react-native-nitro-storage 0.4.5 → 0.5.0

package/src/index.ts

@@ -21,6 +21,8 @@ import type {
 import {
   getStorageErrorCode,
   isLockedStorageErrorCode,
+  type SecureStorageMetadata,
+  type SecurityCapabilities,
   type StorageCapabilities,
   type StorageErrorCode,
 } from "./storage-runtime";
@@ -30,6 +32,8 @@ export type { Storage } from "./Storage.nitro";
 export { migrateFromMMKV } from "./migration";
 export {
   getStorageErrorCode,
+  type SecureStorageMetadata,
+  type SecurityCapabilities,
   type StorageCapabilities,
   type StorageErrorCode,
 } from "./storage-runtime";
@@ -162,6 +166,7 @@ const metricsCounters = new Map<
   string,
   { count: number; totalDurationMs: number; maxDurationMs: number }
 >();
+const nativeSecureBackend = "platform-secure-storage";
 
 function recordMetric(
   operation: string,
@@ -803,7 +808,7 @@ export const storage = {
     platform: "native",
     backend: {
       disk: "platform-preferences",
-      secure: "platform-secure-storage",
+      secure: nativeSecureBackend,
     },
     writeBuffering: {
       disk: true,
@@ -811,6 +816,67 @@ export const storage = {
     },
     errorClassification: true,
   }),
+  getSecurityCapabilities: (): SecurityCapabilities => ({
+    platform: "native",
+    secureStorage: {
+      backend: nativeSecureBackend,
+      encrypted: "available",
+      accessControl: "unknown",
+      keychainAccessGroup: "unknown",
+      hardwareBacked: "unknown",
+    },
+    biometric: {
+      storage: "unknown",
+      prompt: "unknown",
+      biometryOnly: "unknown",
+      biometryOrPasscode: "unknown",
+    },
+    metadata: {
+      perKey: true,
+      listsWithoutValues: true,
+      persistsTimestamps: false,
+    },
+  }),
+  getSecureMetadata: (key: string): SecureStorageMetadata => {
+    return measureOperation(
+      "storage:getSecureMetadata",
+      StorageScope.Secure,
+      () => {
+        flushSecureWrites();
+        const storageModule = getStorageModule();
+        const biometricProtected = storageModule.hasSecureBiometric(key);
+        const exists =
+          biometricProtected || storageModule.has(key, StorageScope.Secure);
+        let kind: SecureStorageMetadata["kind"] = "missing";
+        if (exists) {
+          kind = biometricProtected ? "biometric" : "secure";
+        }
+
+        return {
+          key,
+          exists,
+          kind,
+          backend: nativeSecureBackend,
+          encrypted: "available",
+          hardwareBacked: "unknown",
+          biometricProtected,
+          valueExposed: false,
+        };
+      },
+    );
+  },
+  getAllSecureMetadata: (): SecureStorageMetadata[] => {
+    return measureOperation(
+      "storage:getAllSecureMetadata",
+      StorageScope.Secure,
+      () => {
+        flushSecureWrites();
+        return getStorageModule()
+          .getAllKeys(StorageScope.Secure)
+          .map((key) => storage.getSecureMetadata(key));
+      },
+    );
+  },
   getString: (key: string, scope: StorageScope): string | undefined => {
     return measureOperation("storage:getString", scope, () => {
       return getRawValue(key, scope);

package/src/index.web.ts

@@ -21,6 +21,8 @@ import {
 import {
   getStorageErrorCode,
   isLockedStorageErrorCode,
+  type SecureStorageMetadata,
+  type SecurityCapabilities,
   type StorageCapabilities,
   type StorageErrorCode,
 } from "./storage-runtime";
@@ -29,6 +31,8 @@ export { StorageScope, AccessControl, BiometricLevel } from "./Storage.types";
 export { migrateFromMMKV } from "./migration";
 export {
   getStorageErrorCode,
+  type SecureStorageMetadata,
+  type SecurityCapabilities,
   type StorageCapabilities,
   type StorageErrorCode,
 } from "./storage-runtime";
@@ -261,6 +265,12 @@ function getBackendName(
   return backend?.name ?? `web:${scopeName}`;
 }
 
+function getWebSecureEncryptionStatus(
+  backend: WebSecureStorageBackend | undefined,
+): "unavailable" | "unknown" {
+  return backend?.name === "localStorage:secure" ? "unavailable" : "unknown";
+}
+
 function createWebStorageError(
   scope: NonMemoryScope,
   operation: string,
@@ -1307,6 +1317,72 @@ export const storage = {
     },
     errorClassification: true,
   }),
+  getSecurityCapabilities: (): SecurityCapabilities => {
+    const secureBackend = getBackendName(
+      StorageScope.Secure,
+      webSecureStorageBackend,
+    );
+    return {
+      platform: "web",
+      secureStorage: {
+        backend: secureBackend,
+        encrypted: getWebSecureEncryptionStatus(webSecureStorageBackend),
+        accessControl: "unavailable",
+        keychainAccessGroup: "unavailable",
+        hardwareBacked: "unavailable",
+      },
+      biometric: {
+        storage: "unavailable",
+        prompt: "unavailable",
+        biometryOnly: "unavailable",
+        biometryOrPasscode: "unavailable",
+      },
+      metadata: {
+        perKey: true,
+        listsWithoutValues: true,
+        persistsTimestamps: false,
+      },
+    };
+  },
+  getSecureMetadata: (key: string): SecureStorageMetadata => {
+    return measureOperation(
+      "storage:getSecureMetadata",
+      StorageScope.Secure,
+      () => {
+        flushSecureWrites();
+        const biometricProtected = WebStorage.hasSecureBiometric(key);
+        const exists =
+          biometricProtected || WebStorage.has(key, StorageScope.Secure);
+        let kind: SecureStorageMetadata["kind"] = "missing";
+        if (exists) {
+          kind = biometricProtected ? "biometric" : "secure";
+        }
+
+        return {
+          key,
+          exists,
+          kind,
+          backend: getBackendName(StorageScope.Secure, webSecureStorageBackend),
+          encrypted: getWebSecureEncryptionStatus(webSecureStorageBackend),
+          hardwareBacked: "unavailable",
+          biometricProtected,
+          valueExposed: false,
+        };
+      },
+    );
+  },
+  getAllSecureMetadata: (): SecureStorageMetadata[] => {
+    return measureOperation(
+      "storage:getAllSecureMetadata",
+      StorageScope.Secure,
+      () => {
+        flushSecureWrites();
+        return WebStorage.getAllKeys(StorageScope.Secure).map((key) =>
+          storage.getSecureMetadata(key),
+        );
+      },
+    );
+  },
   getString: (key: string, scope: StorageScope): string | undefined => {
     return measureOperation("storage:getString", scope, () => {
       return getRawValue(key, scope);

package/src/storage-runtime.ts

@@ -19,6 +19,41 @@ export type StorageCapabilities = {
   errorClassification: boolean;
 };
 
+export type SecurityCapabilityStatus = "available" | "unavailable" | "unknown";
+
+export type SecurityCapabilities = {
+  platform: "native" | "web";
+  secureStorage: {
+    backend: string;
+    encrypted: SecurityCapabilityStatus;
+    accessControl: SecurityCapabilityStatus;
+    keychainAccessGroup: SecurityCapabilityStatus;
+    hardwareBacked: SecurityCapabilityStatus;
+  };
+  biometric: {
+    storage: SecurityCapabilityStatus;
+    prompt: SecurityCapabilityStatus;
+    biometryOnly: SecurityCapabilityStatus;
+    biometryOrPasscode: SecurityCapabilityStatus;
+  };
+  metadata: {
+    perKey: boolean;
+    listsWithoutValues: boolean;
+    persistsTimestamps: boolean;
+  };
+};
+
+export type SecureStorageMetadata = {
+  key: string;
+  exists: boolean;
+  kind: "secure" | "biometric" | "missing";
+  backend: string;
+  encrypted: SecurityCapabilityStatus;
+  hardwareBacked: SecurityCapabilityStatus;
+  biometricProtected: boolean;
+  valueExposed: false;
+};
+
 const STORAGE_ERROR_TAG_PATTERN = /\[nitro-error:([a-z_]+)\]/;
 
 export function getStorageErrorCode(