feat: isPasscodeAuthAvailable (#743)

Author: DorianMazur

android/src/main/java/com/oblador/keychain/DeviceAvailability.kt

@@ -28,10 +28,14 @@ object DeviceAvailability {
       BiometricManager.BIOMETRIC_SUCCESS
   }
 
-  fun isDeviceCredentialAuthAvailable(context: Context): Boolean {
-    return BiometricManager.from(context)
-      .canAuthenticate(BiometricManager.Authenticators.DEVICE_CREDENTIAL) ==
-      BiometricManager.BIOMETRIC_SUCCESS && Build.VERSION.SDK_INT >= Build.VERSION_CODES.R
+  fun isDevicePasscodeAvailable(context: Context): Boolean {
+    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+      BiometricManager.from(context)
+        .canAuthenticate(BiometricManager.Authenticators.DEVICE_CREDENTIAL) ==
+        BiometricManager.BIOMETRIC_SUCCESS
+    } else {
+      false
+    }
   }
 
   fun isFingerprintAuthAvailable(context: Context): Boolean {

android/src/main/java/com/oblador/keychain/KeychainModule.kt

@@ -186,7 +186,11 @@ class KeychainModule(reactContext: ReactApplicationContext) :
           val level = getSecurityLevelOrDefault(options)
           val storage = getSelectedStorage(options)
           throwIfInsufficientLevel(storage, level)
-          val promptInfo = getPromptInfo(options)
+          val accessControl = getAccessControlOrDefault(options)
+          val usePasscode = getUsePasscode(accessControl) && isPasscodeAvailable
+          val useBiometry =
+            getUseBiometry(accessControl) && (isFingerprintAuthAvailable || isFaceAuthAvailable || isIrisAuthAvailable)
+          val promptInfo = getPromptInfo(options, usePasscode, useBiometry)
           val result =
             encryptToResult(alias, storage, username, password, level, promptInfo)
           prefsStorage.storeEncryptedEntry(alias, result)
@@ -249,7 +253,11 @@ class KeychainModule(reactContext: ReactApplicationContext) :
             return@launch
           }
           val storageName = resultSet.cipherStorageName
-          val promptInfo = getPromptInfo(options)
+          val accessControl = getAccessControlOrDefault(options)
+          val usePasscode = getUsePasscode(accessControl) && isPasscodeAvailable
+          val useBiometry =
+            getUseBiometry(accessControl) && (isFingerprintAuthAvailable || isFaceAuthAvailable || isIrisAuthAvailable)
+          val promptInfo = getPromptInfo(options, usePasscode, useBiometry)
           val cipher = getCipherStorageByName(storageName)
           val decryptionResult =
             decryptCredentials(alias, cipher!!, resultSet, promptInfo)
@@ -295,9 +303,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
     for (cipher in ciphers) {
       val aliases = cipher!!.getAllKeys()
       for (alias in aliases) {
-        if (alias != WARMING_UP_ALIAS) {
-          result.add(alias)
-        }
+        result.add(alias)
       }
     }
     return result
@@ -384,6 +390,17 @@ class KeychainModule(reactContext: ReactApplicationContext) :
     resetGenericPassword(alias, promise)
   }
 
+  @ReactMethod
+  fun isPasscodeAuthAvailable(promise: Promise) {
+    try {
+      val reply: Boolean = DeviceAvailability.isDevicePasscodeAvailable(reactApplicationContext)
+      promise.resolve(reply)
+    } catch (fail: Throwable) {
+      Log.e(KEYCHAIN_MODULE, fail.message, fail)
+      promise.reject(Errors.E_UNKNOWN_ERROR, fail)
+    }
+  }
+
   @ReactMethod
   fun getSupportedBiometryType(promise: Promise) {
     try {
@@ -542,14 +559,6 @@ class KeychainModule(reactContext: ReactApplicationContext) :
     oldCipherStorage.removeKey(service)
   }
 
-  @get:Throws(CryptoFailedException::class)
-  val cipherStorageForCurrentAPILevel: CipherStorage
-    /**
-     * The "Current" CipherStorage is the cipherStorage with the highest API level that is lower
-     * than or equal to the current API level
-     */
-    get() = getCipherStorageForCurrentAPILevel(true, true)
-
   /**
    * The "Current" CipherStorage is the cipherStorage with the highest API level that is lower than
    * or equal to the current API level. Parameter allow to reduce level.
@@ -620,7 +629,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
 
   val isPasscodeAvailable: Boolean
     /** Is secured hardware a part of current storage or not. */
-    get() = DeviceAvailability.isDeviceCredentialAuthAvailable(reactApplicationContext)
+    get() = DeviceAvailability.isDevicePasscodeAvailable(reactApplicationContext)
 
   /** Resolve storage to security level it provides. */
   private fun getSecurityLevel(useBiometry: Boolean, usePasscode: Boolean): SecurityLevel {
@@ -646,7 +655,6 @@ class KeychainModule(reactContext: ReactApplicationContext) :
     const val FACE_SUPPORTED_NAME = "Face"
     const val IRIS_SUPPORTED_NAME = "Iris"
     const val EMPTY_STRING = ""
-    const val WARMING_UP_ALIAS = "warmingUp"
     private val LOG_TAG = KeychainModule::class.java.simpleName
 
 
@@ -731,10 +739,11 @@ class KeychainModule(reactContext: ReactApplicationContext) :
     }
 
     /** Extract user specified prompt info from options. */
-    private fun getPromptInfo(options: ReadableMap?): PromptInfo {
-      val accessControl = getAccessControlOrDefault(options)
-      val usePasscode = getUsePasscode(accessControl)
-      val useBiometry = getUseBiometry(accessControl)
+    private fun getPromptInfo(
+      options: ReadableMap?,
+      usePasscode: Boolean,
+      useBiometry: Boolean
+    ): PromptInfo {
       val promptInfoOptionsMap =
         if (options != null && options.hasKey(Maps.AUTH_PROMPT)) options.getMap(Maps.AUTH_PROMPT)
         else null
@@ -750,22 +759,20 @@ class KeychainModule(reactContext: ReactApplicationContext) :
         promptInfoBuilder.setDescription(it)
       }
 
-      val allowedAuthenticators = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
-        when {
-          usePasscode && useBiometry ->
-            BiometricManager.Authenticators.BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL
+      val allowedAuthenticators = when {
+        usePasscode && useBiometry ->
+          BiometricManager.Authenticators.BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL
 
-          usePasscode ->
-            BiometricManager.Authenticators.DEVICE_CREDENTIAL
+        usePasscode ->
+          BiometricManager.Authenticators.DEVICE_CREDENTIAL
 
-          else ->
-            BiometricManager.Authenticators.BIOMETRIC_STRONG
-        }
-      } else {
-        BiometricManager.Authenticators.BIOMETRIC_STRONG
+        else ->
+          null
       }
 
-      promptInfoBuilder.setAllowedAuthenticators(allowedAuthenticators)
+      if (allowedAuthenticators != null) {
+        promptInfoBuilder.setAllowedAuthenticators(allowedAuthenticators)
+      }
 
       if (!usePasscode) {
         promptInfoOptionsMap?.getString(AuthPromptOptions.CANCEL)?.let {

android/src/main/java/com/oblador/keychain/cipherStorage/CipherCache.kt

@@ -11,26 +11,23 @@ import javax.crypto.NoSuchPaddingException
  */
 object CipherCache {
     private val LOG_TAG = CipherCache::class.java.simpleName
-    
+
     private val cipherCache = ThreadLocal<MutableMap<String, Cipher>>()
 
     /**
      * Gets or creates a Cipher instance for the specified transformation.
      * This method is thread-safe and caches Cipher instances per thread.
      *
      * @param transformation The name of the transformation, e.g., "AES/CBC/PKCS7Padding"
-     * @param prefix An optional identifier added to the cache key to distinguish between different uses of the same transformation.
-     *              The prefix only affects how the cipher is stored in the cache and does not modify the cipher's behavior.
      * @return A Cipher instance for the requested transformation
      * @throws NoSuchAlgorithmException if the transformation algorithm is not available
      * @throws NoSuchPaddingException if the padding scheme is not available
      */
     @Throws(NoSuchAlgorithmException::class, NoSuchPaddingException::class)
-    fun getCipher(transformation: String, prefix: String? = null): Cipher {
+    fun getCipher(transformation: String): Cipher {
         return synchronized(this) {
-            val cacheKey = prefix?.let { "${it}_$transformation" } ?: transformation
             (cipherCache.get() ?: mutableMapOf<String, Cipher>().also { cipherCache.set(it) })
-                .getOrPut(cacheKey) { Cipher.getInstance(transformation) }
+                .getOrPut(transformation) { Cipher.getInstance(transformation) }
         }
     }
 

ios/RNKeychainManager/RNKeychainManager.m

@@ -398,6 +398,22 @@ - (OSStatus)deleteCredentialsForServer:(NSString *)server withOptions:(NSDiction
 }
 #endif
 
+#if TARGET_OS_IOS
+RCT_EXPORT_METHOD(isPasscodeAuthAvailable:(RCTPromiseResolveBlock)resolve
+                  rejecter:(RCTPromiseRejectBlock)reject)
+{
+  NSError *aerr = nil;
+  LAContext *context = [LAContext new];
+  BOOL canBeProtected = [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:&aerr];
+
+  if (!aerr && canBeProtected) {
+    return resolve(@(YES));
+  }
+
+  return resolve(@(NO));
+}
+#endif
+
 #if TARGET_OS_IOS || TARGET_OS_VISION
 RCT_EXPORT_METHOD(getSupportedBiometryType:(RCTPromiseResolveBlock)resolve
                   rejecter:(RCTPromiseRejectBlock)reject)

src/index.ts

@@ -350,6 +350,24 @@ export function getSecurityLevel(
   return RNKeychainManager.getSecurityLevel(options);
 }
 
+/**
+ * Checks if passcode authentication is available on the current device.
+ *
+ * @returns {Promise<boolean>} Resolves to `true` if passcode authentication is available, otherwise `false`.
+ *
+ * @example
+ * ```typescript
+ * const isAvailable = await Keychain.isPasscodeAuthAvailable();
+ * console.log('Passcode authentication available:', isAvailable);
+ * ```
+ */
+export function isPasscodeAuthAvailable(): Promise<boolean> {
+  if (!RNKeychainManager.isPasscodeAuthAvailable) {
+    return Promise.resolve(false);
+  }
+  return RNKeychainManager.isPasscodeAuthAvailable();
+}
+
 export * from './enums';
 export * from './types';
 /** @ignore */
@@ -364,6 +382,7 @@ export default {
   canImplyAuthentication,
   getSupportedBiometryType,
   setInternetCredentials,
+  isPasscodeAuthAvailable,
   getInternetCredentials,
   resetInternetCredentials,
   setGenericPassword,

src/types.ts

@@ -43,7 +43,6 @@ export type BaseOptions = {
   accessGroup?: string;
 };
 
-/** Base options for keychain functions. */
 export type SetOptions = {
   /** Specifies when a keychain item is accessible.
    * @platform iOS, visionOS