expo-secure-store 13.0.2-canary-20240625-2333e70 → 13.1.0-canary-20240627-1402f4b

package/CHANGELOG.md

@@ -6,12 +6,17 @@
 
 ### 🎉 New features
 
+- [Android] Add a config plugin for configuring the Android backup system. ([#29944](https://github.com/expo/expo/pull/29944) by [@behenate](https://github.com/behenate))
+
 ### 🐛 Bug fixes
 
 - [iOS] Improve error message for unhandled errors ([#29394](https://github.com/expo/expo/pull/29394) by [@hassankhan](https://github.com/hassankhan))
+- [Android] Fix decryption errors after Android Auto Backup has restored `expo-secure-store` data. ([#29943](https://github.com/expo/expo/pull/29943) by [@behenate](https://github.com/behenate))
 
 ### 💡 Others
 
+- [iOS] check return value of SecAccessControlCreateWithFlags ([#29983](https://github.com/expo/expo/pull/29983) by [@vonovak](https://github.com/vonovak))
+
 ## 13.0.1 — 2024-04-23
 
 _This version does not introduce any user-facing changes._

package/README.md

@@ -11,8 +11,8 @@ Provides a way to encrypt and securely store key–value pairs locally on the de
 
 # API documentation
 
-- [Documentation for the main branch](https://github.com/expo/expo/blob/main/docs/pages/versions/unversioned/sdk/securestore.mdx)
 - [Documentation for the latest stable release](https://docs.expo.dev/versions/latest/sdk/securestore/)
+- [Documentation for the main branch](https://docs.expo.dev/versions/unversioned/sdk/securestore/)
 
 # Installation in managed Expo projects
 
@@ -28,14 +28,14 @@ For bare React Native projects, you must ensure that you have [installed and con
 npx expo install expo-secure-store
 ```
 
-### Configure for iOS
-
-Run `npx pod-install` after installing the npm package.
-
 ### Configure for Android
 
 No additional set up necessary.
 
+### Configure for iOS
+
+Run `npx pod-install` after installing the npm package.
+
 # Contributing
 
 Contributions are very welcome! Please refer to guidelines described in the [contributing guide](https://github.com/expo/expo#contributing).

package/android/src/main/java/expo/modules/securestore/SecureStoreModule.kt

@@ -133,13 +133,20 @@ open class SecureStoreModule : Module() {
     try {
       when (scheme) {
         AESEncryptor.NAME -> {
-          val secretKeyEntry = getPreferredKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
-            ?: throw DecryptException("Could not find a keychain for key $key$legacyReadFailedWarning", key, options.keychainService)
+          val secretKeyEntry = getKeyEntryCompat(SecretKeyEntry::class.java, mAESEncryptor, options, requireAuthentication, usesKeystoreSuffix) ?: run {
+            Log.w(
+              TAG,
+              "An entry was found for key $key under keychain ${options.keychainService}, but there is no corresponding KeyStore key. " +
+                "This situation occurs when the app is reinstalled. The value will be removed to avoid future errors. Returning null"
+            )
+            deleteItemImpl(key, options)
+            return null
+          }
           return mAESEncryptor.decryptItem(key, encryptedItem, secretKeyEntry, options, authenticationHelper)
         }
         HybridAESEncryptor.NAME -> {
-          val privateKeyEntry = getPreferredKeyEntry(PrivateKeyEntry::class.java, hybridAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
-            ?: throw DecryptException("Could not find a keychain for key $key$legacyReadFailedWarning", key, options.keychainService)
+          val privateKeyEntry = getKeyEntryCompat(PrivateKeyEntry::class.java, hybridAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
+            ?: return null
           return hybridAESEncryptor.decryptItem(key, encryptedItem, privateKeyEntry, options, authenticationHelper)
         }
         else -> {
@@ -150,7 +157,15 @@ open class SecureStoreModule : Module() {
       Log.w(TAG, "The requested key has been permanently invalidated. Returning null")
       return null
     } catch (e: BadPaddingException) {
-      throw (DecryptException("Could not decrypt the value with provided keychain $legacyReadFailedWarning", key, options.keychainService, e))
+      // The key from the KeyStore is unable to decode the entry. This is because a new key was generated, but the entries are encrypted using the old one.
+      // This usually means that the user has reinstalled the app. We can safely remove the old value and return null as it's impossible to decrypt it.
+      Log.w(
+        TAG,
+        "Failed to decrypt the entry for $key under keychain ${options.keychainService}. " +
+          "The entry in shared preferences is out of sync with the keystore. It will be removed, returning null."
+      )
+      deleteItemImpl(key, options)
+      return null
     } catch (e: GeneralSecurityException) {
       throw (DecryptException(e.message, key, options.keychainService, e))
     } catch (e: CodedException) {
@@ -185,7 +200,7 @@ open class SecureStoreModule : Module() {
        use in the encrypted JSON item so that we know how to decode and decrypt it when reading
        back a value.
        */
-      val secretKeyEntry: SecretKeyEntry = getKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, options.requireAuthentication)
+      val secretKeyEntry: SecretKeyEntry = getOrCreateKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, options.requireAuthentication)
       val encryptedItem = mAESEncryptor.createEncryptedItem(value, secretKeyEntry, options.requireAuthentication, options.authenticationPrompt, authenticationHelper)
       encryptedItem.put(SCHEME_PROPERTY, AESEncryptor.NAME)
       saveEncryptedItem(encryptedItem, prefs, keychainAwareKey, options.requireAuthentication, options.keychainService)
@@ -249,11 +264,14 @@ open class SecureStoreModule : Module() {
   }
 
   private fun removeKeyFromKeystore(keyStoreAlias: String, keychainService: String) {
+    keyStore.deleteEntry(keyStoreAlias)
+    removeAllEntriesUnderKeychainService(keychainService)
+  }
+
+  private fun removeAllEntriesUnderKeychainService(keychainService: String) {
     val sharedPreferences = getSharedPreferences()
     val allEntries: Map<String, *> = sharedPreferences.all
 
-    keyStore.deleteEntry(keyStoreAlias)
-
     // In order to avoid decryption failures we need to remove all entries that are using the deleted encryption key
     for ((key: String, value) in allEntries) {
       val valueString = value as? String ?: continue
@@ -302,26 +320,36 @@ open class SecureStoreModule : Module() {
     encryptor: KeyBasedEncryptor<E>,
     options: SecureStoreOptions,
     requireAuthentication: Boolean
-  ): E {
+  ): E? {
     val keystoreAlias = encryptor.getExtendedKeyStoreAlias(options, requireAuthentication)
-    val keyStoreEntry = if (!keyStore.containsAlias(keystoreAlias)) {
-      // Android won't allow us to generate the keys if the device doesn't support biometrics or no biometrics are enrolled
-      if (requireAuthentication) {
-        authenticationHelper.assertBiometricsSupport()
-      }
-      encryptor.initializeKeyStoreEntry(keyStore, options)
-    } else {
+    return if (keyStore.containsAlias(keystoreAlias)) {
       val entry = keyStore.getEntry(keystoreAlias, null)
       if (!keyStoreEntryClass.isInstance(entry)) {
         throw KeyStoreException("The entry for the keystore alias \"$keystoreAlias\" is not a ${keyStoreEntryClass.simpleName}")
       }
       keyStoreEntryClass.cast(entry)
         ?: throw KeyStoreException("The entry for the keystore alias \"$keystoreAlias\" couldn't be cast to correct class")
+    } else {
+      null
+    }
+  }
+
+  private fun <E : KeyStore.Entry> getOrCreateKeyEntry(
+    keyStoreEntryClass: Class<E>,
+    encryptor: KeyBasedEncryptor<E>,
+    options: SecureStoreOptions,
+    requireAuthentication: Boolean
+  ): E {
+    return getKeyEntry(keyStoreEntryClass, encryptor, options, requireAuthentication) ?: run {
+      // Android won't allow us to generate the keys if the device doesn't support biometrics or no biometrics are enrolled
+      if (requireAuthentication) {
+        authenticationHelper.assertBiometricsSupport()
+      }
+      encryptor.initializeKeyStoreEntry(keyStore, options)
     }
-    return keyStoreEntry
   }
 
-  private fun <E : KeyStore.Entry> getPreferredKeyEntry(
+  private fun <E : KeyStore.Entry> getKeyEntryCompat(
     keyStoreEntryClass: Class<E>,
     encryptor: KeyBasedEncryptor<E>,
     options: SecureStoreOptions,

package/android/src/main/res/xml/secure_store_backup_rules.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--  Auto Backup configuration for Android 11 and lower -->
+<full-backup-content>
+  <include domain="sharedpref" path="."/>
+  <exclude domain="sharedpref" path="SecureStore"/>
+</full-backup-content>

package/android/src/main/res/xml/secure_store_data_extraction_rules.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--  Auto Backup configuration for Android 12 and higher -->
+<data-extraction-rules>
+  <cloud-backup>
+    <include domain="sharedpref" path="."/>
+    <exclude domain="sharedpref" path="SecureStore"/>
+  </cloud-backup>
+  <device-transfer>
+    <include domain="sharedpref" path="."/>
+    <exclude domain="sharedpref" path="SecureStore"/>
+  </device-transfer>
+</data-extraction-rules>

package/build/SecureStore.d.ts

@@ -13,6 +13,8 @@ export declare const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityC
 /**
  * The data in the keychain item can always be accessed regardless of whether the device is locked.
  * This is the least secure option.
+ *
+ * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK`.
  */
 export declare const ALWAYS: KeychainAccessibilityConstant;
 /**
@@ -22,6 +24,8 @@ export declare const ALWAYS: KeychainAccessibilityConstant;
 export declare const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant;
 /**
  * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.
+ *
+ * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY`.
  */
 export declare const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant;
 /**
@@ -45,10 +49,13 @@ export type SecureStoreOptions = {
      * accessing data stored in SecureStore.
      * - Android: Equivalent to [`setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean))
      *   (requires API 23).
-     * - iOS: Equivalent to [`kSecAccessControlBiometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolbiometrycurrentset/).
+     * - iOS: Equivalent to [`biometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/2937192-biometrycurrentset).
      * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`
      * value used for the others non-authenticated operations.
      *
+     * This option works slightly differently across platforms: On Android, user authentication is required for all operations.
+     * On iOS, the user is prompted to authenticate only when reading or updating an existing value (not when creating a new one).
+     *
      * Warning: This option is not supported in Expo Go when biometric authentication is available due to a missing NSFaceIDUsageDescription.
      * In release builds or when using continuous native generation, make sure to use the `expo-secure-store` config plugin.
      *
@@ -80,7 +87,7 @@ export declare function isAvailableAsync(): Promise<boolean>;
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that will reject if the value couldn't be deleted.
+ * @return A promise that rejects if the value can't be deleted.
  */
 export declare function deleteItemAsync(key: string, options?: SecureStoreOptions): Promise<void>;
 /**
@@ -89,8 +96,8 @@ export declare function deleteItemAsync(key: string, options?: SecureStoreOption
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry
- * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.
+ * @return A promise that resolves to the previously stored value. It resolves with `null` if there is no entry
+ * for the given key or if the key has been invalidated. It rejects if an error occurs while retrieving the value.
  *
  * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.
  * > After a key has been invalidated, it becomes impossible to read its value.
@@ -104,7 +111,7 @@ export declare function getItemAsync(key: string, options?: SecureStoreOptions):
  * @param value The value to store. Size limit is 2048 bytes.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that will reject if value cannot be stored on the device.
+ * @return A promise that rejects if value cannot be stored on the device.
  */
 export declare function setItemAsync(key: string, value: string, options?: SecureStoreOptions): Promise<void>;
 /**
@@ -124,7 +131,8 @@ export declare function setItem(key: string, value: string, options?: SecureStor
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return Previously stored value. It will return `null` if there is no entry for the given key or if the key has been invalidated.
+ * @return Previously stored value. It resolves with `null` if there is no entry
+ * for the given key or if the key has been invalidated.
  */
 export declare function getItem(key: string, options?: SecureStoreOptions): string | null;
 /**

package/build/SecureStore.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecureStore.d.ts","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,6BAA6B,GAAG,MAAM,CAAC;AAGnD;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,EAAE,6BAAkE,CAAC;AAGpG;;;GAGG;AACH,eAAO,MAAM,mCAAmC,EAAE,6BACG,CAAC;AAGtD;;;GAGG;AACH,eAAO,MAAM,MAAM,EAAE,6BAAsD,CAAC;AAG5E;;;GAGG;AACH,eAAO,MAAM,kCAAkC,EAAE,6BACG,CAAC;AAGrD;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,6BACG,CAAC;AAG1C;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,6BAA6D,CAAC;AAG1F;;;GAGG;AACH,eAAO,MAAM,8BAA8B,EAAE,6BACG,CAAC;AAKjD,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;;;;;OAYG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;OAEG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,6BAA6B,CAAC;CACpD,CAAC;AAGF;;;;;;GAMG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAEzD;AAGD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CAIf;AAGD;;;;;;;;;;;;GAYG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGxB;AAGD;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CASf;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,kBAAuB,GAAG,IAAI,CAS1F;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,kBAAuB,GAAG,MAAM,GAAG,IAAI,CAGpF;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,IAAI,OAAO,CAEvD"}
+{"version":3,"file":"SecureStore.d.ts","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,6BAA6B,GAAG,MAAM,CAAC;AAGnD;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,EAAE,6BAAkE,CAAC;AAGpG;;;GAGG;AACH,eAAO,MAAM,mCAAmC,EAAE,6BACG,CAAC;AAGtD;;;;;GAKG;AACH,eAAO,MAAM,MAAM,EAAE,6BAAsD,CAAC;AAG5E;;;GAGG;AACH,eAAO,MAAM,kCAAkC,EAAE,6BACG,CAAC;AAGrD;;;;GAIG;AACH,eAAO,MAAM,uBAAuB,EAAE,6BACG,CAAC;AAG1C;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,6BAA6D,CAAC;AAG1F;;;GAGG;AACH,eAAO,MAAM,8BAA8B,EAAE,6BACG,CAAC;AAGjD,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;;;;;;;;OAeG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;OAEG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,6BAA6B,CAAC;CACpD,CAAC;AAGF;;;;;;GAMG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAEzD;AAGD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CAIf;AAGD;;;;;;;;;;;;GAYG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGxB;AAGD;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,IAAI,CAAC,CASf;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,kBAAuB,GAAG,IAAI,CAS1F;AAED;;;;;;;;;GASG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,kBAAuB,GAAG,MAAM,GAAG,IAAI,CAGpF;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,IAAI,OAAO,CAEvD"}

package/build/SecureStore.js

@@ -1,4 +1,5 @@
 import ExpoSecureStore from './ExpoSecureStore';
+import { byteCountOverLimit, VALUE_BYTES_LIMIT } from './byteCounter';
 // @needsAudit
 /**
  * The data in the keychain item cannot be accessed after a restart until the device has been
@@ -16,6 +17,8 @@ export const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY = ExpoSecureStore.AFTER_FIRST_U
 /**
  * The data in the keychain item can always be accessed regardless of whether the device is locked.
  * This is the least secure option.
+ *
+ * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK`.
  */
 export const ALWAYS = ExpoSecureStore.ALWAYS;
 // @needsAudit
@@ -27,6 +30,8 @@ export const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY = ExpoSecureStore.WHEN_PASSCODE_
 // @needsAudit
 /**
  * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.
+ *
+ * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY`.
  */
 export const ALWAYS_THIS_DEVICE_ONLY = ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;
 // @needsAudit
@@ -40,7 +45,6 @@ export const WHEN_UNLOCKED = ExpoSecureStore.WHEN_UNLOCKED;
  * a backup.
  */
 export const WHEN_UNLOCKED_THIS_DEVICE_ONLY = ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;
-const VALUE_BYTES_LIMIT = 2048;
 // @needsAudit
 /**
  * Returns whether the SecureStore API is enabled on the current device. This does not check the app
@@ -59,7 +63,7 @@ export async function isAvailableAsync() {
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that will reject if the value couldn't be deleted.
+ * @return A promise that rejects if the value can't be deleted.
  */
 export async function deleteItemAsync(key, options = {}) {
     ensureValidKey(key);
@@ -72,8 +76,8 @@ export async function deleteItemAsync(key, options = {}) {
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry
- * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.
+ * @return A promise that resolves to the previously stored value. It resolves with `null` if there is no entry
+ * for the given key or if the key has been invalidated. It rejects if an error occurs while retrieving the value.
  *
  * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.
  * > After a key has been invalidated, it becomes impossible to read its value.
@@ -91,7 +95,7 @@ export async function getItemAsync(key, options = {}) {
  * @param value The value to store. Size limit is 2048 bytes.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that will reject if value cannot be stored on the device.
+ * @return A promise that rejects if value cannot be stored on the device.
  */
 export async function setItemAsync(key, value, options = {}) {
     ensureValidKey(key);
@@ -123,7 +127,8 @@ export function setItem(key, value, options = {}) {
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return Previously stored value. It will return `null` if there is no entry for the given key or if the key has been invalidated.
+ * @return Previously stored value. It resolves with `null` if there is no entry
+ * for the given key or if the key has been invalidated.
  */
 export function getItem(key, options = {}) {
     ensureValidKey(key);
@@ -148,29 +153,9 @@ function isValidValue(value) {
     if (typeof value !== 'string') {
         return false;
     }
-    if (byteCount(value) > VALUE_BYTES_LIMIT) {
-        console.warn('Value being stored in SecureStore is larger than 2048 bytes and it may not be stored successfully. In a future SDK version, this call may throw an error.');
+    if (byteCountOverLimit(value, VALUE_BYTES_LIMIT)) {
+        console.warn(`Value being stored in SecureStore is larger than ${VALUE_BYTES_LIMIT} bytes and it may not be stored successfully. In a future SDK version, this call may throw an error.`);
     }
     return true;
 }
-// copy-pasted from https://stackoverflow.com/a/39488643
-function byteCount(value) {
-    let bytes = 0;
-    for (let i = 0; i < value.length; i++) {
-        const codePoint = value.charCodeAt(i);
-        // Lone surrogates cannot be passed to encodeURI
-        if (codePoint >= 0xd800 && codePoint < 0xe000) {
-            if (codePoint < 0xdc00 && i + 1 < value.length) {
-                const next = value.charCodeAt(i + 1);
-                if (next >= 0xdc00 && next < 0xe000) {
-                    bytes += 4;
-                    i++;
-                    continue;
-                }
-            }
-        }
-        bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;
-    }
-    return bytes;
-}
 //# sourceMappingURL=SecureStore.js.map

package/build/SecureStore.js.map

@@ -1 +1 @@
-{"version":3,"file":"SecureStore.js","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,MAAM,mBAAmB,CAAC;AAIhD,cAAc;AACd;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAkC,eAAe,CAAC,kBAAkB,CAAC;AAEpG,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAC9C,eAAe,CAAC,mCAAmC,CAAC;AAEtD,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,MAAM,GAAkC,eAAe,CAAC,MAAM,CAAC;AAE5E,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAC7C,eAAe,CAAC,kCAAkC,CAAC;AAErD,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAClC,eAAe,CAAC,uBAAuB,CAAC;AAE1C,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAkC,eAAe,CAAC,aAAa,CAAC;AAE1F,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GACzC,eAAe,CAAC,8BAA8B,CAAC;AAEjD,MAAM,iBAAiB,GAAG,IAAI,CAAC;AAqC/B,cAAc;AACd;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,OAAO,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;AAChD,CAAC;AAED,cAAc;AACd;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAW,EACX,UAA8B,EAAE;IAEhC,cAAc,CAAC,GAAG,CAAC,CAAC;IAEpB,MAAM,eAAe,CAAC,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAED,cAAc;AACd;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,UAA8B,EAAE;IAEhC,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,MAAM,eAAe,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,cAAc;AACd;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,KAAa,EACb,UAA8B,EAAE;IAEhC,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IAED,MAAM,eAAe,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,KAAa,EAAE,UAA8B,EAAE;IAClF,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IAED,OAAO,eAAe,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,UAA8B,EAAE;IACnE,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,eAAe,CAAC,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC3D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,6BAA6B;IAC3C,OAAO,eAAe,CAAC,6BAA6B,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;QACpB,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;KACH;AACH,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QAC7B,OAAO,KAAK,CAAC;KACd;IACD,IAAI,SAAS,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE;QACxC,OAAO,CAAC,IAAI,CACV,2JAA2J,CAC5J,CAAC;KACH;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QACrC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAEtC,gDAAgD;QAChD,IAAI,SAAS,IAAI,MAAM,IAAI,SAAS,GAAG,MAAM,EAAE;YAC7C,IAAI,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE;gBAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAErC,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,GAAG,MAAM,EAAE;oBACnC,KAAK,IAAI,CAAC,CAAC;oBACX,CAAC,EAAE,CAAC;oBACJ,SAAS;iBACV;aACF;SACF;QAED,KAAK,IAAI,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KAC3D;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import ExpoSecureStore from './ExpoSecureStore';\n\nexport type KeychainAccessibilityConstant = number;\n\n// @needsAudit\n/**\n * The data in the keychain item cannot be accessed after a restart until the device has been\n * unlocked once by the user. This may be useful if you need to access the item when the phone\n * is locked.\n */\nexport const AFTER_FIRST_UNLOCK: KeychainAccessibilityConstant = ExpoSecureStore.AFTER_FIRST_UNLOCK;\n\n// @needsAudit\n/**\n * Similar to `AFTER_FIRST_UNLOCK`, except the entry is not migrated to a new device when restoring\n * from a backup.\n */\nexport const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can always be accessed regardless of whether the device is locked.\n * This is the least secure option.\n */\nexport const ALWAYS: KeychainAccessibilityConstant = ExpoSecureStore.ALWAYS;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED_THIS_DEVICE_ONLY`, except the user must have set a passcode in order to\n * store an entry. If the user removes their passcode, the entry will be deleted.\n */\nexport const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.\n */\nexport const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can be accessed only while the device is unlocked by the user.\n */\nexport const WHEN_UNLOCKED: KeychainAccessibilityConstant = ExpoSecureStore.WHEN_UNLOCKED;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED`, except the entry is not migrated to a new device when restoring from\n * a backup.\n */\nexport const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;\n\nconst VALUE_BYTES_LIMIT = 2048;\n\n// @needsAudit\nexport type SecureStoreOptions = {\n  /**\n   * - Android: Equivalent of the public/private key pair `Alias`.\n   * - iOS: The item's service, equivalent to [`kSecAttrService`](https://developer.apple.com/documentation/security/ksecattrservice/).\n   * > If the item is set with the `keychainService` option, it will be required to later fetch the value.\n   */\n  keychainService?: string;\n  /**\n   * Option responsible for enabling the usage of the user authentication methods available on the device while\n   * accessing data stored in SecureStore.\n   * - Android: Equivalent to [`setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean))\n   *   (requires API 23).\n   * - iOS: Equivalent to [`kSecAccessControlBiometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolbiometrycurrentset/).\n   * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`\n   * value used for the others non-authenticated operations.\n   *\n   * Warning: This option is not supported in Expo Go when biometric authentication is available due to a missing NSFaceIDUsageDescription.\n   * In release builds or when using continuous native generation, make sure to use the `expo-secure-store` config plugin.\n   *\n   */\n  requireAuthentication?: boolean;\n  /**\n   * Custom message displayed to the user while `requireAuthentication` option is turned on.\n   */\n  authenticationPrompt?: string;\n  /**\n   * Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible` property.\n   * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/documentation/security/ksecattraccessible/).\n   * @default SecureStore.WHEN_UNLOCKED\n   * @platform ios\n   */\n  keychainAccessible?: KeychainAccessibilityConstant;\n};\n\n// @needsAudit\n/**\n * Returns whether the SecureStore API is enabled on the current device. This does not check the app\n * permissions.\n *\n * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available\n * on the current device. Currently, this resolves `true` on Android and iOS only.\n */\nexport async function isAvailableAsync(): Promise<boolean> {\n  return !!ExpoSecureStore.getValueWithKeyAsync;\n}\n\n// @needsAudit\n/**\n * Delete the value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if the value couldn't be deleted.\n */\nexport async function deleteItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  ensureValidKey(key);\n\n  await ExpoSecureStore.deleteValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Reads the stored value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry\n * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.\n *\n * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.\n * > After a key has been invalidated, it becomes impossible to read its value.\n * > This only applies to values stored with `requireAuthentication` set to `true`.\n */\nexport async function getItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<string | null> {\n  ensureValidKey(key);\n  return await ExpoSecureStore.getValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Stores a key–value pair.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters, `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that will reject if value cannot be stored on the device.\n */\nexport async function setItemAsync(\n  key: string,\n  value: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  ensureValidKey(key);\n  if (!isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n\n  await ExpoSecureStore.setValueWithKeyAsync(value, key, options);\n}\n\n/**\n * Stores a key–value pair synchronously.\n * > **Note:** This function blocks the JavaScript thread, so the application may not be interactive when the `requireAuthentication` option is set to `true` until the user authenticates.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters, `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n */\nexport function setItem(key: string, value: string, options: SecureStoreOptions = {}): void {\n  ensureValidKey(key);\n  if (!isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n\n  return ExpoSecureStore.setValueWithKeySync(value, key, options);\n}\n\n/**\n * Synchronously reads the stored value associated with the provided key.\n * > **Note:** This function blocks the JavaScript thread, so the application may not be interactive when reading a value with `requireAuthentication`\n * > option set to `true` until the user authenticates.\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return Previously stored value. It will return `null` if there is no entry for the given key or if the key has been invalidated.\n */\nexport function getItem(key: string, options: SecureStoreOptions = {}): string | null {\n  ensureValidKey(key);\n  return ExpoSecureStore.getValueWithKeySync(key, options);\n}\n\n/**\n * Checks if the value can be saved with `requireAuthentication` option enabled.\n * @return `true` if the device supports biometric authentication and the enrolled method is sufficiently secure. Otherwise, returns `false`.\n */\nexport function canUseBiometricAuthentication(): boolean {\n  return ExpoSecureStore.canUseBiometricAuthentication();\n}\n\nfunction ensureValidKey(key: string) {\n  if (!isValidKey(key)) {\n    throw new Error(\n      `Invalid key provided to SecureStore. Keys must not be empty and contain only alphanumeric characters, \".\", \"-\", and \"_\".`\n    );\n  }\n}\n\nfunction isValidKey(key: string) {\n  return typeof key === 'string' && /^[\\w.-]+$/.test(key);\n}\n\nfunction isValidValue(value: string) {\n  if (typeof value !== 'string') {\n    return false;\n  }\n  if (byteCount(value) > VALUE_BYTES_LIMIT) {\n    console.warn(\n      'Value being stored in SecureStore is larger than 2048 bytes and it may not be stored successfully. In a future SDK version, this call may throw an error.'\n    );\n  }\n  return true;\n}\n\n// copy-pasted from https://stackoverflow.com/a/39488643\nfunction byteCount(value: string) {\n  let bytes = 0;\n\n  for (let i = 0; i < value.length; i++) {\n    const codePoint = value.charCodeAt(i);\n\n    // Lone surrogates cannot be passed to encodeURI\n    if (codePoint >= 0xd800 && codePoint < 0xe000) {\n      if (codePoint < 0xdc00 && i + 1 < value.length) {\n        const next = value.charCodeAt(i + 1);\n\n        if (next >= 0xdc00 && next < 0xe000) {\n          bytes += 4;\n          i++;\n          continue;\n        }\n      }\n    }\n\n    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;\n  }\n\n  return bytes;\n}\n"]}
+{"version":3,"file":"SecureStore.js","sourceRoot":"","sources":["../src/SecureStore.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAItE,cAAc;AACd;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAkC,eAAe,CAAC,kBAAkB,CAAC;AAEpG,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAC9C,eAAe,CAAC,mCAAmC,CAAC;AAEtD,cAAc;AACd;;;;;GAKG;AACH,MAAM,CAAC,MAAM,MAAM,GAAkC,eAAe,CAAC,MAAM,CAAC;AAE5E,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAC7C,eAAe,CAAC,kCAAkC,CAAC;AAErD,cAAc;AACd;;;;GAIG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAClC,eAAe,CAAC,uBAAuB,CAAC;AAE1C,cAAc;AACd;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAkC,eAAe,CAAC,aAAa,CAAC;AAE1F,cAAc;AACd;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GACzC,eAAe,CAAC,8BAA8B,CAAC;AAwCjD,cAAc;AACd;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,OAAO,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;AAChD,CAAC;AAED,cAAc;AACd;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAW,EACX,UAA8B,EAAE;IAEhC,cAAc,CAAC,GAAG,CAAC,CAAC;IAEpB,MAAM,eAAe,CAAC,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAED,cAAc;AACd;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,UAA8B,EAAE;IAEhC,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,MAAM,eAAe,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,cAAc;AACd;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,KAAa,EACb,UAA8B,EAAE;IAEhC,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IAED,MAAM,eAAe,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,KAAa,EAAE,UAA8B,EAAE;IAClF,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;KACH;IAED,OAAO,eAAe,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,UAA8B,EAAE;IACnE,cAAc,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,eAAe,CAAC,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC3D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,6BAA6B;IAC3C,OAAO,eAAe,CAAC,6BAA6B,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;QACpB,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;KACH;AACH,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QAC7B,OAAO,KAAK,CAAC;KACd;IACD,IAAI,kBAAkB,CAAC,KAAK,EAAE,iBAAiB,CAAC,EAAE;QAChD,OAAO,CAAC,IAAI,CACV,oDAAoD,iBAAiB,sGAAsG,CAC5K,CAAC;KACH;IACD,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import ExpoSecureStore from './ExpoSecureStore';\nimport { byteCountOverLimit, VALUE_BYTES_LIMIT } from './byteCounter';\n\nexport type KeychainAccessibilityConstant = number;\n\n// @needsAudit\n/**\n * The data in the keychain item cannot be accessed after a restart until the device has been\n * unlocked once by the user. This may be useful if you need to access the item when the phone\n * is locked.\n */\nexport const AFTER_FIRST_UNLOCK: KeychainAccessibilityConstant = ExpoSecureStore.AFTER_FIRST_UNLOCK;\n\n// @needsAudit\n/**\n * Similar to `AFTER_FIRST_UNLOCK`, except the entry is not migrated to a new device when restoring\n * from a backup.\n */\nexport const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can always be accessed regardless of whether the device is locked.\n * This is the least secure option.\n *\n * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK`.\n */\nexport const ALWAYS: KeychainAccessibilityConstant = ExpoSecureStore.ALWAYS;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED_THIS_DEVICE_ONLY`, except the user must have set a passcode in order to\n * store an entry. If the user removes their passcode, the entry will be deleted.\n */\nexport const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.\n *\n * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY`.\n */\nexport const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;\n\n// @needsAudit\n/**\n * The data in the keychain item can be accessed only while the device is unlocked by the user.\n */\nexport const WHEN_UNLOCKED: KeychainAccessibilityConstant = ExpoSecureStore.WHEN_UNLOCKED;\n\n// @needsAudit\n/**\n * Similar to `WHEN_UNLOCKED`, except the entry is not migrated to a new device when restoring from\n * a backup.\n */\nexport const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =\n  ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;\n\n// @needsAudit\nexport type SecureStoreOptions = {\n  /**\n   * - Android: Equivalent of the public/private key pair `Alias`.\n   * - iOS: The item's service, equivalent to [`kSecAttrService`](https://developer.apple.com/documentation/security/ksecattrservice/).\n   * > If the item is set with the `keychainService` option, it will be required to later fetch the value.\n   */\n  keychainService?: string;\n  /**\n   * Option responsible for enabling the usage of the user authentication methods available on the device while\n   * accessing data stored in SecureStore.\n   * - Android: Equivalent to [`setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean))\n   *   (requires API 23).\n   * - iOS: Equivalent to [`biometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/2937192-biometrycurrentset).\n   * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`\n   * value used for the others non-authenticated operations.\n   *\n   * This option works slightly differently across platforms: On Android, user authentication is required for all operations.\n   * On iOS, the user is prompted to authenticate only when reading or updating an existing value (not when creating a new one).\n   *\n   * Warning: This option is not supported in Expo Go when biometric authentication is available due to a missing NSFaceIDUsageDescription.\n   * In release builds or when using continuous native generation, make sure to use the `expo-secure-store` config plugin.\n   *\n   */\n  requireAuthentication?: boolean;\n  /**\n   * Custom message displayed to the user while `requireAuthentication` option is turned on.\n   */\n  authenticationPrompt?: string;\n  /**\n   * Specifies when the stored entry is accessible, using iOS's `kSecAttrAccessible` property.\n   * @see Apple's documentation on [keychain item accessibility](https://developer.apple.com/documentation/security/ksecattraccessible/).\n   * @default SecureStore.WHEN_UNLOCKED\n   * @platform ios\n   */\n  keychainAccessible?: KeychainAccessibilityConstant;\n};\n\n// @needsAudit\n/**\n * Returns whether the SecureStore API is enabled on the current device. This does not check the app\n * permissions.\n *\n * @return Promise which fulfils witch `boolean`, indicating whether the SecureStore API is available\n * on the current device. Currently, this resolves `true` on Android and iOS only.\n */\nexport async function isAvailableAsync(): Promise<boolean> {\n  return !!ExpoSecureStore.getValueWithKeyAsync;\n}\n\n// @needsAudit\n/**\n * Delete the value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that rejects if the value can't be deleted.\n */\nexport async function deleteItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  ensureValidKey(key);\n\n  await ExpoSecureStore.deleteValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Reads the stored value associated with the provided key.\n *\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that resolves to the previously stored value. It resolves with `null` if there is no entry\n * for the given key or if the key has been invalidated. It rejects if an error occurs while retrieving the value.\n *\n * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.\n * > After a key has been invalidated, it becomes impossible to read its value.\n * > This only applies to values stored with `requireAuthentication` set to `true`.\n */\nexport async function getItemAsync(\n  key: string,\n  options: SecureStoreOptions = {}\n): Promise<string | null> {\n  ensureValidKey(key);\n  return await ExpoSecureStore.getValueWithKeyAsync(key, options);\n}\n\n// @needsAudit\n/**\n * Stores a key–value pair.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters, `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return A promise that rejects if value cannot be stored on the device.\n */\nexport async function setItemAsync(\n  key: string,\n  value: string,\n  options: SecureStoreOptions = {}\n): Promise<void> {\n  ensureValidKey(key);\n  if (!isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n\n  await ExpoSecureStore.setValueWithKeyAsync(value, key, options);\n}\n\n/**\n * Stores a key–value pair synchronously.\n * > **Note:** This function blocks the JavaScript thread, so the application may not be interactive when the `requireAuthentication` option is set to `true` until the user authenticates.\n *\n * @param key The key to associate with the stored value. Keys may contain alphanumeric characters, `.`, `-`, and `_`.\n * @param value The value to store. Size limit is 2048 bytes.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n */\nexport function setItem(key: string, value: string, options: SecureStoreOptions = {}): void {\n  ensureValidKey(key);\n  if (!isValidValue(value)) {\n    throw new Error(\n      `Invalid value provided to SecureStore. Values must be strings; consider JSON-encoding your values if they are serializable.`\n    );\n  }\n\n  return ExpoSecureStore.setValueWithKeySync(value, key, options);\n}\n\n/**\n * Synchronously reads the stored value associated with the provided key.\n * > **Note:** This function blocks the JavaScript thread, so the application may not be interactive when reading a value with `requireAuthentication`\n * > option set to `true` until the user authenticates.\n * @param key The key that was used to store the associated value.\n * @param options An [`SecureStoreOptions`](#securestoreoptions) object.\n *\n * @return Previously stored value. It resolves with `null` if there is no entry\n * for the given key or if the key has been invalidated.\n */\nexport function getItem(key: string, options: SecureStoreOptions = {}): string | null {\n  ensureValidKey(key);\n  return ExpoSecureStore.getValueWithKeySync(key, options);\n}\n\n/**\n * Checks if the value can be saved with `requireAuthentication` option enabled.\n * @return `true` if the device supports biometric authentication and the enrolled method is sufficiently secure. Otherwise, returns `false`.\n */\nexport function canUseBiometricAuthentication(): boolean {\n  return ExpoSecureStore.canUseBiometricAuthentication();\n}\n\nfunction ensureValidKey(key: string) {\n  if (!isValidKey(key)) {\n    throw new Error(\n      `Invalid key provided to SecureStore. Keys must not be empty and contain only alphanumeric characters, \".\", \"-\", and \"_\".`\n    );\n  }\n}\n\nfunction isValidKey(key: string) {\n  return typeof key === 'string' && /^[\\w.-]+$/.test(key);\n}\n\nfunction isValidValue(value: string) {\n  if (typeof value !== 'string') {\n    return false;\n  }\n  if (byteCountOverLimit(value, VALUE_BYTES_LIMIT)) {\n    console.warn(\n      `Value being stored in SecureStore is larger than ${VALUE_BYTES_LIMIT} bytes and it may not be stored successfully. In a future SDK version, this call may throw an error.`\n    );\n  }\n  return true;\n}\n"]}

package/build/byteCounter.d.ts

@@ -0,0 +1,3 @@
+export declare const VALUE_BYTES_LIMIT = 2048;
+export declare function byteCountOverLimit(value: string, limit: number): boolean;
+//# sourceMappingURL=byteCounter.d.ts.map

package/build/byteCounter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"byteCounter.d.ts","sourceRoot":"","sources":["../src/byteCounter.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iBAAiB,OAAO,CAAC;AAItC,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CA6BxE"}

package/build/byteCounter.js

@@ -0,0 +1,29 @@
+export const VALUE_BYTES_LIMIT = 2048;
+// note this probably could be JS-engine dependent
+// inspired by https://stackoverflow.com/a/39488643
+export function byteCountOverLimit(value, limit) {
+    let bytes = 0;
+    for (let i = 0; i < value.length; i++) {
+        const codePoint = value.charCodeAt(i);
+        // Lone surrogates cannot be passed to encodeURI
+        if (codePoint >= 0xd800 && codePoint < 0xe000) {
+            if (codePoint < 0xdc00 && i + 1 < value.length) {
+                const next = value.charCodeAt(i + 1);
+                if (next >= 0xdc00 && next < 0xe000) {
+                    bytes += 4;
+                    if (bytes > limit) {
+                        return true;
+                    }
+                    i++;
+                    continue;
+                }
+            }
+        }
+        bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;
+        if (bytes > limit) {
+            return true;
+        }
+    }
+    return bytes > limit;
+}
+//# sourceMappingURL=byteCounter.js.map

package/build/byteCounter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"byteCounter.js","sourceRoot":"","sources":["../src/byteCounter.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,CAAC;AAEtC,kDAAkD;AAClD,mDAAmD;AACnD,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,KAAa;IAC7D,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QACrC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAEtC,gDAAgD;QAChD,IAAI,SAAS,IAAI,MAAM,IAAI,SAAS,GAAG,MAAM,EAAE;YAC7C,IAAI,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE;gBAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAErC,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,GAAG,MAAM,EAAE;oBACnC,KAAK,IAAI,CAAC,CAAC;oBACX,IAAI,KAAK,GAAG,KAAK,EAAE;wBACjB,OAAO,IAAI,CAAC;qBACb;oBACD,CAAC,EAAE,CAAC;oBACJ,SAAS;iBACV;aACF;SACF;QAED,KAAK,IAAI,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,IAAI,KAAK,GAAG,KAAK,EAAE;YACjB,OAAO,IAAI,CAAC;SACb;KACF;IAED,OAAO,KAAK,GAAG,KAAK,CAAC;AACvB,CAAC","sourcesContent":["export const VALUE_BYTES_LIMIT = 2048;\n\n// note this probably could be JS-engine dependent\n// inspired by https://stackoverflow.com/a/39488643\nexport function byteCountOverLimit(value: string, limit: number): boolean {\n  let bytes = 0;\n\n  for (let i = 0; i < value.length; i++) {\n    const codePoint = value.charCodeAt(i);\n\n    // Lone surrogates cannot be passed to encodeURI\n    if (codePoint >= 0xd800 && codePoint < 0xe000) {\n      if (codePoint < 0xdc00 && i + 1 < value.length) {\n        const next = value.charCodeAt(i + 1);\n\n        if (next >= 0xdc00 && next < 0xe000) {\n          bytes += 4;\n          if (bytes > limit) {\n            return true;\n          }\n          i++;\n          continue;\n        }\n      }\n    }\n\n    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;\n    if (bytes > limit) {\n      return true;\n    }\n  }\n\n  return bytes > limit;\n}\n"]}

package/ios/SecureStoreExceptions.swift

@@ -12,6 +12,12 @@ internal class MissingPlistKeyException: Exception {
   }
 }
 
+internal class SecAccessControlError: GenericException<Int?> {
+  override var reason: String {
+    return "Unable to construct SecAccessControl: \(param.map { "code " + String($0) } ?? "unknown error")"
+  }
+}
+
 internal class KeyChainException: GenericException<OSStatus> {
   override var reason: String {
     switch param {

package/ios/SecureStoreModule.swift

@@ -96,7 +96,12 @@ public final class SecureStoreModule: Module {
       guard let _ = Bundle.main.infoDictionary?["NSFaceIDUsageDescription"] as? String else {
         throw MissingPlistKeyException()
       }
-      let accessOptions = SecAccessControlCreateWithFlags(kCFAllocatorDefault, accessibility, SecAccessControlCreateFlags.biometryCurrentSet, nil)
+
+      var error: Unmanaged<CFError>? = nil
+      guard let accessOptions = SecAccessControlCreateWithFlags(kCFAllocatorDefault, accessibility, .biometryCurrentSet, &error) else {
+        let errorCode = error.map { CFErrorGetCode($0.takeRetainedValue()) }
+        throw SecAccessControlError(errorCode)
+      }
       setItemQuery[kSecAttrAccessControl as String] = accessOptions
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "expo-secure-store",
-  "version": "13.0.2-canary-20240625-2333e70",
+  "version": "13.1.0-canary-20240627-1402f4b",
   "description": "Provides a way to encrypt and securely store key-value pairs locally on the device.",
   "main": "build/SecureStore.js",
   "types": "build/SecureStore.d.ts",
@@ -37,10 +37,10 @@
   },
   "dependencies": {},
   "devDependencies": {
-    "expo-module-scripts": "3.6.0-canary-20240625-2333e70"
+    "expo-module-scripts": "3.6.0-canary-20240627-1402f4b"
   },
   "peerDependencies": {
     "expo": "*"
   },
-  "gitHead": "2333e70a4bd3ac91895402dac77ae8ae0ed25995"
+  "gitHead": "1402f4bcfdfcec328fc1e20cf1656bbefe7c3b7b"
 }

package/plugin/build/withSecureStore.d.ts

@@ -1,5 +1,6 @@
-import { ConfigPlugin } from '@expo/config-plugins';
+import { ConfigPlugin } from 'expo/config-plugins';
 declare const _default: ConfigPlugin<void | {
     faceIDPermission?: string | false | undefined;
+    configureAndroidBackup?: boolean | undefined;
 }>;
 export default _default;

package/plugin/build/withSecureStore.js

@@ -1,13 +1,37 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const config_plugins_1 = require("@expo/config-plugins");
+const config_plugins_1 = require("expo/config-plugins");
 const pkg = require('expo-secure-store/package.json');
+const BACKUP_RULES_PATH = '@xml/secure_store_backup_rules';
+const EXTRACTION_RULES_PATH = '@xml/secure_store_data_extraction_rules';
 const FACEID_USAGE = 'Allow $(PRODUCT_NAME) to access your Face ID biometric data.';
-const withSecureStore = (config, { faceIDPermission } = {}) => {
-    return config_plugins_1.IOSConfig.Permissions.createPermissionsPlugin({
+const withSecureStore = (config, { faceIDPermission, configureAndroidBackup = true } = {}) => {
+    config_plugins_1.IOSConfig.Permissions.createPermissionsPlugin({
         NSFaceIDUsageDescription: FACEID_USAGE,
     })(config, {
         NSFaceIDUsageDescription: faceIDPermission,
     });
+    (0, config_plugins_1.withAndroidManifest)(config, (config) => {
+        const mainApplication = config_plugins_1.AndroidConfig.Manifest.getMainApplicationOrThrow(config.modResults);
+        const backupConfig = mainApplication.$['android:fullBackupContent']; // SDK <= 30
+        const dataExtractionRules = mainApplication.$['android:dataExtractionRules']; // SDK >= 31
+        if (!configureAndroidBackup) {
+            backupConfig === BACKUP_RULES_PATH && delete mainApplication.$['android:fullBackupContent'];
+            dataExtractionRules === EXTRACTION_RULES_PATH &&
+                delete mainApplication.$['android:dataExtractionRules'];
+            return config;
+        }
+        const canApplyBackupConfig = !backupConfig || backupConfig === BACKUP_RULES_PATH;
+        const canApplyDataExtractionRules = !dataExtractionRules || dataExtractionRules === EXTRACTION_RULES_PATH;
+        if (canApplyBackupConfig && canApplyDataExtractionRules) {
+            mainApplication.$['android:fullBackupContent'] = BACKUP_RULES_PATH;
+            mainApplication.$['android:dataExtractionRules'] = EXTRACTION_RULES_PATH;
+            return config;
+        }
+        console.warn('Expo-secure-store tried to apply Android Auto Backup rules, but other backup rules are already present. ' +
+            'Refer to the expo-secure-store docs (https://docs.expo.dev/versions/latest/sdk/securestore/) to configure your backup rules.');
+        return config;
+    });
+    return config;
 };
 exports.default = (0, config_plugins_1.createRunOncePlugin)(withSecureStore, pkg.name, pkg.version);

package/plugin/src/withSecureStore.ts

@@ -1,19 +1,58 @@
-import { ConfigPlugin, IOSConfig, createRunOncePlugin } from '@expo/config-plugins';
+import {
+  ConfigPlugin,
+  IOSConfig,
+  createRunOncePlugin,
+  withAndroidManifest,
+  AndroidConfig,
+} from 'expo/config-plugins';
 
 const pkg = require('expo-secure-store/package.json');
 
+const BACKUP_RULES_PATH = '@xml/secure_store_backup_rules';
+const EXTRACTION_RULES_PATH = '@xml/secure_store_data_extraction_rules';
 const FACEID_USAGE = 'Allow $(PRODUCT_NAME) to access your Face ID biometric data.';
 
 const withSecureStore: ConfigPlugin<
   {
     faceIDPermission?: string | false;
+    configureAndroidBackup?: boolean;
   } | void
-> = (config, { faceIDPermission } = {}) => {
-  return IOSConfig.Permissions.createPermissionsPlugin({
+> = (config, { faceIDPermission, configureAndroidBackup = true } = {}) => {
+  IOSConfig.Permissions.createPermissionsPlugin({
     NSFaceIDUsageDescription: FACEID_USAGE,
   })(config, {
     NSFaceIDUsageDescription: faceIDPermission,
   });
+
+  withAndroidManifest(config, (config) => {
+    const mainApplication = AndroidConfig.Manifest.getMainApplicationOrThrow(config.modResults);
+    const backupConfig = mainApplication.$['android:fullBackupContent']; // SDK <= 30
+    const dataExtractionRules = mainApplication.$['android:dataExtractionRules']; // SDK >= 31
+
+    if (!configureAndroidBackup) {
+      backupConfig === BACKUP_RULES_PATH && delete mainApplication.$['android:fullBackupContent'];
+      dataExtractionRules === EXTRACTION_RULES_PATH &&
+        delete mainApplication.$['android:dataExtractionRules'];
+      return config;
+    }
+
+    const canApplyBackupConfig = !backupConfig || backupConfig === BACKUP_RULES_PATH;
+    const canApplyDataExtractionRules =
+      !dataExtractionRules || dataExtractionRules === EXTRACTION_RULES_PATH;
+
+    if (canApplyBackupConfig && canApplyDataExtractionRules) {
+      mainApplication.$['android:fullBackupContent'] = BACKUP_RULES_PATH;
+      mainApplication.$['android:dataExtractionRules'] = EXTRACTION_RULES_PATH;
+      return config;
+    }
+
+    console.warn(
+      'Expo-secure-store tried to apply Android Auto Backup rules, but other backup rules are already present. ' +
+        'Refer to the expo-secure-store docs (https://docs.expo.dev/versions/latest/sdk/securestore/) to configure your backup rules.'
+    );
+    return config;
+  });
+  return config;
 };
 
 export default createRunOncePlugin(withSecureStore, pkg.name, pkg.version);

package/src/SecureStore.ts

@@ -1,4 +1,5 @@
 import ExpoSecureStore from './ExpoSecureStore';
+import { byteCountOverLimit, VALUE_BYTES_LIMIT } from './byteCounter';
 
 export type KeychainAccessibilityConstant = number;
 
@@ -22,6 +23,8 @@ export const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: KeychainAccessibilityConstant
 /**
  * The data in the keychain item can always be accessed regardless of whether the device is locked.
  * This is the least secure option.
+ *
+ * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK`.
  */
 export const ALWAYS: KeychainAccessibilityConstant = ExpoSecureStore.ALWAYS;
 
@@ -36,6 +39,8 @@ export const WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =
 // @needsAudit
 /**
  * Similar to `ALWAYS`, except the entry is not migrated to a new device when restoring from a backup.
+ *
+ * @deprecated Use an accessibility level that provides some user protection, such as `AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY`.
  */
 export const ALWAYS_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =
   ExpoSecureStore.ALWAYS_THIS_DEVICE_ONLY;
@@ -54,8 +59,6 @@ export const WHEN_UNLOCKED: KeychainAccessibilityConstant = ExpoSecureStore.WHEN
 export const WHEN_UNLOCKED_THIS_DEVICE_ONLY: KeychainAccessibilityConstant =
   ExpoSecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY;
 
-const VALUE_BYTES_LIMIT = 2048;
-
 // @needsAudit
 export type SecureStoreOptions = {
   /**
@@ -69,10 +72,13 @@ export type SecureStoreOptions = {
    * accessing data stored in SecureStore.
    * - Android: Equivalent to [`setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean))
    *   (requires API 23).
-   * - iOS: Equivalent to [`kSecAccessControlBiometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolbiometrycurrentset/).
+   * - iOS: Equivalent to [`biometryCurrentSet`](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/2937192-biometrycurrentset).
    * Complete functionality is unlocked only with a freshly generated key - this would not work in tandem with the `keychainService`
    * value used for the others non-authenticated operations.
    *
+   * This option works slightly differently across platforms: On Android, user authentication is required for all operations.
+   * On iOS, the user is prompted to authenticate only when reading or updating an existing value (not when creating a new one).
+   *
    * Warning: This option is not supported in Expo Go when biometric authentication is available due to a missing NSFaceIDUsageDescription.
    * In release builds or when using continuous native generation, make sure to use the `expo-secure-store` config plugin.
    *
@@ -110,7 +116,7 @@ export async function isAvailableAsync(): Promise<boolean> {
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that will reject if the value couldn't be deleted.
+ * @return A promise that rejects if the value can't be deleted.
  */
 export async function deleteItemAsync(
   key: string,
@@ -128,8 +134,8 @@ export async function deleteItemAsync(
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that resolves to the previously stored value. It will return `null` if there is no entry
- * for the given key or if the key has been invalidated. It will reject if an error occurs while retrieving the value.
+ * @return A promise that resolves to the previously stored value. It resolves with `null` if there is no entry
+ * for the given key or if the key has been invalidated. It rejects if an error occurs while retrieving the value.
  *
  * > Keys are invalidated by the system when biometrics change, such as adding a new fingerprint or changing the face profile used for face recognition.
  * > After a key has been invalidated, it becomes impossible to read its value.
@@ -151,7 +157,7 @@ export async function getItemAsync(
  * @param value The value to store. Size limit is 2048 bytes.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return A promise that will reject if value cannot be stored on the device.
+ * @return A promise that rejects if value cannot be stored on the device.
  */
 export async function setItemAsync(
   key: string,
@@ -195,7 +201,8 @@ export function setItem(key: string, value: string, options: SecureStoreOptions
  * @param key The key that was used to store the associated value.
  * @param options An [`SecureStoreOptions`](#securestoreoptions) object.
  *
- * @return Previously stored value. It will return `null` if there is no entry for the given key or if the key has been invalidated.
+ * @return Previously stored value. It resolves with `null` if there is no entry
+ * for the given key or if the key has been invalidated.
  */
 export function getItem(key: string, options: SecureStoreOptions = {}): string | null {
   ensureValidKey(key);
@@ -226,36 +233,10 @@ function isValidValue(value: string) {
   if (typeof value !== 'string') {
     return false;
   }
-  if (byteCount(value) > VALUE_BYTES_LIMIT) {
+  if (byteCountOverLimit(value, VALUE_BYTES_LIMIT)) {
     console.warn(
-      'Value being stored in SecureStore is larger than 2048 bytes and it may not be stored successfully. In a future SDK version, this call may throw an error.'
+      `Value being stored in SecureStore is larger than ${VALUE_BYTES_LIMIT} bytes and it may not be stored successfully. In a future SDK version, this call may throw an error.`
     );
   }
   return true;
 }
-
-// copy-pasted from https://stackoverflow.com/a/39488643
-function byteCount(value: string) {
-  let bytes = 0;
-
-  for (let i = 0; i < value.length; i++) {
-    const codePoint = value.charCodeAt(i);
-
-    // Lone surrogates cannot be passed to encodeURI
-    if (codePoint >= 0xd800 && codePoint < 0xe000) {
-      if (codePoint < 0xdc00 && i + 1 < value.length) {
-        const next = value.charCodeAt(i + 1);
-
-        if (next >= 0xdc00 && next < 0xe000) {
-          bytes += 4;
-          i++;
-          continue;
-        }
-      }
-    }
-
-    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;
-  }
-
-  return bytes;
-}

package/src/byteCounter.ts

@@ -0,0 +1,34 @@
+export const VALUE_BYTES_LIMIT = 2048;
+
+// note this probably could be JS-engine dependent
+// inspired by https://stackoverflow.com/a/39488643
+export function byteCountOverLimit(value: string, limit: number): boolean {
+  let bytes = 0;
+
+  for (let i = 0; i < value.length; i++) {
+    const codePoint = value.charCodeAt(i);
+
+    // Lone surrogates cannot be passed to encodeURI
+    if (codePoint >= 0xd800 && codePoint < 0xe000) {
+      if (codePoint < 0xdc00 && i + 1 < value.length) {
+        const next = value.charCodeAt(i + 1);
+
+        if (next >= 0xdc00 && next < 0xe000) {
+          bytes += 4;
+          if (bytes > limit) {
+            return true;
+          }
+          i++;
+          continue;
+        }
+      }
+    }
+
+    bytes += codePoint < 0x80 ? 1 : codePoint < 0x800 ? 2 : 3;
+    if (bytes > limit) {
+      return true;
+    }
+  }
+
+  return bytes > limit;
+}