react-native-nitro-storage 0.3.0 → 0.3.2

package/ios/IOSStorageAdapterCpp.mm

@@ -1,10 +1,14 @@
 #import "IOSStorageAdapterCpp.hpp"
 #import <Foundation/Foundation.h>
 #import <Security/Security.h>
+#import <LocalAuthentication/LocalAuthentication.h>
+#include <algorithm>
+#include <unordered_set>
 
 namespace NitroStorage {
 
 static NSString* const kKeychainService = @"com.nitrostorage.keychain";
+static NSString* const kBiometricKeychainService = @"com.nitrostorage.biometric";
 static NSString* const kDiskSuiteName = @"com.nitrostorage.disk";
 
 static NSUserDefaults* NitroDiskDefaults() {
@@ -12,9 +16,21 @@ static NSUserDefaults* NitroDiskDefaults() {
     return defaults ?: [NSUserDefaults standardUserDefaults];
 }
 
+static CFStringRef accessControlAttr(int level) {
+    switch (level) {
+        case 1: return kSecAttrAccessibleAfterFirstUnlock;
+        case 2: return kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly;
+        case 3: return kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
+        case 4: return kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
+        default: return kSecAttrAccessibleWhenUnlocked;
+    }
+}
+
 IOSStorageAdapterCpp::IOSStorageAdapterCpp() {}
 IOSStorageAdapterCpp::~IOSStorageAdapterCpp() {}
 
+// --- Disk ---
+
 void IOSStorageAdapterCpp::setDisk(const std::string& key, const std::string& value) {
     NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
     NSString* nsValue = [NSString stringWithUTF8String:value.c_str()];
@@ -48,6 +64,25 @@ void IOSStorageAdapterCpp::deleteDisk(const std::string& key) {
     [[NSUserDefaults standardUserDefaults] removeObjectForKey:nsKey];
 }
 
+bool IOSStorageAdapterCpp::hasDisk(const std::string& key) {
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    return [NitroDiskDefaults() objectForKey:nsKey] != nil;
+}
+
+std::vector<std::string> IOSStorageAdapterCpp::getAllKeysDisk() {
+    NSDictionary<NSString*, id>* entries = [NitroDiskDefaults() dictionaryRepresentation];
+    std::vector<std::string> keys;
+    keys.reserve(entries.count);
+    for (NSString* key in entries) {
+        keys.push_back(std::string([key UTF8String]));
+    }
+    return keys;
+}
+
+size_t IOSStorageAdapterCpp::sizeDisk() {
+    return [NitroDiskDefaults() dictionaryRepresentation].count;
+}
+
 void IOSStorageAdapterCpp::setDiskBatch(
     const std::vector<std::string>& keys,
     const std::vector<std::string>& values
@@ -78,15 +113,63 @@ void IOSStorageAdapterCpp::deleteDiskBatch(const std::vector<std::string>& keys)
     }
 }
 
+void IOSStorageAdapterCpp::clearDisk() {
+    NSUserDefaults* defaults = NitroDiskDefaults();
+    NSDictionary<NSString*, id>* entries = [defaults dictionaryRepresentation];
+    for (NSString* key in entries) {
+        [defaults removeObjectForKey:key];
+    }
+}
+
+// --- Secure (Keychain) ---
+
+static NSMutableDictionary* baseKeychainQuery(NSString* key, NSString* service, NSString* accessGroup) {
+    NSMutableDictionary* query = [@{
+        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+        (__bridge id)kSecAttrService: service,
+        (__bridge id)kSecAttrAccount: key
+    } mutableCopy];
+    if (accessGroup && accessGroup.length > 0) {
+        query[(__bridge id)kSecAttrAccessGroup] = accessGroup;
+    }
+    return query;
+}
+
+static NSMutableDictionary* allAccountsQuery(NSString* service, NSString* accessGroup) {
+    NSMutableDictionary* query = [@{
+        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+        (__bridge id)kSecAttrService: service,
+        (__bridge id)kSecReturnAttributes: @YES,
+        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitAll
+    } mutableCopy];
+    if (accessGroup && accessGroup.length > 0) {
+        query[(__bridge id)kSecAttrAccessGroup] = accessGroup;
+    }
+    return query;
+}
+
+static std::vector<std::string> keychainAccountsForService(NSString* service, NSString* accessGroup) {
+    NSMutableDictionary* query = allAccountsQuery(service, accessGroup);
+    CFTypeRef result = NULL;
+    std::vector<std::string> keys;
+    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) == errSecSuccess && result) {
+        NSArray* items = (__bridge_transfer NSArray*)result;
+        keys.reserve(items.count);
+        for (NSDictionary* item in items) {
+            NSString* account = item[(__bridge id)kSecAttrAccount];
+            if (account) {
+                keys.push_back(std::string([account UTF8String]));
+            }
+        }
+    }
+    return keys;
+}
+
 void IOSStorageAdapterCpp::setSecure(const std::string& key, const std::string& value) {
     NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
     NSData* data = [[NSString stringWithUTF8String:value.c_str()] dataUsingEncoding:NSUTF8StringEncoding];
-
-    NSDictionary* query = @{
-        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-        (__bridge id)kSecAttrService: kKeychainService,
-        (__bridge id)kSecAttrAccount: nsKey
-    };
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* query = baseKeychainQuery(nsKey, kKeychainService, group);
 
     NSDictionary* updateAttributes = @{
         (__bridge id)kSecValueData: data
@@ -95,21 +178,18 @@ void IOSStorageAdapterCpp::setSecure(const std::string& key, const std::string&
     OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)updateAttributes);
 
     if (status == errSecItemNotFound) {
-        NSMutableDictionary* addQuery = [query mutableCopy];
-        addQuery[(__bridge id)kSecValueData] = data;
-        addQuery[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlocked;
-        SecItemAdd((__bridge CFDictionaryRef)addQuery, NULL);
+        query[(__bridge id)kSecValueData] = data;
+        query[(__bridge id)kSecAttrAccessible] = (__bridge id)accessControlAttr(accessControlLevel_);
+        SecItemAdd((__bridge CFDictionaryRef)query, NULL);
     }
 }
 
 std::optional<std::string> IOSStorageAdapterCpp::getSecure(const std::string& key) {
-    NSDictionary* query = @{
-        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-        (__bridge id)kSecAttrService: kKeychainService,
-        (__bridge id)kSecAttrAccount: [NSString stringWithUTF8String:key.c_str()],
-        (__bridge id)kSecReturnData: @YES,
-        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
-    };
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* query = baseKeychainQuery(nsKey, kKeychainService, group);
+    query[(__bridge id)kSecReturnData] = @YES;
+    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
 
     CFTypeRef result = NULL;
     if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) == errSecSuccess && result) {
@@ -121,12 +201,40 @@ std::optional<std::string> IOSStorageAdapterCpp::getSecure(const std::string& ke
 }
 
 void IOSStorageAdapterCpp::deleteSecure(const std::string& key) {
-    NSDictionary* query = @{
-        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-        (__bridge id)kSecAttrService: kKeychainService,
-        (__bridge id)kSecAttrAccount: [NSString stringWithUTF8String:key.c_str()]
-    };
-    SecItemDelete((__bridge CFDictionaryRef)query);
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* secureQuery = baseKeychainQuery(nsKey, kKeychainService, group);
+    SecItemDelete((__bridge CFDictionaryRef)secureQuery);
+    NSMutableDictionary* biometricQuery = baseKeychainQuery(nsKey, kBiometricKeychainService, group);
+    SecItemDelete((__bridge CFDictionaryRef)biometricQuery);
+}
+
+bool IOSStorageAdapterCpp::hasSecure(const std::string& key) {
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* secureQuery = baseKeychainQuery(nsKey, kKeychainService, group);
+    if (SecItemCopyMatching((__bridge CFDictionaryRef)secureQuery, NULL) == errSecSuccess) {
+        return true;
+    }
+    NSMutableDictionary* biometricQuery = baseKeychainQuery(nsKey, kBiometricKeychainService, group);
+    return SecItemCopyMatching((__bridge CFDictionaryRef)biometricQuery, NULL) == errSecSuccess;
+}
+
+std::vector<std::string> IOSStorageAdapterCpp::getAllKeysSecure() {
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    std::vector<std::string> keys = keychainAccountsForService(kKeychainService, group);
+    std::unordered_set<std::string> seen(keys.begin(), keys.end());
+    const std::vector<std::string> biometricKeys = keychainAccountsForService(kBiometricKeychainService, group);
+    for (const auto& key : biometricKeys) {
+        if (seen.insert(key).second) {
+            keys.push_back(key);
+        }
+    }
+    return keys;
+}
+
+size_t IOSStorageAdapterCpp::sizeSecure() {
+    return getAllKeysSecure().size();
 }
 
 void IOSStorageAdapterCpp::setSecureBatch(
@@ -155,19 +263,118 @@ void IOSStorageAdapterCpp::deleteSecureBatch(const std::vector<std::string>& key
     }
 }
 
-void IOSStorageAdapterCpp::clearDisk() {
-    NSUserDefaults* defaults = NitroDiskDefaults();
-    NSDictionary<NSString*, id>* entries = [defaults dictionaryRepresentation];
-    for (NSString* key in entries) {
-        [defaults removeObjectForKey:key];
+void IOSStorageAdapterCpp::clearSecure() {
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* secureQuery = [@{
+        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+        (__bridge id)kSecAttrService: kKeychainService
+    } mutableCopy];
+    if (group && group.length > 0) {
+        secureQuery[(__bridge id)kSecAttrAccessGroup] = group;
     }
+    SecItemDelete((__bridge CFDictionaryRef)secureQuery);
+
+    NSMutableDictionary* biometricQuery = [@{
+        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+        (__bridge id)kSecAttrService: kBiometricKeychainService
+    } mutableCopy];
+    if (group && group.length > 0) {
+        biometricQuery[(__bridge id)kSecAttrAccessGroup] = group;
+    }
+    SecItemDelete((__bridge CFDictionaryRef)biometricQuery);
 }
 
-void IOSStorageAdapterCpp::clearSecure() {
-    NSDictionary* query = @{
+// --- Configuration ---
+
+void IOSStorageAdapterCpp::setSecureAccessControl(int level) {
+    accessControlLevel_ = level;
+}
+
+void IOSStorageAdapterCpp::setSecureWritesAsync(bool /*enabled*/) {
+    // iOS writes are synchronous by design; keep behavior unchanged.
+}
+
+void IOSStorageAdapterCpp::setKeychainAccessGroup(const std::string& group) {
+    keychainAccessGroup_ = group;
+}
+
+// --- Biometric (separate Keychain service with biometric ACL) ---
+
+void IOSStorageAdapterCpp::setSecureBiometric(const std::string& key, const std::string& value) {
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    NSData* data = [[NSString stringWithUTF8String:value.c_str()] dataUsingEncoding:NSUTF8StringEncoding];
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+
+    // Delete existing item first (access control can't be updated in place)
+    NSMutableDictionary* deleteQuery = baseKeychainQuery(nsKey, kBiometricKeychainService, group);
+    SecItemDelete((__bridge CFDictionaryRef)deleteQuery);
+
+    CFErrorRef error = NULL;
+    SecAccessControlRef access = SecAccessControlCreateWithFlags(
+        kCFAllocatorDefault,
+        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
+        kSecAccessControlBiometryCurrentSet,
+        &error
+    );
+
+    if (error || !access) {
+        if (access) CFRelease(access);
+        throw std::runtime_error("NitroStorage: Failed to create biometric access control");
+    }
+
+    NSMutableDictionary* attrs = baseKeychainQuery(nsKey, kBiometricKeychainService, group);
+    attrs[(__bridge id)kSecValueData] = data;
+    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)access;
+
+    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
+    if (status != errSecSuccess) {
+        throw std::runtime_error("NitroStorage: Biometric set failed with status " + std::to_string(status));
+    }
+}
+
+std::optional<std::string> IOSStorageAdapterCpp::getSecureBiometric(const std::string& key) {
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* query = baseKeychainQuery(nsKey, kBiometricKeychainService, group);
+    query[(__bridge id)kSecReturnData] = @YES;
+    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
+
+    CFTypeRef result = NULL;
+    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
+    if (status == errSecSuccess && result) {
+        NSData* data = (__bridge_transfer NSData*)result;
+        NSString* str = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
+        if (str) return std::string([str UTF8String]);
+    }
+    if (status == errSecUserCanceled || status == errSecAuthFailed) {
+        throw std::runtime_error("NitroStorage: Biometric authentication failed");
+    }
+    return std::nullopt;
+}
+
+void IOSStorageAdapterCpp::deleteSecureBiometric(const std::string& key) {
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* query = baseKeychainQuery(nsKey, kBiometricKeychainService, group);
+    SecItemDelete((__bridge CFDictionaryRef)query);
+}
+
+bool IOSStorageAdapterCpp::hasSecureBiometric(const std::string& key) {
+    NSString* nsKey = [NSString stringWithUTF8String:key.c_str()];
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* query = baseKeychainQuery(nsKey, kBiometricKeychainService, group);
+    return SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL) == errSecSuccess;
+}
+
+void IOSStorageAdapterCpp::clearSecureBiometric() {
+    NSString* group = keychainAccessGroup_.empty() ? nil : [NSString stringWithUTF8String:keychainAccessGroup_.c_str()];
+    NSMutableDictionary* query = [@{
         (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-        (__bridge id)kSecAttrService: kKeychainService
-    };
+        (__bridge id)kSecAttrService: kBiometricKeychainService
+    } mutableCopy];
+    if (group && group.length > 0) {
+        query[(__bridge id)kSecAttrAccessGroup] = group;
+    }
     SecItemDelete((__bridge CFDictionaryRef)query);
 }
 

package/lib/commonjs/Storage.types.js

@@ -3,11 +3,33 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.StorageScope = void 0;
+exports.StorageScope = exports.BiometricLevel = exports.AccessControl = void 0;
 let StorageScope = exports.StorageScope = /*#__PURE__*/function (StorageScope) {
   StorageScope[StorageScope["Memory"] = 0] = "Memory";
   StorageScope[StorageScope["Disk"] = 1] = "Disk";
   StorageScope[StorageScope["Secure"] = 2] = "Secure";
   return StorageScope;
 }({});
+let AccessControl = exports.AccessControl = /*#__PURE__*/function (AccessControl) {
+  /** Accessible when unlocked (default). */
+  AccessControl[AccessControl["WhenUnlocked"] = 0] = "WhenUnlocked";
+  /** Accessible after first unlock until restart. Good for background token refresh. */
+  AccessControl[AccessControl["AfterFirstUnlock"] = 1] = "AfterFirstUnlock";
+  /** Accessible only when passcode is set, non-migratable. */
+  AccessControl[AccessControl["WhenPasscodeSetThisDeviceOnly"] = 2] = "WhenPasscodeSetThisDeviceOnly";
+  /** Same as WhenUnlocked but non-migratable between devices. */
+  AccessControl[AccessControl["WhenUnlockedThisDeviceOnly"] = 3] = "WhenUnlockedThisDeviceOnly";
+  /** Same as AfterFirstUnlock but non-migratable. */
+  AccessControl[AccessControl["AfterFirstUnlockThisDeviceOnly"] = 4] = "AfterFirstUnlockThisDeviceOnly";
+  return AccessControl;
+}({});
+let BiometricLevel = exports.BiometricLevel = /*#__PURE__*/function (BiometricLevel) {
+  /** No biometric requirement (default). */
+  BiometricLevel[BiometricLevel["None"] = 0] = "None";
+  /** Require biometric or passcode for each access. */
+  BiometricLevel[BiometricLevel["BiometryOrPasscode"] = 1] = "BiometryOrPasscode";
+  /** Require biometric only (no passcode fallback). */
+  BiometricLevel[BiometricLevel["BiometryOnly"] = 2] = "BiometryOnly";
+  return BiometricLevel;
+}({});
 //# sourceMappingURL=Storage.types.js.map

package/lib/commonjs/Storage.types.js.map

@@ -1 +1 @@
-{"version":3,"names":["StorageScope","exports"],"sourceRoot":"../../src","sources":["Storage.types.ts"],"mappings":";;;;;;IAAYA,YAAY,GAAAC,OAAA,CAAAD,YAAA,0BAAZA,YAAY;EAAZA,YAAY,CAAZA,YAAY;EAAZA,YAAY,CAAZA,YAAY;EAAZA,YAAY,CAAZA,YAAY;EAAA,OAAZA,YAAY;AAAA","ignoreList":[]}
+{"version":3,"names":["StorageScope","exports","AccessControl","BiometricLevel"],"sourceRoot":"../../src","sources":["Storage.types.ts"],"mappings":";;;;;;IAAYA,YAAY,GAAAC,OAAA,CAAAD,YAAA,0BAAZA,YAAY;EAAZA,YAAY,CAAZA,YAAY;EAAZA,YAAY,CAAZA,YAAY;EAAZA,YAAY,CAAZA,YAAY;EAAA,OAAZA,YAAY;AAAA;AAAA,IAMZE,aAAa,GAAAD,OAAA,CAAAC,aAAA,0BAAbA,aAAa;EACvB;EADUA,aAAa,CAAbA,aAAa;EAGvB;EAHUA,aAAa,CAAbA,aAAa;EAKvB;EALUA,aAAa,CAAbA,aAAa;EAOvB;EAPUA,aAAa,CAAbA,aAAa;EASvB;EATUA,aAAa,CAAbA,aAAa;EAAA,OAAbA,aAAa;AAAA;AAAA,IAabC,cAAc,GAAAF,OAAA,CAAAE,cAAA,0BAAdA,cAAc;EACxB;EADUA,cAAc,CAAdA,cAAc;EAGxB;EAHUA,cAAc,CAAdA,cAAc;EAKxB;EALUA,cAAc,CAAdA,cAAc;EAAA,OAAdA,cAAc;AAAA","ignoreList":[]}