expo-secure-store 12.4.1 → 12.6.0

package/CHANGELOG.md

@@ -10,6 +10,24 @@
 
 ### 💡 Others
 
+## 12.6.0 — 2023-10-17
+
+### 🛠 Breaking changes
+
+- Dropped support for Android SDK 21 and 22. ([#24201](https://github.com/expo/expo/pull/24201) by [@behenate](https://github.com/behenate))
+
+### 🐛 Bug fixes
+
+- Fixed the 'WHEN_UNLOCKED_THIS_DEVICE_ONLY' constraint being incorrectly mapped to wrong secure store accessible ([#24831](https://github.com/expo/expo/pull/24831) by [@mmmguitar](https://github.com/mmmguitar))
+
+## 12.5.0 — 2023-09-04
+
+### 🎉 New features
+
+- [Android] Migrated to Expo Modules API. ([#23804](https://github.com/expo/expo/pull/23804) by [@behenate](https://github.com/behenate))
+- [Android] It is now possible to store values that require authentication and ones that don't under the same `keychainService`. ([#23804](https://github.com/expo/expo/pull/23804) by [@behenate](https://github.com/behenate))
+- Added support for React Native 0.73. ([#24018](https://github.com/expo/expo/pull/24018) by [@kudo](https://github.com/kudo))
+
 ## 12.4.1 — 2023-08-02
 
 _This version does not introduce any user-facing changes._

package/android/build.gradle

@@ -3,15 +3,20 @@ apply plugin: 'kotlin-android'
 apply plugin: 'maven-publish'
 
 group = 'host.exp.exponent'
-version = '12.4.1'
+version = '12.6.0'
 
-buildscript {
-  def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
-  if (expoModulesCorePlugin.exists()) {
-    apply from: expoModulesCorePlugin
-    applyKotlinExpoModulesCorePlugin()
+def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
+if (expoModulesCorePlugin.exists()) {
+  apply from: expoModulesCorePlugin
+  applyKotlinExpoModulesCorePlugin()
+  // Remove this check, but keep the contents after SDK49 support is dropped
+  if (safeExtGet("expoProvidesDefaultConfig", false)) {
+    useExpoPublishing()
+    useCoreDependencies()
   }
+}
 
+buildscript {
   // Simple helper that allows the root project to override versions declared by this library.
   ext.safeExtGet = { prop, fallback ->
     rootProject.ext.has(prop) ? rootProject.ext.get(prop) : fallback
@@ -35,54 +40,71 @@ buildscript {
   }
 }
 
-afterEvaluate {
-  publishing {
-    publications {
-      release(MavenPublication) {
-        from components.release
+// Remove this if and it's contents, when support for SDK49 is dropped
+if (!safeExtGet("expoProvidesDefaultConfig", false)) {
+  afterEvaluate {
+    publishing {
+      publications {
+        release(MavenPublication) {
+          from components.release
+        }
       }
-    }
-    repositories {
-      maven {
-        url = mavenLocal().url
+      repositories {
+        maven {
+          url = mavenLocal().url
+        }
       }
     }
   }
 }
 
 android {
-  compileSdkVersion safeExtGet("compileSdkVersion", 33)
+  // Remove this if and it's contents, when support for SDK49 is dropped
+  if (!safeExtGet("expoProvidesDefaultConfig", false)) {
+    compileSdkVersion safeExtGet("compileSdkVersion", 33)
+
+    defaultConfig {
+      minSdkVersion safeExtGet("minSdkVersion", 23)
+      targetSdkVersion safeExtGet("targetSdkVersion", 33)
+    }
+
+    publishing {
+      singleVariant("release") {
+        withSourcesJar()
+      }
+    }
 
-  compileOptions {
-    sourceCompatibility JavaVersion.VERSION_11
-    targetCompatibility JavaVersion.VERSION_11
+    lintOptions {
+      abortOnError false
+    }
   }
 
-  kotlinOptions {
-    jvmTarget = JavaVersion.VERSION_11.majorVersion
+  def agpVersion = com.android.Version.ANDROID_GRADLE_PLUGIN_VERSION
+  if (agpVersion.tokenize('.')[0].toInteger() < 8) {
+    compileOptions {
+      sourceCompatibility JavaVersion.VERSION_11
+      targetCompatibility JavaVersion.VERSION_11
+    }
+
+    kotlinOptions {
+      jvmTarget = JavaVersion.VERSION_11.majorVersion
+    }
   }
 
   namespace "expo.modules.securestore"
   defaultConfig {
-    minSdkVersion safeExtGet("minSdkVersion", 21)
-    targetSdkVersion safeExtGet("targetSdkVersion", 33)
     versionCode 17
-    versionName '12.4.1'
-  }
-  lintOptions {
-    abortOnError false
-  }
-  publishing {
-    singleVariant("release") {
-      withSourcesJar()
-    }
+    versionName '12.6.0'
   }
 }
 
 dependencies {
-  implementation project(':expo-modules-core')
+  // Remove this if and it's contents, when support for SDK49 is dropped
+  if (!safeExtGet("expoProvidesDefaultConfig", false)) {
+    implementation project(':expo-modules-core')
+    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${getKotlinVersion()}"
+  }
 
   api "androidx.biometric:biometric:1.1.0"
 
-  implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${getKotlinVersion()}"
 }

package/android/src/main/java/expo/modules/securestore/AuthenticationHelper.kt

@@ -1,212 +1,89 @@
 package expo.modules.securestore
 
+import android.annotation.SuppressLint
 import android.app.Activity
 import android.content.Context
 import android.os.Build
-import android.util.Log
 import androidx.biometric.BiometricManager
 import androidx.biometric.BiometricPrompt
-import androidx.biometric.BiometricPrompt.PromptInfo
-import androidx.core.content.ContextCompat
 import androidx.fragment.app.FragmentActivity
 import expo.modules.core.ModuleRegistry
-import expo.modules.core.Promise
-import expo.modules.core.arguments.ReadableArguments
 import expo.modules.core.interfaces.ActivityProvider
-import expo.modules.core.interfaces.services.UIManager
-import org.json.JSONException
-import org.json.JSONObject
-import java.security.GeneralSecurityException
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.withContext
 import javax.crypto.Cipher
-import javax.crypto.spec.GCMParameterSpec
 
 class AuthenticationHelper(
   private val context: Context,
   private val moduleRegistry: ModuleRegistry
 ) {
-  companion object {
-    private const val AUTHENTICATION_PROMPT_PROPERTY = "authenticationPrompt"
-    const val REQUIRE_AUTHENTICATION_PROPERTY = "requireAuthentication"
-  }
-
-  private val uiManager = moduleRegistry.getModule(UIManager::class.java)
   private var isAuthenticating = false
 
-  // Authentication callback decides whether the operation requires authentication (either by
-  // requiresAuthentication argument, or from options). When item needs to be encrypted/decrypted an
-  // instance of Authentication callback is passed to the relevant method.
-  // The method prepares the cipher and starts authentication callback with it. If the operation
-  // requires authentication, the biometric prompt is shown, otherwise the encryption callback
-  // is called.
-  // When the user is authenticated the encryption callback is ran with the unlocked cipher and does
-  // encryption/decryption. Finally the PostEncryptionCallback may be ran with the object returned
-  // by previous callback (to save encrypted data to SharedPreferences).
-
-  val defaultCallback: AuthenticationCallback = object : AuthenticationCallback {
-    override fun checkAuthentication(
-      promise: Promise,
-      cipher: Cipher,
-      gcmParameterSpec: GCMParameterSpec,
-      options: ReadableArguments,
-      encryptionCallback: EncryptionCallback,
-      postEncryptionCallback: PostEncryptionCallback?
-    ) {
-      val requiresAuthentication = options.getBoolean(REQUIRE_AUTHENTICATION_PROPERTY, false)
-
-      checkAuthentication(
-        promise, requiresAuthentication, cipher, gcmParameterSpec, options, encryptionCallback, postEncryptionCallback
-      )
-    }
-
-    override fun checkAuthentication(
-      promise: Promise,
-      requiresAuthentication: Boolean,
-      cipher: Cipher,
-      gcmParameterSpec: GCMParameterSpec,
-      options: ReadableArguments,
-      encryptionCallback: EncryptionCallback,
-      postEncryptionCallback: PostEncryptionCallback?
-    ) {
-      if (requiresAuthentication) {
-        openAuthenticationPrompt(promise, options, encryptionCallback, cipher, gcmParameterSpec, postEncryptionCallback)
-      } else {
-        handleEncryptionCallback(promise, encryptionCallback, cipher, gcmParameterSpec, postEncryptionCallback)
-      }
-    }
-  }
-
-  fun handleEncryptionCallback(
-    promise: Promise,
-    encryptionCallback: EncryptionCallback,
-    cipher: Cipher,
-    gcmParameterSpec: GCMParameterSpec,
-    postEncryptionCallback: PostEncryptionCallback?
-  ) {
-    try {
-      encryptionCallback.run(promise, cipher, gcmParameterSpec, postEncryptionCallback)
-    } catch (exception: GeneralSecurityException) {
-      Log.w(SecureStoreModule.TAG, exception)
-      promise.reject(
-        "ERR_SECURESTORE_ENCRYPT_FAILURE",
-        "Could not encrypt/decrypt the value for SecureStore",
-        exception
-      )
-    } catch (exception: JSONException) {
-      Log.w(SecureStoreModule.TAG, exception)
-      promise.reject(
-        "ERR_SECURESTORE_ENCODE_FAILURE",
-        "Could not create an encrypted JSON item for SecureStore",
-        exception
-      )
+  suspend fun authenticateCipher(cipher: Cipher, requiresAuthentication: Boolean, title: String): Cipher {
+    if (requiresAuthentication) {
+      return openAuthenticationPrompt(cipher, title).cryptoObject?.cipher
+        ?: throw AuthenticationException("Couldn't get cipher from authentication result")
     }
+    return cipher
   }
 
-  private fun openAuthenticationPrompt(
-    promise: Promise,
-    options: ReadableArguments,
-    encryptionCallback: EncryptionCallback,
+  private suspend fun openAuthenticationPrompt(
     cipher: Cipher,
-    gcmParameterSpec: GCMParameterSpec,
-    postEncryptionCallback: PostEncryptionCallback?
-  ) {
+    title: String
+  ): BiometricPrompt.AuthenticationResult {
     if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
-      promise.reject(
-        "ERR_SECURESTORE_AUTH_NOT_AVAILABLE",
-        "Biometric authentication requires Android API 23"
-      )
-      return
+      throw AuthenticationException("Biometric authentication requires Android API 23")
     }
     if (isAuthenticating) {
-      promise.reject(
-        "ERR_SECURESTORE_AUTH_IN_PROGRESS",
-        "Authentication is already in progress"
-      )
-      return
+      throw AuthenticationException("Authentication is already in progress")
+    }
+
+    isAuthenticating = true
+
+    assertBiometricsSupport()
+    val fragmentActivity = getCurrentActivity() as? FragmentActivity
+      ?: throw AuthenticationException("Cannot display biometric prompt when the app is not in the foreground")
+
+    val authenticationPrompt = AuthenticationPrompt(fragmentActivity, context, title)
+
+    return withContext(Dispatchers.Main.immediate) {
+      try {
+        return@withContext authenticationPrompt.authenticate(cipher)
+          ?: throw AuthenticationException("Couldn't get the authentication result")
+      } finally {
+        isAuthenticating = false
+      }
     }
+  }
 
+  fun assertBiometricsSupport() {
     val biometricManager = BiometricManager.from(context)
+    @SuppressLint("SwitchIntDef") // BiometricManager.BIOMETRIC_SUCCESS shouldn't do anything
     when (biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)) {
       BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE, BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE -> {
-        promise.reject(
-          "ERR_SECURESTORE_AUTH_NOT_AVAILABLE",
-          "No hardware available for biometric authentication. Use expo-local-authentication to check if the device supports it."
-        )
-        return
+        throw AuthenticationException("No hardware available for biometric authentication. Use expo-local-authentication to check if the device supports it")
       }
       BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> {
-        promise.reject(
-          "ERR_SECURESTORE_AUTH_NOT_CONFIGURED",
-          "No biometrics are currently enrolled"
-        )
-        return
+        throw AuthenticationException("No biometrics are currently enrolled")
       }
-    }
-
-    val title = options.getString(AUTHENTICATION_PROMPT_PROPERTY, " ")
-
-    val promptInfo = PromptInfo.Builder()
-      .setTitle(title)
-      .setNegativeButtonText(context.getString(android.R.string.cancel))
-      .build()
-    val fragmentActivity = getCurrentActivity() as FragmentActivity?
-    if (fragmentActivity == null) {
-      promise.reject(
-        "ERR_SECURESTORE_APP_BACKGROUNDED",
-        "Cannot display biometric prompt when the app is not in the foreground"
-      )
-      return
-    }
-
-    uiManager.runOnUiQueueThread(
-      Runnable {
-        isAuthenticating = true
-
-        BiometricPrompt(
-          fragmentActivity,
-          ContextCompat.getMainExecutor(context),
-          object : BiometricPrompt.AuthenticationCallback() {
-            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
-              super.onAuthenticationSucceeded(result)
-              isAuthenticating = false
-
-              val cipher = result.cryptoObject!!.cipher!!
-              handleEncryptionCallback(
-                promise,
-                encryptionCallback,
-                cipher,
-                gcmParameterSpec,
-                { promise, result ->
-                  val obj = result as JSONObject
-                  obj.put(REQUIRE_AUTHENTICATION_PROPERTY, true)
-                  postEncryptionCallback?.run(promise, result)
-                }
-              )
-            }
-
-            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
-              super.onAuthenticationError(errorCode, errString)
-              isAuthenticating = false
-
-              if (errorCode == BiometricPrompt.ERROR_USER_CANCELED || errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON) {
-                promise.reject(
-                  "ERR_SECURESTORE_AUTH_CANCELLED",
-                  "User canceled the authentication"
-                )
-              } else {
-                promise.reject(
-                  "ERR_SECURESTORE_AUTH_FAILURE",
-                  "Could not authenticate the user"
-                )
-              }
-            }
-          }
-        ).authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
+      BiometricManager.BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED -> {
+        throw AuthenticationException("An update is required before the biometrics can be used")
+      }
+      BiometricManager.BIOMETRIC_ERROR_UNSUPPORTED -> {
+        throw AuthenticationException("Biometric authentication is unsupported")
       }
-    )
+      BiometricManager.BIOMETRIC_STATUS_UNKNOWN -> {
+        throw AuthenticationException("Biometric authentication status is unknown")
+      }
+    }
   }
 
   private fun getCurrentActivity(): Activity? {
     val activityProvider: ActivityProvider = moduleRegistry.getModule(ActivityProvider::class.java)
     return activityProvider.currentActivity
   }
+
+  companion object {
+    const val REQUIRE_AUTHENTICATION_PROPERTY = "requireAuthentication"
+  }
 }

package/android/src/main/java/expo/modules/securestore/AuthenticationPrompt.kt

@@ -0,0 +1,44 @@
+package expo.modules.securestore
+
+import android.content.Context
+import androidx.biometric.BiometricPrompt
+import androidx.biometric.BiometricPrompt.PromptInfo
+import androidx.core.content.ContextCompat
+import androidx.fragment.app.FragmentActivity
+import java.util.concurrent.Executor
+import javax.crypto.Cipher
+import kotlin.coroutines.resume
+import kotlin.coroutines.resumeWithException
+import kotlin.coroutines.suspendCoroutine
+
+class AuthenticationPrompt(private val currentActivity: FragmentActivity, context: Context, title: String) {
+  private var executor: Executor = ContextCompat.getMainExecutor(context)
+  private var promptInfo = PromptInfo.Builder()
+    .setTitle(title)
+    .setNegativeButtonText(context.getString(android.R.string.cancel))
+    .build()
+
+  suspend fun authenticate(cipher: Cipher): BiometricPrompt.AuthenticationResult? =
+    suspendCoroutine { continuation ->
+      BiometricPrompt(
+        currentActivity,
+        executor,
+        object : BiometricPrompt.AuthenticationCallback() {
+          override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
+            super.onAuthenticationError(errorCode, errString)
+
+            if (errorCode == BiometricPrompt.ERROR_USER_CANCELED || errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON) {
+              continuation.resumeWithException(AuthenticationException("User canceled the authentication"))
+            } else {
+              continuation.resumeWithException(AuthenticationException("Could not authenticate the user"))
+            }
+          }
+
+          override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
+            super.onAuthenticationSucceeded(result)
+            continuation.resume(result)
+          }
+        }
+      ).authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
+    }
+}

package/android/src/main/java/expo/modules/securestore/SecureStoreExceptions.kt

@@ -1,27 +1,24 @@
 package expo.modules.securestore
 
-import expo.modules.core.errors.CodedException
+import expo.modules.kotlin.exception.CodedException
 
 internal class NullKeyException :
   CodedException("SecureStore keys must not be null")
 
-internal class WriteException(message: String?, cause: Throwable?) :
-  CodedException(message ?: "An unexpected error occurred when writing to SecureStore", cause)
+internal class WriteException(message: String?, key: String, keychain: String, cause: Throwable? = null) :
+  CodedException("An error occurred when writing to key: '$key' under keychain: '$keychain'. Caused by: ${message ?: "unknown"}", cause)
 
-internal class ReadException(cause: Throwable?) :
-  CodedException("An unexpected error occurred when reading from SecureStore", cause)
+internal class EncryptException(message: String?, key: String, keychain: String, cause: Throwable? = null) :
+  CodedException("Could not encrypt the value for key '$key' under keychain '$keychain'. Caused by: ${message ?: "unknown"}", cause)
 
-internal class SecureStoreIOException(cause: Throwable?) :
-  CodedException("There was an I/O error loading the keystore for SecureStore", cause)
+internal class DecryptException(message: String?, key: String, keychain: String, cause: Throwable? = null) :
+  CodedException("Could not decrypt the value for key '$key' under keychain '$keychain'. Caused by: ${message ?: "unknown"}", cause)
 
-internal class EncryptException(message: String?, cause: Throwable?) :
-  CodedException(message ?: "Could not encrypt the value for SecureStore", cause)
+internal class DeleteException(message: String?, key: String, keychain: String, cause: Throwable? = null) :
+  CodedException("Could not delete the value for key '$key' under keychain '$keychain'. Caused by: ${message ?: "unknown"}", cause)
 
-internal class DecryptException(message: String?, cause: Throwable?) :
-  CodedException(message ?: "Could not decrypt the value for SecureStore", cause)
+internal class AuthenticationException(message: String?, cause: Throwable? = null) :
+  CodedException("Could not Authenticate the user: ${message ?: "unknown"}", cause)
 
-internal class SecureStoreJSONException(message: String?, cause: Throwable?) :
-  CodedException(message, cause)
-
-internal class DeleteException(message: String?, cause: Throwable?) :
-  CodedException(message ?: "An unexpected error occurred when deleting from SecureStore", cause)
+internal class KeyStoreException(message: String?) :
+  CodedException("An error occurred when accessing the keystore: ${message ?: "unknown"}")