react-native-nitro-storage 0.3.0 → 0.3.2

package/lib/module/index.web.js

@@ -1,10 +1,18 @@
 "use strict";
 
-import { useRef, useSyncExternalStore } from "react";
-import { StorageScope } from "./Storage.types";
-import { MIGRATION_VERSION_KEY, isStoredEnvelope, assertBatchScope, assertValidScope, serializeWithPrimitiveFastPath, deserializeWithPrimitiveFastPath } from "./internal";
-export { StorageScope } from "./Storage.types";
+import { StorageScope, AccessControl } from "./Storage.types";
+import { MIGRATION_VERSION_KEY, isStoredEnvelope, assertBatchScope, assertValidScope, serializeWithPrimitiveFastPath, deserializeWithPrimitiveFastPath, prefixKey, isNamespaced } from "./internal";
+export { StorageScope, AccessControl, BiometricLevel } from "./Storage.types";
 export { migrateFromMMKV } from "./migration";
+function asInternal(item) {
+  return item;
+}
+function isUpdater(valueOrFn) {
+  return typeof valueOrFn === "function";
+}
+function typedKeys(record) {
+  return Object.keys(record);
+}
 const registeredMigrations = new Map();
 const runMicrotask = typeof queueMicrotask === "function" ? queueMicrotask : task => {
   Promise.resolve().then(task);
@@ -13,17 +21,71 @@ const memoryStore = new Map();
 const memoryListeners = new Map();
 const webScopeListeners = new Map([[StorageScope.Disk, new Map()], [StorageScope.Secure, new Map()]]);
 const scopedRawCache = new Map([[StorageScope.Disk, new Map()], [StorageScope.Secure, new Map()]]);
+const webScopeKeyIndex = new Map([[StorageScope.Disk, new Set()], [StorageScope.Secure, new Set()]]);
+const hydratedWebScopeKeyIndex = new Set();
 const pendingSecureWrites = new Map();
 let secureFlushScheduled = false;
+const SECURE_WEB_PREFIX = "__secure_";
+const BIOMETRIC_WEB_PREFIX = "__bio_";
+let hasWarnedAboutWebBiometricFallback = false;
 function getBrowserStorage(scope) {
   if (scope === StorageScope.Disk) {
     return globalThis.localStorage;
   }
   if (scope === StorageScope.Secure) {
-    return globalThis.sessionStorage;
+    return globalThis.localStorage;
   }
   return undefined;
 }
+function toSecureStorageKey(key) {
+  return `${SECURE_WEB_PREFIX}${key}`;
+}
+function fromSecureStorageKey(key) {
+  return key.slice(SECURE_WEB_PREFIX.length);
+}
+function toBiometricStorageKey(key) {
+  return `${BIOMETRIC_WEB_PREFIX}${key}`;
+}
+function fromBiometricStorageKey(key) {
+  return key.slice(BIOMETRIC_WEB_PREFIX.length);
+}
+function getWebScopeKeyIndex(scope) {
+  return webScopeKeyIndex.get(scope);
+}
+function hydrateWebScopeKeyIndex(scope) {
+  if (hydratedWebScopeKeyIndex.has(scope)) {
+    return;
+  }
+  const storage = getBrowserStorage(scope);
+  const keyIndex = getWebScopeKeyIndex(scope);
+  keyIndex.clear();
+  if (storage) {
+    for (let index = 0; index < storage.length; index += 1) {
+      const key = storage.key(index);
+      if (!key) {
+        continue;
+      }
+      if (scope === StorageScope.Disk) {
+        if (!key.startsWith(SECURE_WEB_PREFIX) && !key.startsWith(BIOMETRIC_WEB_PREFIX)) {
+          keyIndex.add(key);
+        }
+        continue;
+      }
+      if (key.startsWith(SECURE_WEB_PREFIX)) {
+        keyIndex.add(fromSecureStorageKey(key));
+        continue;
+      }
+      if (key.startsWith(BIOMETRIC_WEB_PREFIX)) {
+        keyIndex.add(fromBiometricStorageKey(key));
+      }
+    }
+  }
+  hydratedWebScopeKeyIndex.add(scope);
+}
+function ensureWebScopeKeyIndex(scope) {
+  hydrateWebScopeKeyIndex(scope);
+  return getWebScopeKeyIndex(scope);
+}
 function getScopedListeners(scope) {
   return webScopeListeners.get(scope);
 }
@@ -122,26 +184,65 @@ const WebStorage = {
   dispose: () => {},
   set: (key, value, scope) => {
     const storage = getBrowserStorage(scope);
-    storage?.setItem(key, value);
+    if (!storage) {
+      return;
+    }
+    const storageKey = scope === StorageScope.Secure ? toSecureStorageKey(key) : key;
+    storage.setItem(storageKey, value);
     if (scope === StorageScope.Disk || scope === StorageScope.Secure) {
+      ensureWebScopeKeyIndex(scope).add(key);
       notifyKeyListeners(getScopedListeners(scope), key);
     }
   },
   get: (key, scope) => {
     const storage = getBrowserStorage(scope);
-    return storage?.getItem(key) ?? undefined;
+    const storageKey = scope === StorageScope.Secure ? toSecureStorageKey(key) : key;
+    return storage?.getItem(storageKey) ?? undefined;
   },
   remove: (key, scope) => {
     const storage = getBrowserStorage(scope);
-    storage?.removeItem(key);
+    if (!storage) {
+      return;
+    }
+    if (scope === StorageScope.Secure) {
+      storage.removeItem(toSecureStorageKey(key));
+      storage.removeItem(toBiometricStorageKey(key));
+    } else {
+      storage.removeItem(key);
+    }
     if (scope === StorageScope.Disk || scope === StorageScope.Secure) {
+      ensureWebScopeKeyIndex(scope).delete(key);
       notifyKeyListeners(getScopedListeners(scope), key);
     }
   },
   clear: scope => {
     const storage = getBrowserStorage(scope);
-    storage?.clear();
+    if (!storage) {
+      return;
+    }
+    if (scope === StorageScope.Secure) {
+      const keysToRemove = [];
+      for (let i = 0; i < storage.length; i++) {
+        const key = storage.key(i);
+        if (key?.startsWith(SECURE_WEB_PREFIX) || key?.startsWith(BIOMETRIC_WEB_PREFIX)) {
+          keysToRemove.push(key);
+        }
+      }
+      keysToRemove.forEach(key => storage.removeItem(key));
+    } else if (scope === StorageScope.Disk) {
+      const keysToRemove = [];
+      for (let i = 0; i < storage.length; i++) {
+        const key = storage.key(i);
+        if (key && !key.startsWith(SECURE_WEB_PREFIX) && !key.startsWith(BIOMETRIC_WEB_PREFIX)) {
+          keysToRemove.push(key);
+        }
+      }
+      keysToRemove.forEach(key => storage.removeItem(key));
+    } else {
+      storage.clear();
+    }
     if (scope === StorageScope.Disk || scope === StorageScope.Secure) {
+      ensureWebScopeKeyIndex(scope).clear();
       notifyAllListeners(getScopedListeners(scope));
     }
   },
@@ -151,32 +252,129 @@ const WebStorage = {
       return;
     }
     keys.forEach((key, index) => {
-      storage.setItem(key, values[index]);
+      const value = values[index];
+      if (value === undefined) {
+        return;
+      }
+      const storageKey = scope === StorageScope.Secure ? toSecureStorageKey(key) : key;
+      storage.setItem(storageKey, value);
     });
     if (scope === StorageScope.Disk || scope === StorageScope.Secure) {
+      const keyIndex = ensureWebScopeKeyIndex(scope);
+      keys.forEach(key => keyIndex.add(key));
       const listeners = getScopedListeners(scope);
       keys.forEach(key => notifyKeyListeners(listeners, key));
     }
   },
   getBatch: (keys, scope) => {
     const storage = getBrowserStorage(scope);
-    return keys.map(key => storage?.getItem(key) ?? undefined);
+    return keys.map(key => {
+      const storageKey = scope === StorageScope.Secure ? toSecureStorageKey(key) : key;
+      return storage?.getItem(storageKey) ?? undefined;
+    });
   },
   removeBatch: (keys, scope) => {
     const storage = getBrowserStorage(scope);
     if (!storage) {
       return;
     }
-    keys.forEach(key => {
-      storage.removeItem(key);
-    });
+    if (scope === StorageScope.Secure) {
+      keys.forEach(key => {
+        storage.removeItem(toSecureStorageKey(key));
+        storage.removeItem(toBiometricStorageKey(key));
+      });
+    } else {
+      keys.forEach(key => {
+        storage.removeItem(key);
+      });
+    }
     if (scope === StorageScope.Disk || scope === StorageScope.Secure) {
+      const keyIndex = ensureWebScopeKeyIndex(scope);
+      keys.forEach(key => keyIndex.delete(key));
       const listeners = getScopedListeners(scope);
       keys.forEach(key => notifyKeyListeners(listeners, key));
     }
   },
+  removeByPrefix: (prefix, scope) => {
+    if (scope !== StorageScope.Disk && scope !== StorageScope.Secure) {
+      return;
+    }
+    const keyIndex = ensureWebScopeKeyIndex(scope);
+    const keys = Array.from(keyIndex).filter(key => key.startsWith(prefix));
+    if (keys.length === 0) {
+      return;
+    }
+    WebStorage.removeBatch(keys, scope);
+  },
   addOnChange: (_scope, _callback) => {
     return () => {};
+  },
+  has: (key, scope) => {
+    const storage = getBrowserStorage(scope);
+    if (scope === StorageScope.Secure) {
+      return storage?.getItem(toSecureStorageKey(key)) !== null || storage?.getItem(toBiometricStorageKey(key)) !== null;
+    }
+    return storage?.getItem(key) !== null;
+  },
+  getAllKeys: scope => {
+    if (scope !== StorageScope.Disk && scope !== StorageScope.Secure) {
+      return [];
+    }
+    return Array.from(ensureWebScopeKeyIndex(scope));
+  },
+  size: scope => {
+    if (scope === StorageScope.Disk || scope === StorageScope.Secure) {
+      return ensureWebScopeKeyIndex(scope).size;
+    }
+    return 0;
+  },
+  setSecureAccessControl: () => {},
+  setSecureWritesAsync: _enabled => {},
+  setKeychainAccessGroup: () => {},
+  setSecureBiometric: (key, value) => {
+    if (typeof __DEV__ !== "undefined" && __DEV__ && !hasWarnedAboutWebBiometricFallback) {
+      hasWarnedAboutWebBiometricFallback = true;
+      console.warn("[NitroStorage] Biometric storage is not supported on web. Using localStorage.");
+    }
+    globalThis.localStorage?.setItem(toBiometricStorageKey(key), value);
+    ensureWebScopeKeyIndex(StorageScope.Secure).add(key);
+    notifyKeyListeners(getScopedListeners(StorageScope.Secure), key);
+  },
+  getSecureBiometric: key => {
+    return globalThis.localStorage?.getItem(toBiometricStorageKey(key)) ?? undefined;
+  },
+  deleteSecureBiometric: key => {
+    const storage = globalThis.localStorage;
+    storage?.removeItem(toBiometricStorageKey(key));
+    if (storage?.getItem(toSecureStorageKey(key)) === null) {
+      ensureWebScopeKeyIndex(StorageScope.Secure).delete(key);
+    }
+    notifyKeyListeners(getScopedListeners(StorageScope.Secure), key);
+  },
+  hasSecureBiometric: key => {
+    return globalThis.localStorage?.getItem(toBiometricStorageKey(key)) !== null;
+  },
+  clearSecureBiometric: () => {
+    const storage = globalThis.localStorage;
+    if (!storage) return;
+    const keysToNotify = [];
+    const toRemove = [];
+    for (let i = 0; i < storage.length; i++) {
+      const k = storage.key(i);
+      if (k?.startsWith(BIOMETRIC_WEB_PREFIX)) {
+        toRemove.push(k);
+        keysToNotify.push(fromBiometricStorageKey(k));
+      }
+    }
+    toRemove.forEach(k => storage.removeItem(k));
+    const keyIndex = ensureWebScopeKeyIndex(StorageScope.Secure);
+    keysToNotify.forEach(key => {
+      if (storage.getItem(toSecureStorageKey(key)) === null) {
+        keyIndex.delete(key);
+      }
+    });
+    const listeners = getScopedListeners(StorageScope.Secure);
+    keysToNotify.forEach(key => notifyKeyListeners(listeners, key));
   }
 };
 function getRawValue(key, scope) {
@@ -247,10 +445,71 @@ export const storage = {
     storage.clear(StorageScope.Memory);
     storage.clear(StorageScope.Disk);
     storage.clear(StorageScope.Secure);
-  }
+  },
+  clearNamespace: (namespace, scope) => {
+    assertValidScope(scope);
+    if (scope === StorageScope.Memory) {
+      for (const key of memoryStore.keys()) {
+        if (isNamespaced(key, namespace)) {
+          memoryStore.delete(key);
+        }
+      }
+      notifyAllListeners(memoryListeners);
+      return;
+    }
+    const keyPrefix = prefixKey(namespace, "");
+    if (scope === StorageScope.Secure) {
+      flushSecureWrites();
+    }
+    clearScopeRawCache(scope);
+    WebStorage.removeByPrefix(keyPrefix, scope);
+  },
+  clearBiometric: () => {
+    WebStorage.clearSecureBiometric();
+  },
+  has: (key, scope) => {
+    assertValidScope(scope);
+    if (scope === StorageScope.Memory) return memoryStore.has(key);
+    return WebStorage.has(key, scope);
+  },
+  getAllKeys: scope => {
+    assertValidScope(scope);
+    if (scope === StorageScope.Memory) return Array.from(memoryStore.keys());
+    return WebStorage.getAllKeys(scope);
+  },
+  getAll: scope => {
+    assertValidScope(scope);
+    const result = {};
+    if (scope === StorageScope.Memory) {
+      memoryStore.forEach((value, key) => {
+        if (typeof value === "string") result[key] = value;
+      });
+      return result;
+    }
+    const keys = WebStorage.getAllKeys(scope);
+    keys.forEach(key => {
+      const val = WebStorage.get(key, scope);
+      if (val !== undefined) result[key] = val;
+    });
+    return result;
+  },
+  size: scope => {
+    assertValidScope(scope);
+    if (scope === StorageScope.Memory) return memoryStore.size;
+    return WebStorage.size(scope);
+  },
+  setAccessControl: _level => {},
+  setSecureWritesAsync: _enabled => {},
+  flushSecureWrites: () => {
+    flushSecureWrites();
+  },
+  setKeychainAccessGroup: _group => {}
 };
 function canUseRawBatchPath(item) {
-  return item._hasExpiration === false && item._hasValidation === false;
+  return item._hasExpiration === false && item._hasValidation === false && item._isBiometric !== true && item._secureAccessControl === undefined;
+}
+function canUseSecureRawBatchPath(item) {
+  return item._hasExpiration === false && item._hasValidation === false && item._isBiometric !== true;
 }
 function defaultSerialize(value) {
   return serializeWithPrimitiveFastPath(value);
@@ -259,16 +518,21 @@ function defaultDeserialize(value) {
   return deserializeWithPrimitiveFastPath(value);
 }
 export function createStorageItem(config) {
+  const storageKey = prefixKey(config.namespace, config.key);
   const serialize = config.serialize ?? defaultSerialize;
   const deserialize = config.deserialize ?? defaultDeserialize;
   const isMemory = config.scope === StorageScope.Memory;
+  const isBiometric = config.biometric === true && config.scope === StorageScope.Secure;
+  const secureAccessControl = config.accessControl;
   const validate = config.validate;
   const onValidationError = config.onValidationError;
   const expiration = config.expiration;
+  const onExpired = config.onExpired;
   const expirationTtlMs = expiration?.ttlMs;
   const memoryExpiration = expiration && isMemory ? new Map() : null;
   const readCache = !isMemory && config.readCache === true;
-  const coalesceSecureWrites = config.scope === StorageScope.Secure && config.coalesceSecureWrites === true;
+  const coalesceSecureWrites = config.scope === StorageScope.Secure && config.coalesceSecureWrites === true && !isBiometric && secureAccessControl === undefined;
+  const defaultValue = config.defaultValue;
   const nonMemoryScope = config.scope === StorageScope.Disk ? StorageScope.Disk : config.scope === StorageScope.Secure ? StorageScope.Secure : null;
   if (expiration && expiration.ttlMs <= 0) {
     throw new Error("expiration.ttlMs must be greater than 0.");
@@ -278,10 +542,12 @@ export function createStorageItem(config) {
   let lastRaw = undefined;
   let lastValue;
   let hasLastValue = false;
+  let lastExpiresAt = undefined;
   const invalidateParsedCache = () => {
     lastRaw = undefined;
     lastValue = undefined;
     hasLastValue = false;
+    lastExpiresAt = undefined;
   };
   const ensureSubscription = () => {
     if (unsubscribe) {
@@ -292,65 +558,77 @@ export function createStorageItem(config) {
       listeners.forEach(callback => callback());
     };
     if (isMemory) {
-      unsubscribe = addKeyListener(memoryListeners, config.key, listener);
+      unsubscribe = addKeyListener(memoryListeners, storageKey, listener);
       return;
     }
-    unsubscribe = addKeyListener(getScopedListeners(nonMemoryScope), config.key, listener);
+    unsubscribe = addKeyListener(getScopedListeners(nonMemoryScope), storageKey, listener);
   };
   const readStoredRaw = () => {
     if (isMemory) {
       if (memoryExpiration) {
-        const expiresAt = memoryExpiration.get(config.key);
+        const expiresAt = memoryExpiration.get(storageKey);
         if (expiresAt !== undefined && expiresAt <= Date.now()) {
-          memoryExpiration.delete(config.key);
-          memoryStore.delete(config.key);
-          notifyKeyListeners(memoryListeners, config.key);
+          memoryExpiration.delete(storageKey);
+          memoryStore.delete(storageKey);
+          notifyKeyListeners(memoryListeners, storageKey);
+          onExpired?.(storageKey);
           return undefined;
         }
       }
-      return memoryStore.get(config.key);
+      return memoryStore.get(storageKey);
     }
-    if (nonMemoryScope === StorageScope.Secure && hasPendingSecureWrite(config.key)) {
-      return readPendingSecureWrite(config.key);
+    if (nonMemoryScope === StorageScope.Secure && !isBiometric && hasPendingSecureWrite(storageKey)) {
+      return readPendingSecureWrite(storageKey);
     }
     if (readCache) {
-      if (hasCachedRawValue(nonMemoryScope, config.key)) {
-        return readCachedRawValue(nonMemoryScope, config.key);
+      if (hasCachedRawValue(nonMemoryScope, storageKey)) {
+        return readCachedRawValue(nonMemoryScope, storageKey);
       }
     }
-    const raw = WebStorage.get(config.key, config.scope);
-    cacheRawValue(nonMemoryScope, config.key, raw);
+    if (isBiometric) {
+      return WebStorage.getSecureBiometric(storageKey);
+    }
+    const raw = WebStorage.get(storageKey, config.scope);
+    cacheRawValue(nonMemoryScope, storageKey, raw);
     return raw;
   };
   const writeStoredRaw = rawValue => {
-    cacheRawValue(nonMemoryScope, config.key, rawValue);
+    if (isBiometric) {
+      WebStorage.setSecureBiometric(storageKey, rawValue);
+      return;
+    }
+    cacheRawValue(nonMemoryScope, storageKey, rawValue);
     if (coalesceSecureWrites) {
-      scheduleSecureWrite(config.key, rawValue);
+      scheduleSecureWrite(storageKey, rawValue);
       return;
     }
     if (nonMemoryScope === StorageScope.Secure) {
-      clearPendingSecureWrite(config.key);
+      clearPendingSecureWrite(storageKey);
     }
-    WebStorage.set(config.key, rawValue, config.scope);
+    WebStorage.set(storageKey, rawValue, config.scope);
   };
   const removeStoredRaw = () => {
-    cacheRawValue(nonMemoryScope, config.key, undefined);
+    if (isBiometric) {
+      WebStorage.deleteSecureBiometric(storageKey);
+      return;
+    }
+    cacheRawValue(nonMemoryScope, storageKey, undefined);
     if (coalesceSecureWrites) {
-      scheduleSecureWrite(config.key, undefined);
+      scheduleSecureWrite(storageKey, undefined);
       return;
     }
     if (nonMemoryScope === StorageScope.Secure) {
-      clearPendingSecureWrite(config.key);
+      clearPendingSecureWrite(storageKey);
     }
-    WebStorage.remove(config.key, config.scope);
+    WebStorage.remove(storageKey, config.scope);
   };
   const writeValueWithoutValidation = value => {
     if (isMemory) {
       if (memoryExpiration) {
-        memoryExpiration.set(config.key, Date.now() + (expirationTtlMs ?? 0));
+        memoryExpiration.set(storageKey, Date.now() + (expirationTtlMs ?? 0));
       }
-      memoryStore.set(config.key, value);
-      notifyKeyListeners(memoryListeners, config.key);
+      memoryStore.set(storageKey, value);
+      notifyKeyListeners(memoryListeners, storageKey);
       return;
     }
     const serialized = serialize(value);
@@ -369,7 +647,7 @@ export function createStorageItem(config) {
     if (onValidationError) {
       return onValidationError(invalidValue);
     }
-    return config.defaultValue;
+    return defaultValue;
   };
   const ensureValidatedValue = (candidate, hadStoredValue) => {
     if (!validate || validate(candidate)) {
@@ -377,7 +655,7 @@ export function createStorageItem(config) {
     }
     const resolved = resolveInvalidValue(candidate);
     if (validate && !validate(resolved)) {
-      return config.defaultValue;
+      return defaultValue;
     }
     if (hadStoredValue) {
       writeValueWithoutValidation(resolved);
@@ -386,30 +664,53 @@ export function createStorageItem(config) {
   };
   const get = () => {
     const raw = readStoredRaw();
-    const canUseCachedValue = !expiration && !memoryExpiration;
-    if (canUseCachedValue && raw === lastRaw && hasLastValue) {
-      return lastValue;
+    if (!memoryExpiration && raw === lastRaw && hasLastValue) {
+      if (!expiration || lastExpiresAt === null) {
+        return lastValue;
+      }
+      if (typeof lastExpiresAt === "number") {
+        if (lastExpiresAt > Date.now()) {
+          return lastValue;
+        }
+        removeStoredRaw();
+        invalidateParsedCache();
+        onExpired?.(storageKey);
+        lastValue = ensureValidatedValue(defaultValue, false);
+        hasLastValue = true;
+        return lastValue;
+      }
     }
     lastRaw = raw;
     if (raw === undefined) {
-      lastValue = ensureValidatedValue(config.defaultValue, false);
+      lastExpiresAt = undefined;
+      lastValue = ensureValidatedValue(defaultValue, false);
       hasLastValue = true;
       return lastValue;
     }
     if (isMemory) {
+      lastExpiresAt = undefined;
       lastValue = ensureValidatedValue(raw, true);
       hasLastValue = true;
       return lastValue;
     }
+    if (typeof raw !== "string") {
+      lastExpiresAt = undefined;
+      lastValue = ensureValidatedValue(defaultValue, false);
+      hasLastValue = true;
+      return lastValue;
+    }
     let deserializableRaw = raw;
     if (expiration) {
+      let envelopeExpiresAt = null;
       try {
         const parsed = JSON.parse(raw);
         if (isStoredEnvelope(parsed)) {
+          envelopeExpiresAt = parsed.expiresAt;
           if (parsed.expiresAt <= Date.now()) {
             removeStoredRaw();
             invalidateParsedCache();
-            lastValue = ensureValidatedValue(config.defaultValue, false);
+            onExpired?.(storageKey);
+            lastValue = ensureValidatedValue(defaultValue, false);
             hasLastValue = true;
             return lastValue;
           }
@@ -418,17 +719,19 @@ export function createStorageItem(config) {
       } catch {
         // Keep backward compatibility with legacy raw values.
       }
+      lastExpiresAt = envelopeExpiresAt;
+    } else {
+      lastExpiresAt = undefined;
     }
     lastValue = ensureValidatedValue(deserialize(deserializableRaw), true);
     hasLastValue = true;
     return lastValue;
   };
   const set = valueOrFn => {
-    const currentValue = get();
-    const newValue = typeof valueOrFn === "function" ? valueOrFn(currentValue) : valueOrFn;
+    const newValue = isUpdater(valueOrFn) ? valueOrFn(get()) : valueOrFn;
     invalidateParsedCache();
     if (validate && !validate(newValue)) {
-      throw new Error(`Validation failed for key "${config.key}" in scope "${StorageScope[config.scope]}".`);
+      throw new Error(`Validation failed for key "${storageKey}" in scope "${StorageScope[config.scope]}".`);
     }
     writeValueWithoutValidation(newValue);
   };
@@ -436,14 +739,19 @@ export function createStorageItem(config) {
     invalidateParsedCache();
     if (isMemory) {
       if (memoryExpiration) {
-        memoryExpiration.delete(config.key);
+        memoryExpiration.delete(storageKey);
       }
-      memoryStore.delete(config.key);
-      notifyKeyListeners(memoryListeners, config.key);
+      memoryStore.delete(storageKey);
+      notifyKeyListeners(memoryListeners, storageKey);
       return;
     }
     removeStoredRaw();
   };
+  const hasItem = () => {
+    if (isMemory) return memoryStore.has(storageKey);
+    if (isBiometric) return WebStorage.hasSecureBiometric(storageKey);
+    return WebStorage.has(storageKey, config.scope);
+  };
   const subscribe = callback => {
     ensureSubscription();
     listeners.add(callback);
@@ -459,6 +767,7 @@ export function createStorageItem(config) {
     get,
     set,
     delete: deleteItem,
+    has: hasItem,
     subscribe,
     serialize,
     deserialize,
@@ -469,43 +778,22 @@ export function createStorageItem(config) {
     _hasValidation: validate !== undefined,
     _hasExpiration: expiration !== undefined,
     _readCacheEnabled: readCache,
+    _isBiometric: isBiometric,
+    ...(secureAccessControl !== undefined ? {
+      _secureAccessControl: secureAccessControl
+    } : {}),
     scope: config.scope,
-    key: config.key
+    key: storageKey
   };
   return storageItem;
 }
-export function useStorage(item) {
-  const value = useSyncExternalStore(item.subscribe, item.get, item.get);
-  return [value, item.set];
-}
-export function useStorageSelector(item, selector, isEqual = Object.is) {
-  const selectedRef = useRef({
-    hasValue: false
-  });
-  const getSelectedSnapshot = () => {
-    const nextSelected = selector(item.get());
-    const current = selectedRef.current;
-    if (current.hasValue && isEqual(current.value, nextSelected)) {
-      return current.value;
-    }
-    selectedRef.current = {
-      hasValue: true,
-      value: nextSelected
-    };
-    return nextSelected;
-  };
-  const selectedValue = useSyncExternalStore(item.subscribe, getSelectedSnapshot, getSelectedSnapshot);
-  return [selectedValue, item.set];
-}
-export function useSetStorage(item) {
-  return item.set;
-}
+export { useStorage, useStorageSelector, useSetStorage } from "./storage-hooks";
 export function getBatch(items, scope) {
   assertBatchScope(items, scope);
   if (scope === StorageScope.Memory) {
     return items.map(item => item.get());
   }
-  const useRawBatchPath = items.every(item => canUseRawBatchPath(item));
+  const useRawBatchPath = items.every(item => scope === StorageScope.Secure ? canUseSecureRawBatchPath(item) : canUseRawBatchPath(item));
   if (!useRawBatchPath) {
     return items.map(item => item.get());
   }
@@ -534,6 +822,9 @@ export function getBatch(items, scope) {
     fetchedValues.forEach((value, index) => {
       const key = keysToFetch[index];
       const targetIndex = keyIndexes[index];
+      if (key === undefined || targetIndex === undefined) {
+        return;
+      }
       rawValues[targetIndex] = value;
       cacheRawValue(scope, key, value);
     });
@@ -555,9 +846,54 @@ export function setBatch(items, scope) {
     }) => item.set(value));
     return;
   }
+  if (scope === StorageScope.Secure) {
+    const secureEntries = items.map(({
+      item,
+      value
+    }) => ({
+      item,
+      value,
+      internal: asInternal(item)
+    }));
+    const canUseSecureBatchPath = secureEntries.every(({
+      internal
+    }) => canUseSecureRawBatchPath(internal));
+    if (!canUseSecureBatchPath) {
+      items.forEach(({
+        item,
+        value
+      }) => item.set(value));
+      return;
+    }
+    flushSecureWrites();
+    const groupedByAccessControl = new Map();
+    secureEntries.forEach(({
+      item,
+      value,
+      internal
+    }) => {
+      const accessControl = internal._secureAccessControl ?? AccessControl.WhenUnlocked;
+      const existingGroup = groupedByAccessControl.get(accessControl);
+      const group = existingGroup ?? {
+        keys: [],
+        values: []
+      };
+      group.keys.push(item.key);
+      group.values.push(item.serialize(value));
+      if (!existingGroup) {
+        groupedByAccessControl.set(accessControl, group);
+      }
+    });
+    groupedByAccessControl.forEach((group, accessControl) => {
+      WebStorage.setSecureAccessControl(accessControl);
+      WebStorage.setBatch(group.keys, group.values, scope);
+      group.keys.forEach((key, index) => cacheRawValue(scope, key, group.values[index]));
+    });
+    return;
+  }
   const useRawBatchPath = items.every(({
     item
-  }) => canUseRawBatchPath(item));
+  }) => canUseRawBatchPath(asInternal(item)));
   if (!useRawBatchPath) {
     items.forEach(({
       item,
@@ -567,9 +903,6 @@ export function setBatch(items, scope) {
   }
   const keys = items.map(entry => entry.item.key);
   const values = items.map(entry => entry.item.serialize(entry.value));
-  if (scope === StorageScope.Secure) {
-    flushSecureWrites();
-  }
   WebStorage.setBatch(keys, values, scope);
   keys.forEach((key, index) => cacheRawValue(scope, key, values[index]));
 }
@@ -668,4 +1001,30 @@ export function runTransaction(scope, transaction) {
     throw error;
   }
 }
+export function createSecureAuthStorage(config, options) {
+  const ns = options?.namespace ?? "auth";
+  const result = {};
+  for (const key of typedKeys(config)) {
+    const itemConfig = config[key];
+    const expirationConfig = itemConfig.ttlMs !== undefined ? {
+      ttlMs: itemConfig.ttlMs
+    } : undefined;
+    result[key] = createStorageItem({
+      key,
+      scope: StorageScope.Secure,
+      defaultValue: "",
+      namespace: ns,
+      ...(itemConfig.biometric !== undefined ? {
+        biometric: itemConfig.biometric
+      } : {}),
+      ...(itemConfig.accessControl !== undefined ? {
+        accessControl: itemConfig.accessControl
+      } : {}),
+      ...(expirationConfig !== undefined ? {
+        expiration: expirationConfig
+      } : {})
+    });
+  }
+  return result;
+}
 //# sourceMappingURL=index.web.js.map