npm - expo-secure-store - Versions diffs - 13.0.1 → 13.0.2 - Mend

expo-secure-store 13.0.1 → 13.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +7 -0
package/android/build.gradle +2 -2
package/android/src/main/java/expo/modules/securestore/SecureStoreModule.kt +46 -18
package/ios/SecureStoreExceptions.swift +3 -0
package/package.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -10,6 +10,13 @@
 ### 💡 Others
+## 13.0.2 — 2024-06-27
+### 🐛 Bug fixes
+- [iOS] Improve error message for unhandled errors ([#29394](https://github.com/expo/expo/pull/29394) by [@hassankhan](https://github.com/hassankhan))
+- [Android] Fix decryption errors after Android Auto Backup has restored `expo-secure-store` data. ([#29943](https://github.com/expo/expo/pull/29943) by [@behenate](https://github.com/behenate))
 ## 13.0.1 — 2024-04-23
 _This version does not introduce any user-facing changes._

package/android/build.gradle CHANGED Viewed

@@ -1,7 +1,7 @@
 apply plugin: 'com.android.library'
 group = 'host.exp.exponent'
-version = '13.0.1'
+version = '13.0.2'
 def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
 apply from: expoModulesCorePlugin
@@ -14,7 +14,7 @@ android {
   namespace "expo.modules.securestore"
   defaultConfig {
     versionCode 17
-    versionName '13.0.1'
+    versionName '13.0.2'
   }
 }

package/android/src/main/java/expo/modules/securestore/SecureStoreModule.kt CHANGED Viewed

@@ -133,13 +133,20 @@ open class SecureStoreModule : Module() {
     try {
       when (scheme) {
         AESEncryptor.NAME -> {
-          val secretKeyEntry = getPreferredKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
-            ?: throw DecryptException("Could not find a keychain for key $key$legacyReadFailedWarning", key, options.keychainService)
+          val secretKeyEntry = getKeyEntryCompat(SecretKeyEntry::class.java, mAESEncryptor, options, requireAuthentication, usesKeystoreSuffix) ?: run {
+            Log.w(
+              TAG,
+              "An entry was found for key $key under keychain ${options.keychainService}, but there is no corresponding KeyStore key. " +
+                "This situation occurs when the app is reinstalled. The value will be removed to avoid future errors. Returning null"
+            )
+            deleteItemImpl(key, options)
+            return null
+          }
           return mAESEncryptor.decryptItem(key, encryptedItem, secretKeyEntry, options, authenticationHelper)
         }
         HybridAESEncryptor.NAME -> {
-          val privateKeyEntry = getPreferredKeyEntry(PrivateKeyEntry::class.java, hybridAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
-            ?: throw DecryptException("Could not find a keychain for key $key$legacyReadFailedWarning", key, options.keychainService)
+          val privateKeyEntry = getKeyEntryCompat(PrivateKeyEntry::class.java, hybridAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
+            ?: return null
           return hybridAESEncryptor.decryptItem(key, encryptedItem, privateKeyEntry, options, authenticationHelper)
         }
         else -> {
@@ -150,7 +157,15 @@ open class SecureStoreModule : Module() {
       Log.w(TAG, "The requested key has been permanently invalidated. Returning null")
       return null
     } catch (e: BadPaddingException) {
-      throw (DecryptException("Could not decrypt the value with provided keychain $legacyReadFailedWarning", key, options.keychainService, e))
+      // The key from the KeyStore is unable to decode the entry. This is because a new key was generated, but the entries are encrypted using the old one.
+      // This usually means that the user has reinstalled the app. We can safely remove the old value and return null as it's impossible to decrypt it.
+      Log.w(
+        TAG,
+        "Failed to decrypt the entry for $key under keychain ${options.keychainService}. " +
+          "The entry in shared preferences is out of sync with the keystore. It will be removed, returning null."
+      )
+      deleteItemImpl(key, options)
+      return null
     } catch (e: GeneralSecurityException) {
       throw (DecryptException(e.message, key, options.keychainService, e))
     } catch (e: CodedException) {
@@ -185,7 +200,7 @@ open class SecureStoreModule : Module() {
        use in the encrypted JSON item so that we know how to decode and decrypt it when reading
        back a value.
        */
-      val secretKeyEntry: SecretKeyEntry = getKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, options.requireAuthentication)
+      val secretKeyEntry: SecretKeyEntry = getOrCreateKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, options.requireAuthentication)
       val encryptedItem = mAESEncryptor.createEncryptedItem(value, secretKeyEntry, options.requireAuthentication, options.authenticationPrompt, authenticationHelper)
       encryptedItem.put(SCHEME_PROPERTY, AESEncryptor.NAME)
       saveEncryptedItem(encryptedItem, prefs, keychainAwareKey, options.requireAuthentication, options.keychainService)
@@ -249,11 +264,14 @@ open class SecureStoreModule : Module() {
   }
   private fun removeKeyFromKeystore(keyStoreAlias: String, keychainService: String) {
+    keyStore.deleteEntry(keyStoreAlias)
+    removeAllEntriesUnderKeychainService(keychainService)
+  }
+  private fun removeAllEntriesUnderKeychainService(keychainService: String) {
     val sharedPreferences = getSharedPreferences()
     val allEntries: Map<String, *> = sharedPreferences.all
-    keyStore.deleteEntry(keyStoreAlias)
     // In order to avoid decryption failures we need to remove all entries that are using the deleted encryption key
     for ((key: String, value) in allEntries) {
       val valueString = value as? String ?: continue
@@ -302,26 +320,36 @@ open class SecureStoreModule : Module() {
     encryptor: KeyBasedEncryptor<E>,
     options: SecureStoreOptions,
     requireAuthentication: Boolean
-  ): E {
+  ): E? {
     val keystoreAlias = encryptor.getExtendedKeyStoreAlias(options, requireAuthentication)
-    val keyStoreEntry = if (!keyStore.containsAlias(keystoreAlias)) {
-      // Android won't allow us to generate the keys if the device doesn't support biometrics or no biometrics are enrolled
-      if (requireAuthentication) {
-        authenticationHelper.assertBiometricsSupport()
-      }
-      encryptor.initializeKeyStoreEntry(keyStore, options)
-    } else {
+    return if (keyStore.containsAlias(keystoreAlias)) {
       val entry = keyStore.getEntry(keystoreAlias, null)
       if (!keyStoreEntryClass.isInstance(entry)) {
         throw KeyStoreException("The entry for the keystore alias \"$keystoreAlias\" is not a ${keyStoreEntryClass.simpleName}")
       }
       keyStoreEntryClass.cast(entry)
         ?: throw KeyStoreException("The entry for the keystore alias \"$keystoreAlias\" couldn't be cast to correct class")
+    } else {
+      null
+    }
+  }
+  private fun <E : KeyStore.Entry> getOrCreateKeyEntry(
+    keyStoreEntryClass: Class<E>,
+    encryptor: KeyBasedEncryptor<E>,
+    options: SecureStoreOptions,
+    requireAuthentication: Boolean
+  ): E {
+    return getKeyEntry(keyStoreEntryClass, encryptor, options, requireAuthentication) ?: run {
+      // Android won't allow us to generate the keys if the device doesn't support biometrics or no biometrics are enrolled
+      if (requireAuthentication) {
+        authenticationHelper.assertBiometricsSupport()
+      }
+      encryptor.initializeKeyStoreEntry(keyStore, options)
     }
-    return keyStoreEntry
   }
-  private fun <E : KeyStore.Entry> getPreferredKeyEntry(
+  private fun <E : KeyStore.Entry> getKeyEntryCompat(
     keyStoreEntryClass: Class<E>,
     encryptor: KeyBasedEncryptor<E>,
     options: SecureStoreOptions,

package/ios/SecureStoreExceptions.swift CHANGED Viewed

@@ -55,6 +55,9 @@ internal class KeyChainException: GenericException<OSStatus> {
       return "Authentication failed. Provided passphrase/PIN is incorrect or there is no user authentication method configured for this device."
     default:
+      if let errorMessage = SecCopyErrorMessageString(param, nil) as? String {
+        return errorMessage
+      }
       return "Unknown Keychain Error."
     }
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "expo-secure-store",
-  "version": "13.0.1",
+  "version": "13.0.2",
   "description": "Provides a way to encrypt and securely store key-value pairs locally on the device.",
   "main": "build/SecureStore.js",
   "types": "build/SecureStore.d.ts",
@@ -42,5 +42,5 @@
   "peerDependencies": {
     "expo": "*"
   },
-  "gitHead": "ee4f30ef3b5fa567ad1bf94794197f7683fdd481"
+  "gitHead": "09b2d97bbc0f70f7c811ff9b6c9ad8808c5ad84b"
 }