+    s.source_files = "**/*.h"
     s.vendored_frameworks = "#{s.name}.xcframework"
   else
-    s.source_files = "#{s.name}/**/*.{h,m}"
+    s.source_files = "**/*.{h,m,swift}"
   end
 end

package/ios/SecureStoreAccessible.swift

@@ -0,0 +1,11 @@
+import ExpoModulesCore
+
+enum SecureStoreAccessible: Int, Enumerable {
+  case afterFirstUnlock = 0
+  case afterFirstUnlockThisDeviceOnly = 1
+  case always = 2
+  case whenPasscodeSetThisDeviceOnly = 3
+  case alwaysThisDeviceOnly = 4
+  case whenUnlocked = 5
+  case whenUnlockedThisDeviceOnly = 6
+}

package/ios/SecureStoreExceptions.swift

@@ -0,0 +1,55 @@
+import ExpoModulesCore
+
+internal class InvalidKeyException: Exception {
+  override var reason: String {
+    "Invalid key"
+  }
+}
+
+internal class KeyChainException: GenericException<OSStatus> {
+  override var reason: String {
+    switch param {
+    case errSecUnimplemented:
+      return "Function or operation not implemented."
+
+    case errSecIO:
+      return "I/O error."
+
+    case errSecOpWr:
+      return "File already open with with write permission."
+
+    case errSecParam:
+      return "One or more parameters passed to a function where not valid."
+
+    case errSecAllocate:
+      return "Failed to allocate memory."
+
+    case errSecUserCanceled:
+      return "User canceled the operation."
+
+    case errSecBadReq:
+      return "Bad parameter or invalid state for operation."
+
+    case errSecNotAvailable:
+      return "No keychain is available. You may need to restart your computer."
+
+    case errSecDuplicateItem:
+      return "The specified item already exists in the keychain."
+
+    case errSecItemNotFound:
+      return "The specified item could not be found in the keychain."
+
+    case errSecInteractionNotAllowed:
+      return "User interaction is not allowed."
+
+    case errSecDecode:
+      return "Unable to decode the provided data."
+
+    case errSecAuthFailed:
+      return "Authentication failed. Provided passphrase/PIN is incorrect or there is no user authentication method configured for this device."
+
+    default:
+      return "Unknown Keychain Error."
+    }
+  }
+}

package/ios/SecureStoreModule.swift

@@ -0,0 +1,160 @@
+import ExpoModulesCore
+import LocalAuthentication
+import Security
+
+public final class SecureStoreModule: Module {
+  public func definition() -> ModuleDefinition {
+    Name("ExpoSecureStore")
+
+    Constants([
+      "AFTER_FIRST_UNLOCK": SecureStoreAccessible.afterFirstUnlock.rawValue,
+      "AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY": SecureStoreAccessible.afterFirstUnlockThisDeviceOnly.rawValue,
+      "ALWAYS": SecureStoreAccessible.always.rawValue,
+      "WHEN_PASSCODE_SET_THIS_DEVICE_ONLY": SecureStoreAccessible.whenPasscodeSetThisDeviceOnly.rawValue,
+      "ALWAYS_THIS_DEVICE_ONLY": SecureStoreAccessible.alwaysThisDeviceOnly.rawValue,
+      "WHEN_UNLOCKED": SecureStoreAccessible.whenUnlocked.rawValue,
+      "WHEN_UNLOCKED_THIS_DEVICE_ONLY": SecureStoreAccessible.whenPasscodeSetThisDeviceOnly.rawValue
+    ])
+
+    AsyncFunction("getValueWithKeyAsync") { (key: String, options: SecureStoreOptions) -> String? in
+      guard let key = validate(for: key) else {
+        throw InvalidKeyException()
+      }
+
+      let data = try searchKeyChain(with: key, options: options)
+
+      guard let data = data else {
+        return nil
+      }
+
+      return String(data: data, encoding: .utf8)
+    }
+
+    AsyncFunction("setValueWithKeyAsync") { (value: String, key: String, options: SecureStoreOptions) -> Bool in
+      guard let key = validate(for: key) else {
+        throw InvalidKeyException()
+      }
+
+      return try set(value: value, with: key, options: options)
+    }
+
+    AsyncFunction("deleteValueWithKeyAsync") { (key: String, options: SecureStoreOptions) in
+      var searchDictionary = query(with: key, options: options)
+      SecItemDelete(searchDictionary as CFDictionary)
+    }
+  }
+
+  private func set(value: String, with key: String, options: SecureStoreOptions) throws -> Bool {
+    var query = query(with: key, options: options)
+
+    let valueData = value.data(using: .utf8)
+    query[kSecValueData as String] = valueData
+
+    let accessibility = attributeWith(options: options)
+
+    if !options.requireAuthentication {
+      query[kSecAttrAccessible as String] = accessibility
+    } else {
+      let accessOptions = SecAccessControlCreateWithFlags(kCFAllocatorDefault, accessibility, SecAccessControlCreateFlags.biometryCurrentSet, nil)
+      query[kSecAttrAccessControl as String] = accessOptions
+    }
+
+    let status = SecItemAdd(query as CFDictionary, nil)
+
+    switch status {
+    case errSecSuccess:
+      return true
+    case errSecDuplicateItem:
+      return try update(value: value, with: key, options: options)
+    default:
+      throw KeyChainException(status)
+    }
+  }
+
+  private func update(value: String, with key: String, options: SecureStoreOptions) throws -> Bool {
+    var query = query(with: key, options: options)
+
+    let valueData = value.data(using: .utf8)
+    let updateDictionary = [kSecValueData as String: valueData]
+
+    if let authPrompt = options.authenticationPrompt {
+      query[kSecUseOperationPrompt as String] = authPrompt
+    }
+
+    let status = SecItemUpdate(query as CFDictionary, updateDictionary as CFDictionary)
+
+    if status == errSecSuccess {
+      return true
+    } else {
+      throw KeyChainException(status)
+    }
+  }
+
+  private func searchKeyChain(with key: String, options: SecureStoreOptions) throws -> Data? {
+    var query = query(with: key, options: options)
+
+    query[kSecMatchLimit as String] = kSecMatchLimitOne
+    query[kSecReturnData as String] = kCFBooleanTrue
+
+    if let authPrompt = options.authenticationPrompt {
+      query[kSecUseOperationPrompt as String] = authPrompt
+    }
+
+    var item: CFTypeRef?
+    let status = SecItemCopyMatching(query as CFDictionary, &item)
+
+    switch status {
+    case errSecSuccess:
+      guard let item = item as? Data else {
+        return nil
+      }
+
+      return item
+    case errSecItemNotFound:
+      return nil
+    default:
+      throw KeyChainException(status)
+    }
+  }
+
+  private func query(with key: String, options: SecureStoreOptions) -> [String: Any] {
+    let service = options.keychainService ?? "app"
+    let encodedKey = key.data(using: .utf8)
+
+    return [
+      kSecClass as String: kSecClassGenericPassword,
+      kSecAttrService as String: service,
+      kSecAttrGeneric as String: encodedKey,
+      kSecAttrAccount as String: encodedKey
+    ]
+  }
+
+  private func attributeWith(options: SecureStoreOptions) -> CFString {
+    switch options.keychainAccessible {
+    case .afterFirstUnlock:
+      return kSecAttrAccessibleAfterFirstUnlock
+    case .afterFirstUnlockThisDeviceOnly:
+      return kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+    case .always:
+      return kSecAttrAccessibleAlways
+    case .whenPasscodeSetThisDeviceOnly:
+      return kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
+    case .whenUnlocked:
+      return kSecAttrAccessibleWhenUnlocked
+    case .alwaysThisDeviceOnly:
+      return kSecAttrAccessibleAlwaysThisDeviceOnly
+    case .whenUnlockedThisDeviceOnly:
+      return kSecAttrAccessibleWhenUnlockedThisDeviceOnly
+    default:
+      return kSecAttrAccessibleWhenUnlocked
+    }
+  }
+
+  private func validate(for key: String) -> String? {
+    let trimmedKey = key.trimmingCharacters(in: .whitespaces)
+    if trimmedKey.isEmpty {
+      return nil
+    }
+    return key
+  }
+}

package/ios/SecureStoreOptions.swift

@@ -0,0 +1,15 @@
+import ExpoModulesCore
+
+internal struct SecureStoreOptions: Record {
+  @Field
+  var authenticationPrompt: String?
+
+  @Field
+  var keychainAccessible: SecureStoreAccessible = .whenUnlocked
+
+  @Field
+  var keychainService: String?
+
+  @Field
+  var requireAuthentication: Bool
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "expo-secure-store",
-  "version": "12.1.1",
+  "version": "12.3.0",
   "description": "Provides a way to encrypt and securely store key–value pairs locally on the device.",
   "main": "build/SecureStore.js",
   "types": "build/SecureStore.d.ts",
@@ -42,5 +42,5 @@
   "peerDependencies": {
     "expo": "*"
   },
-  "gitHead": "1f8a6a09570fd451378565ca34933018ce48454e"
+  "gitHead": "3ccd2edee9cbfed217557675cb50f0ba5e55a9e4"
 }

package/src/ExpoSecureStore.ts

@@ -1,2 +1,2 @@
-import { NativeModulesProxy } from 'expo-modules-core';
-export default NativeModulesProxy.ExpoSecureStore || {};
+import { requireNativeModule } from 'expo-modules-core';
+export default requireNativeModule('ExpoSecureStore');

package/src/SecureStore.ts

@@ -61,16 +61,17 @@ const VALUE_BYTES_LIMIT = 2048;
 // @needsAudit
 export type SecureStoreOptions = {
   /**
-   * - iOS: The item's service, equivalent to `kSecAttrService`
-   * - Android: Equivalent of the public/private key pair `Alias`
+   * - Android: Equivalent of the public/private key pair `Alias`.
+   * - iOS: The item's service, equivalent to [`kSecAttrService`](https://developer.apple.com/documentation/security/ksecattrservice/).
    * > If the item is set with the `keychainService` option, it will be required to later fetch the value.
    */
   keychainService?: string;
   /**
    * Option responsible for enabling the usage of the user authentication methods available on the device while
    * accessing data stored in SecureStore.
-   * - iOS: Equivalent to `kSecAccessControlBiometryCurrentSet`
-   * - Android: Equivalent to `setUserAuthenticationRequired(true)` (requires API 23).
+   * - Android: Equivalent to [`setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean))
+   *   (requires API 23).
+   * - iOS: Equivalent to [`kSecAccessControlBiometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolbiometrycurrentset/).
    * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`
    * value used for the others non-authenticated operations.
    */
@@ -81,7 +82,7 @@ export type SecureStoreOptions = {
   authenticationPrompt?: string;
   /**
    * Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible` property.
-   * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html).
+   * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/documentation/security/ksecattraccessible/).
    * @default SecureStore.WHEN_UNLOCKED
    * @platform ios
    */
@@ -94,7 +95,7 @@ export type SecureStoreOptions = {
  * permissions.
  *
  * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available
- * on the current device. Currently this resolves `true` on iOS and Android only.
+ * on the current device. Currently, this resolves `true` on Android and iOS only.
  */
 export async function isAvailableAsync(): Promise<boolean> {
   return !!ExpoSecureStore.getValueWithKeyAsync;
@@ -128,8 +129,12 @@ export async function deleteItemAsync(
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that resolves to the previously stored value, or `null` if there is no entry
- * for the given key. The promise will reject if an error occurred while retrieving the value.
+ * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry
+ * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.
+ *
+ * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.
+ * > After a key has been invalidated, it becomes impossible to read its value.
+ * > This only applies to values stored with `requireAuthentication` set to `true`.
  */
 export async function getItemAsync(
   key: string,

package/ios/EXSecureStore/EXSecureStore.h

@@ -1,18 +0,0 @@
-//  Copyright © 2018 650 Industries. All rights reserved.
-
-#import <ExpoModulesCore/EXExportedModule.h>
-#import <ExpoModulesCore/EXModuleRegistryConsumer.h>
-
-typedef NS_ENUM(NSInteger, EXSecureStoreAccessible) {
-  EXSecureStoreAccessibleAfterFirstUnlock = 0,
-  EXSecureStoreAccessibleAfterFirstUnlockThisDeviceOnly = 1,
-  EXSecureStoreAccessibleAlways = 2,
-  EXSecureStoreAccessibleWhenPasscodeSetThisDeviceOnly = 3,
-  EXSecureStoreAccessibleAlwaysThisDeviceOnly = 4,
-  EXSecureStoreAccessibleWhenUnlocked = 5,
-  EXSecureStoreAccessibleWhenUnlockedThisDeviceOnly = 6
-};
-
-@interface EXSecureStore : EXExportedModule
-
-@end

package/ios/EXSecureStore/EXSecureStore.m

@@ -1,298 +0,0 @@
-//  Copyright © 2018 650 Industries. All rights reserved.
-
-#import <EXSecureStore/EXSecureStore.h>
-
-#import <CommonCrypto/CommonHMAC.h>
-#import <Security/Security.h>
-
-@implementation EXSecureStore
-
-#pragma mark - internal
-
-- (NSMutableDictionary *)_queryWithKey:(NSString *)key withOptions:(NSDictionary *)options
-{
-  NSString *service = (NSString *) options[@"keychainService"] ? (NSString *) options[@"keychainService"]:@"app";
-  NSData *encodedKey = [key dataUsingEncoding:NSUTF8StringEncoding];
-  NSMutableDictionary *query = [@{
-                                  (__bridge id)kSecClass:(__bridge id)kSecClassGenericPassword,
-                                  (__bridge id)kSecAttrService:service,
-                                  (__bridge id)kSecAttrGeneric:encodedKey,
-                                  (__bridge id)kSecAttrAccount:encodedKey
-                                  } mutableCopy];
-
-  return query;
-}
-
-- (BOOL)_setValue:(NSString *)value withKey:(NSString *)key withOptions:(NSDictionary *)options error:(NSError **)error
-{
-  NSMutableDictionary *dictionary = [self _queryWithKey:key
-                                            withOptions:options];
-
-  NSString *requireAuth = options[@"requireAuthentication"];
-
-  NSData *valueData = [value dataUsingEncoding:NSUTF8StringEncoding];
-  [dictionary setObject:valueData forKey:(__bridge id)kSecValueData];
-
-  CFStringRef accessibility = [self _accessibilityAttributeWithOptions:options];
-  
-  if (![requireAuth boolValue]) {
-    [dictionary setObject:(__bridge id)accessibility forKey:(__bridge id)kSecAttrAccessible];
-  } else {
-    SecAccessControlRef accessOptions = SecAccessControlCreateWithFlags(nil, accessibility, kSecAccessControlBiometryCurrentSet, nil);
-    [dictionary setObject:(__bridge_transfer id)accessOptions forKey:(__bridge id)kSecAttrAccessControl];
-  }
-
-  OSStatus status = SecItemAdd((__bridge CFDictionaryRef)dictionary, NULL);
-
-  if (status == errSecSuccess) {
-    return YES;
-  } else if (status == errSecDuplicateItem){
-    NSError *updateError;
-    BOOL update = [self _updateValue:value
-                             withKey:key
-                         withOptions:options
-                               error:&updateError];
-    *error = updateError;
-    return update;
-  } else {
-    *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
-    return NO;
-  }
-}
-
-- (NSString *)_getValueWithKey:(NSString *)key withOptions:(NSDictionary *)options error:(NSError **)error
-{
-  NSError *searchError;
-  NSData *data = [self _searchKeychainWithKey:key
-                                  withOptions:options
-                                        error:&searchError];
-  if (data) {
-    NSString *value = [[NSString alloc] initWithData:data
-                                            encoding:NSUTF8StringEncoding];
-    return value;
-  } else {
-    *error = searchError;
-    return nil;
-  }
-}
-
-- (BOOL)_updateValue:(NSString *)value withKey:(NSString *)key withOptions:(NSDictionary *)options error:(NSError **)error
-{
-  NSMutableDictionary *searchDictionary = [self _queryWithKey:key
-                                                  withOptions:options];
-  NSData *valueData = [value dataUsingEncoding:NSUTF8StringEncoding];
-  NSDictionary *updateDictionary = @{(__bridge id)kSecValueData:valueData};
-  
-  if ((NSString *) options[@"authenticationPrompt"]) {
-    NSString *promptText = options[@"authenticationPrompt"];
-    [searchDictionary setObject:promptText forKey:(__bridge id)kSecUseOperationPrompt];
-  }
-
-  OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)searchDictionary,
-                                  (__bridge CFDictionaryRef)updateDictionary);
-
-  if (status == errSecSuccess) {
-    return YES;
-  } else {
-    *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
-    return NO;
-  }
-}
-
-- (NSData *)_searchKeychainWithKey:(NSString *)key withOptions:(NSDictionary *)options error:(NSError **)error
-{
-  NSMutableDictionary *searchDictionary = [self _queryWithKey:key
-                                                  withOptions:options];
-
-  [searchDictionary setObject:(__bridge id)kSecMatchLimitOne forKey:(__bridge id)kSecMatchLimit];
-  [searchDictionary setObject:(__bridge id)kCFBooleanTrue forKey:(__bridge id)kSecReturnData];
-  
-  if ((NSString *) options[@"authenticationPrompt"]) {
-    NSString *promptText = options[@"authenticationPrompt"];
-    [searchDictionary setObject:promptText forKey:(__bridge id)kSecUseOperationPrompt];
-  }
-
-  CFTypeRef foundDict = NULL;
-  OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)searchDictionary, &foundDict);
-
-  if (status == noErr) {
-    NSData *result = (__bridge_transfer NSData *)foundDict;
-    return result;
-  } else {
-    *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
-    return nil;
-  }
-}
-
-- (void)_deleteValueWithKey:(NSString *)key withOptions:(NSDictionary *)options
-{
-  NSMutableDictionary *searchDictionary = [self _queryWithKey:key
-                                                  withOptions:options];
-  CFDictionaryRef dictionary = (__bridge CFDictionaryRef)searchDictionary;
-
-  SecItemDelete(dictionary);
-}
-
-- (CFStringRef)_accessibilityAttributeWithOptions:(NSDictionary *)options
-{
-  NSInteger accessibility = [options[@"keychainAccessible"] integerValue];
-  switch (accessibility) {
-    case EXSecureStoreAccessibleAfterFirstUnlock:
-      return kSecAttrAccessibleAfterFirstUnlock;
-    case EXSecureStoreAccessibleAfterFirstUnlockThisDeviceOnly:
-      return kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
-    case EXSecureStoreAccessibleAlways:
-      return kSecAttrAccessibleAlways;
-    case EXSecureStoreAccessibleWhenPasscodeSetThisDeviceOnly:
-      return kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly;
-    case EXSecureStoreAccessibleWhenUnlocked:
-      return kSecAttrAccessibleWhenUnlocked;
-    case EXSecureStoreAccessibleAlwaysThisDeviceOnly:
-      return kSecAttrAccessibleAlwaysThisDeviceOnly;
-    case EXSecureStoreAccessibleWhenUnlockedThisDeviceOnly:
-      return kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
-    default:
-      return kSecAttrAccessibleWhenUnlocked;
-  }
-}
-
-+ (NSString *) _messageForError:(NSError *)error
-{
-  switch (error.code) {
-    case errSecUnimplemented:
-      return @"Function or operation not implemented.";
-
-    case errSecIO:
-      return @"I/O error.";
-
-    case errSecOpWr:
-      return @"File already open with with write permission.";
-
-    case errSecParam:
-      return @"One or more parameters passed to a function where not valid.";
-
-    case errSecAllocate:
-      return @"Failed to allocate memory.";
-
-    case errSecUserCanceled:
-      return @"User canceled the operation.";
-
-    case errSecBadReq:
-      return @"Bad parameter or invalid state for operation.";
-
-    case errSecNotAvailable:
-      return @"No keychain is available. You may need to restart your computer.";
-
-    case errSecDuplicateItem:
-      return @"The specified item already exists in the keychain.";
-
-    case errSecItemNotFound:
-      return @"The specified item could not be found in the keychain.";
-
-    case errSecInteractionNotAllowed:
-      return @"User interaction is not allowed.";
-
-    case errSecDecode:
-      return @"Unable to decode the provided data.";
-
-    case errSecAuthFailed:
-      return @"Authentication failed. Provided passphrase/PIN is incorrect or there is no user authentication method configured for this device.";
-
-    default:
-      return error.localizedDescription;
-  }
-}
-
-#pragma mark - SecureStore API
-
-- (NSDictionary *)constantsToExport
-{
-  return @{
-           @"AFTER_FIRST_UNLOCK":@(EXSecureStoreAccessibleAfterFirstUnlock),
-           @"AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY":@(EXSecureStoreAccessibleAfterFirstUnlockThisDeviceOnly),
-           @"ALWAYS":@(EXSecureStoreAccessibleAlways),
-           @"WHEN_PASSCODE_SET_THIS_DEVICE_ONLY":@(EXSecureStoreAccessibleWhenPasscodeSetThisDeviceOnly),
-           @"ALWAYS_THIS_DEVICE_ONLY":@(EXSecureStoreAccessibleAlwaysThisDeviceOnly),
-           @"WHEN_UNLOCKED":@(EXSecureStoreAccessibleWhenUnlocked),
-           @"WHEN_UNLOCKED_THIS_DEVICE_ONLY":@(EXSecureStoreAccessibleWhenUnlockedThisDeviceOnly)
-           };
-};
-
-EX_EXPORT_MODULE(ExpoSecureStore);
-
-EX_EXPORT_METHOD_AS(setValueWithKeyAsync,
-                    setValueWithKeyAsync:(NSString *)value
-                    key:(NSString *)key
-                    options:(NSDictionary *)options
-                    resolver:(EXPromiseResolveBlock)resolve
-                    rejecter:(EXPromiseRejectBlock)reject)
-{
-  NSString *validatedKey = [self validatedKey:key];
-  if (!validatedKey) {
-    reject(@"E_SECURESTORE_SETVALUEFAIL", @"Invalid key", nil);
-  } else {
-    NSError *error;
-    BOOL setValue = [self _setValue:value
-                            withKey:validatedKey
-                        withOptions:options
-                              error:&error];
-    if (setValue) {
-      resolve(nil);
-    } else {
-      reject(@"E_SECURESTORE_SETVALUEFAIL", [[self class] _messageForError:error], nil);
-    }
-  }
-}
-
-EX_EXPORT_METHOD_AS(getValueWithKeyAsync,
-                    getValueWithKeyAsync:(NSString *)key
-                    options:(NSDictionary *)options
-                    resolver:(EXPromiseResolveBlock)resolve
-                    rejecter:(EXPromiseRejectBlock)reject)
-{
-  NSString *validatedKey = [self validatedKey:key];
-  if (!validatedKey) {
-    reject(@"E_SECURESTORE_GETVALUEFAIL", @"Invalid key", nil);
-  } else {
-    NSError *error;
-    NSString *value = [self _getValueWithKey:validatedKey
-                                 withOptions:options
-                                       error:&error];
-    if (error) {
-      if (error.code == errSecItemNotFound) {
-        resolve([NSNull null]);
-      } else {
-        reject(@"E_SECURESTORE_GETVALUEFAIL", [[self class] _messageForError:error], nil);
-      }
-    } else {
-      resolve(value);
-    }
-  }
-}
-
-EX_EXPORT_METHOD_AS(deleteValueWithKeyAsync,
-                    deleteValueWithKeyAsync:(NSString *)key
-                    options:(NSDictionary *)options
-                    resolver:(EXPromiseResolveBlock)resolve
-                    rejecter:(EXPromiseRejectBlock)reject)
-{
-  NSString *validatedKey = [self validatedKey:key];
-  if (!validatedKey) {
-    reject(@"E_SECURESTORE_DELETEVALUEFAIL", @"Invalid key", nil);
-  } else {
-    [self _deleteValueWithKey:validatedKey
-                  withOptions:options];
-    resolve(nil);
-  }
-}
-
-- (NSString *)validatedKey:(NSString *)key
-{
-  NSString *trimmedKey = [key stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]];
-  if (!key || trimmedKey.length == 0) {
-    return nil;
-  }
-  return key;
-}
-
-@end

package/unimodule.json

@@ -1,4 +0,0 @@
-{
-  "name": "expo-secure-store",
-  "platforms": ["ios", "android"]
-}