Add cross-platform enhancements and legacy device credential support

Expanded Apple platform support in the podspec and Swift implementation to include macOS, watchOS, and visionOS. Refactored Android biometric authentication to support legacy device credential prompts on pre-Android 10 devices via a new DeviceCredentialPromptFragment. Improved coroutine handling, code documentation, and metadata consistency across platforms. Updated TypeScript types and documentation to clarify cross-platform behavior and security tier downgrades.

Author: mCodex

SensitiveInfo.podspec

@@ -10,7 +10,12 @@ Pod::Spec.new do |s|
   s.license      = package["license"]
   s.authors      = package["author"]
 
-  s.platforms    = { :ios => min_ios_version_supported, :visionos => 1.0 }
+  s.platforms    = {
+    :ios => min_ios_version_supported,
+    :osx => '11.0',
+    :watchos => '7.0',
+    :visionos => '1.0'
+  }
   s.source       = { :git => "https://github.com/mateusandrade/react-native-sensitive-info.git", :tag => "#{s.version}" }
 
   s.source_files = [
@@ -27,5 +32,6 @@ Pod::Spec.new do |s|
 
   s.dependency 'React-jsi'
   s.dependency 'React-callinvoker'
+  s.frameworks = ['LocalAuthentication', 'Security']
   install_modules_dependencies(s)
 end

…com/sensitiveinfo/HybridSensitiveInfo.kt …tro/sensitiveinfo/HybridSensitiveInfo.ktandroid/src/main/java/com/sensitiveinfo/HybridSensitiveInfo.kt renamed to android/src/main/java/com/margelo/nitro/sensitiveinfo/HybridSensitiveInfo.kt android/src/main/java/com/sensitiveinfo/HybridSensitiveInfo.kt renamed to android/src/main/java/com/margelo/nitro/sensitiveinfo/HybridSensitiveInfo.kt

@@ -1,5 +1,6 @@
-package com.sensitiveinfo
+package com.margelo.nitro.sensitiveinfo
 
+import androidx.annotation.Keep
 import com.margelo.nitro.core.Promise
 import com.margelo.nitro.sensitiveinfo.AccessControl
 import com.margelo.nitro.sensitiveinfo.AuthenticationPrompt
@@ -47,6 +48,7 @@ import kotlin.text.Charsets
  * The class resolves the appropriate storage backend, encrypts values with the Android Keystore,
  * and keeps metadata so JavaScript consumers always know which security tier saved an entry.
  */
+@Keep
 class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
     private val applicationContext get() = ReactContextHolder.requireContext()
 
@@ -57,21 +59,29 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
     private val authenticator by lazy { BiometricAuthenticator() }
     private val cryptoManager by lazy { CryptoManager(authenticator) }
 
+    private fun resolveService(service: String?): String = serviceResolver.resolve(service)
+
+    /** Dispatches a block to the IO dispatcher while keeping call-sites succinct. */
+    private suspend fun <T> io(block: suspend () -> T): T = withContext(Dispatchers.IO) { block() }
+
+    /** Wrapper that fetches an entry from disk using the canonical dispatcher. */
+    private suspend fun readEntry(service: String, key: String): PersistedEntry? = io {
+        storage.read(service, key)
+    }
+
     /**
      * Encrypts and stores a secret for the requested service/key pair.
      *
      * @return Metadata describing the security level used, mirroring the JS `MutationResult` type.
      */
     override fun setItem(request: SensitiveInfoSetRequest): Promise<MutationResult> {
         return Promise.async {
-            val service = serviceResolver.resolve(request.service)
+            val service = resolveService(request.service)
             val strongOnly = request.androidBiometricsStrongOnly == true
             val resolution = accessControlResolver.resolve(request.accessControl, strongOnly)
             val alias = AliasGenerator.create(service, resolution.signature)
 
-            val previousEntry = withContext(Dispatchers.IO) {
-                storage.read(service, request.key)
-            }
+            val previousEntry = readEntry(service, request.key)
 
             val metadata = StorageMetadata(
                 securityLevel = resolution.securityLevel,
@@ -98,9 +108,7 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
                 useStrongBox = resolution.useStrongBox
             )
 
-            withContext(Dispatchers.IO) {
-                storage.save(service, request.key, persisted)
-            }
+            io { storage.save(service, request.key, persisted) }
 
             if (previousEntry != null && previousEntry.alias != alias) {
                 maybeDeleteAlias(service, previousEntry.alias)
@@ -116,9 +124,9 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
     override fun getItem(request: SensitiveInfoGetRequest): Promise<SensitiveInfoItem?> {
         return Promise.async {
             val includeValue = request.includeValue ?: true
-            val service = serviceResolver.resolve(request.service)
-                        val entry = withContext(Dispatchers.IO) { storage.read(service, request.key) }
-                            ?: throw SensitiveInfoException.NotFound(request.key, service)
+            val service = resolveService(request.service)
+            val entry = readEntry(service, request.key)
+                ?: throw SensitiveInfoException.NotFound(request.key, service)
 
             val metadata = entry.metadata.toStorageMetadata() ?: fallbackMetadata(entry)
 
@@ -142,9 +150,9 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
      */
     override fun deleteItem(request: SensitiveInfoDeleteRequest): Promise<Boolean> {
         return Promise.async {
-            val service = serviceResolver.resolve(request.service)
-            val existing = withContext(Dispatchers.IO) { storage.read(service, request.key) }
-            val removed = withContext(Dispatchers.IO) { storage.delete(service, request.key) }
+            val service = resolveService(request.service)
+            val existing = readEntry(service, request.key)
+            val removed = io { storage.delete(service, request.key) }
             if (removed && existing != null) {
                 maybeDeleteAlias(service, existing.alias)
             }
@@ -157,21 +165,23 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
      */
     override fun hasItem(request: SensitiveInfoHasRequest): Promise<Boolean> {
         return Promise.async {
-            val service = serviceResolver.resolve(request.service)
-            withContext(Dispatchers.IO) {
-                storage.contains(service, request.key)
-            }
+            val service = resolveService(request.service)
+            io { storage.contains(service, request.key) }
         }
     }
 
     /**
-     * Enumerates every entry in a service. When `includeValues` is false the secrets stay encrypted.
+        * Enumerates every entry in a service. When `includeValues` is false the secrets stay encrypted.
+        *
+        * ```ts
+        * const items = await SensitiveInfo.getAllItems({ service: 'vault', includeValues: true })
+        * ```
      */
     override fun getAllItems(request: SensitiveInfoEnumerateRequest?): Promise<Array<SensitiveInfoItem>> {
         return Promise.async {
             val includeValues = request?.includeValues == true
-            val service = serviceResolver.resolve(request?.service)
-            val items = withContext(Dispatchers.IO) { storage.readAll(service) }
+            val service = resolveService(request?.service)
+            val items = io { storage.readAll(service) }
 
             val result = items.mapNotNull { (key, entry) ->
                 val metadata = entry.metadata.toStorageMetadata() ?: fallbackMetadata(entry)
@@ -198,11 +208,9 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
      */
     override fun clearService(request: SensitiveInfoOptions?): Promise<Unit> {
         return Promise.async {
-            val service = serviceResolver.resolve(request?.service)
-            val existing = withContext(Dispatchers.IO) { storage.readAll(service) }
-            withContext(Dispatchers.IO) {
-                storage.clear(service)
-            }
+            val service = resolveService(request?.service)
+            val existing = io { storage.readAll(service) }
+            io { storage.clear(service) }
             existing.map { it.second.alias }
                 .distinct()
                 .forEach { alias -> cryptoManager.deleteKey(alias) }
@@ -220,6 +228,10 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
         return Promise.resolved(snapshot)
     }
 
+    /**
+     * Rehydrates a ciphertext/IV pair using the alias captured in the persisted metadata. When the
+     * item requires user presence the associated biometric/device-credential prompt is displayed.
+     */
     private suspend fun decryptValue(
         entry: PersistedEntry,
         metadata: StorageMetadata,
@@ -247,6 +259,7 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
         return String(decrypted, Charsets.UTF_8)
     }
 
+    /** Fallback metadata path used when a legacy record predates the richer JSON payload. */
     private fun fallbackMetadata(entry: PersistedEntry): StorageMetadata {
         val accessControl = accessControlFromPersisted(entry.metadata.accessControl) ?: AccessControl.NONE
         val backend = storageBackendFromPersisted(entry.metadata.backend) ?: StorageBackend.ANDROIDKEYSTORE
@@ -270,8 +283,13 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
 
     private fun nowSeconds(): Double = System.currentTimeMillis() / 1000.0
 
+    /**
+     * Deletes the keystore alias once there are no persisted entries referencing it anymore. We
+     * keep this work off the main thread as SharedPreferences iteration can be slow on older
+     * devices.
+     */
     private suspend fun maybeDeleteAlias(service: String, alias: String) {
-        val remaining = withContext(Dispatchers.IO) { storage.readAll(service) }
+        val remaining = io { storage.readAll(service) }
         val stillReferenced = remaining.any { (_, entry) -> entry.alias == alias }
         if (!stillReferenced) {
             cryptoManager.deleteKey(alias)

android/src/main/java/com/sensitiveinfo/SensitiveInfoPackage.kt

@@ -1,21 +1,18 @@
 package com.sensitiveinfo
 
-import com.facebook.react.TurboReactPackage
 import com.facebook.react.bridge.NativeModule
 import com.facebook.react.bridge.ReactApplicationContext
-import com.facebook.react.module.model.ReactModuleInfoProvider
+import com.facebook.react.ReactPackage
 import com.facebook.react.uimanager.ViewManager
 import com.margelo.nitro.sensitiveinfo.SensitiveInfoOnLoad
 import com.sensitiveinfo.internal.util.ReactContextHolder
 
-class SensitiveInfoPackage : TurboReactPackage() {
-  override fun getModule(name: String, reactContext: ReactApplicationContext): NativeModule? {
+class SensitiveInfoPackage : ReactPackage {
+  override fun createNativeModules(reactContext: ReactApplicationContext): List<NativeModule> {
     ReactContextHolder.install(reactContext)
-    return null
+    return emptyList()
   }
 
-  override fun getReactModuleInfoProvider(): ReactModuleInfoProvider = ReactModuleInfoProvider { emptyMap() }
-
   override fun createViewManagers(reactContext: ReactApplicationContext): List<ViewManager<*, *>> {
     ReactContextHolder.install(reactContext)
     return emptyList()

android/src/main/java/com/sensitiveinfo/internal/auth/BiometricAuthenticator.kt

@@ -11,6 +11,7 @@ import kotlinx.coroutines.suspendCancellableCoroutine
 import kotlinx.coroutines.withContext
 import com.sensitiveinfo.internal.util.ReactContextHolder
 import javax.crypto.Cipher
+import kotlin.coroutines.cancellation.CancellationException
 import kotlin.coroutines.resume
 import kotlin.coroutines.resumeWithException
 
@@ -22,55 +23,107 @@ import kotlin.coroutines.resumeWithException
  * the surface used by the Nitro Promise bridge.
  */
 internal class BiometricAuthenticator {
+  private val applicationContext get() = ReactContextHolder.requireContext()
+
+  /**
+   * Prompts the user for biometric/device-credential authentication and returns the cipher once it
+   * can be used. The coroutine cooperatively cancels when the caller abandons the operation.
+   */
   suspend fun authenticate(
     prompt: AuthenticationPrompt?,
     allowedAuthenticators: Int,
-    cipher: Cipher
-  ): Cipher {
+    cipher: Cipher?
+  ): Cipher? {
     val activity = currentFragmentActivity()
-    return withContext(Dispatchers.Main) {
-      suspendCancellableCoroutine { continuation ->
-        val executor = ContextCompat.getMainExecutor(activity)
-        val promptInfo = buildPromptInfo(prompt, allowedAuthenticators)
-        val biometricPrompt = BiometricPrompt(activity, executor, object : BiometricPrompt.AuthenticationCallback() {
-          override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
-            val authCipher = result.cryptoObject?.cipher
-              ?: return continuation.resumeWithException(IllegalStateException("Missing cipher from authentication result."))
-            continuation.resume(authCipher)
-          }
+    val effectivePrompt = prompt ?: AuthenticationPrompt(DEFAULT_TITLE, null, null, DEFAULT_CANCEL)
+    val allowDeviceCredential = allowedAuthenticators and BiometricManager.Authenticators.DEVICE_CREDENTIAL != 0
+    val supportsInlineDeviceCredential = allowDeviceCredential && Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
+    val allowLegacyDeviceCredential = allowDeviceCredential && Build.VERSION.SDK_INT < Build.VERSION_CODES.Q
 
-          override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
-            if (errorCode == BiometricPrompt.ERROR_CANCELED ||
-              errorCode == BiometricPrompt.ERROR_USER_CANCELED ||
-              errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON
-            ) {
-              continuation.cancel()
-            } else {
-              continuation.resumeWithException(IllegalStateException(errString.toString()))
+    return withContext(Dispatchers.Main) {
+      if (cipher == null && allowLegacyDeviceCredential && !canUseBiometric()) {
+        if (DeviceCredentialPromptFragment.authenticate(activity, effectivePrompt)) {
+          cipher
+        } else {
+          throw IllegalStateException("Device credential authentication canceled.")
+        }
+      } else {
+        try {
+          authenticateWithBiometricPrompt(
+            activity = activity,
+            prompt = effectivePrompt,
+            allowedAuthenticators = allowedAuthenticators,
+            supportsInlineDeviceCredential = supportsInlineDeviceCredential,
+            cipher = cipher
+          )
+        } catch (error: Throwable) {
+          if (error is CancellationException) throw error
+          if (allowLegacyDeviceCredential) {
+            if (DeviceCredentialPromptFragment.authenticate(activity, effectivePrompt)) {
+              return@withContext cipher
             }
           }
+          throw error
+        }
+      }
+    }
+  }
+
+  private suspend fun authenticateWithBiometricPrompt(
+    activity: FragmentActivity,
+    prompt: AuthenticationPrompt,
+    allowedAuthenticators: Int,
+    supportsInlineDeviceCredential: Boolean,
+    cipher: Cipher?
+  ): Cipher? {
+    return suspendCancellableCoroutine { continuation ->
+      val executor = ContextCompat.getMainExecutor(activity)
+      val promptInfo = buildPromptInfo(prompt, allowedAuthenticators, supportsInlineDeviceCredential)
+      val biometricPrompt = BiometricPrompt(activity, executor, object : BiometricPrompt.AuthenticationCallback() {
+        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
+          val authCipher = result.cryptoObject?.cipher ?: cipher
+          continuation.resume(authCipher)
+        }
 
-          override fun onAuthenticationFailed() {
-            // Keep waiting for a successful attempt.
+        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
+          if (errorCode == BiometricPrompt.ERROR_CANCELED ||
+            errorCode == BiometricPrompt.ERROR_USER_CANCELED ||
+            errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON
+          ) {
+            continuation.cancel()
+          } else {
+            continuation.resumeWithException(IllegalStateException(errString.toString()))
           }
-        })
+        }
 
-        continuation.invokeOnCancellation {
-          biometricPrompt.cancelAuthentication()
+        override fun onAuthenticationFailed() {
+          // Keep waiting for another attempt.
         }
+      })
+
+      continuation.invokeOnCancellation {
+        biometricPrompt.cancelAuthentication()
+      }
 
+      if (cipher != null) {
         val cryptoObject = BiometricPrompt.CryptoObject(cipher)
         biometricPrompt.authenticate(promptInfo, cryptoObject)
+      } else {
+        biometricPrompt.authenticate(promptInfo)
       }
     }
   }
 
-  private fun buildPromptInfo(prompt: AuthenticationPrompt?, allowedAuthenticators: Int): BiometricPrompt.PromptInfo {
+  private fun buildPromptInfo(
+    prompt: AuthenticationPrompt,
+    allowedAuthenticators: Int,
+    supportsInlineDeviceCredential: Boolean
+  ): BiometricPrompt.PromptInfo {
     val builder = BiometricPrompt.PromptInfo.Builder()
-      .setTitle(prompt?.title ?: DEFAULT_TITLE)
+      .setTitle(prompt.title)
 
-    prompt?.subtitle?.let(builder::setSubtitle)
-    prompt?.description?.let(builder::setDescription)
+    prompt.subtitle?.let(builder::setSubtitle)
+    prompt.description?.let(builder::setDescription)
 
     var promptAuthenticators = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
       allowedAuthenticators
@@ -87,20 +140,35 @@ internal class BiometricAuthenticator {
     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
       builder.setAllowedAuthenticators(promptAuthenticators)
       if (!allowsDeviceCredential) {
-        builder.setNegativeButtonText(prompt?.cancel ?: DEFAULT_CANCEL)
+        builder.setNegativeButtonText(prompt.cancel ?: DEFAULT_CANCEL)
       }
     } else {
-      if (allowsDeviceCredential) {
+      if (allowsDeviceCredential && supportsInlineDeviceCredential && Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
         @Suppress("DEPRECATION")
         builder.setDeviceCredentialAllowed(true)
       } else {
-        builder.setNegativeButtonText(prompt?.cancel ?: DEFAULT_CANCEL)
+        builder.setNegativeButtonText(prompt.cancel ?: DEFAULT_CANCEL)
       }
     }
 
     return builder.build()
   }
 
+  private fun canUseBiometric(): Boolean {
+    val biometricManager = BiometricManager.from(applicationContext)
+    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+      val strong = biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)
+      if (strong == BiometricManager.BIOMETRIC_SUCCESS) {
+        true
+      } else {
+        biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_WEAK) == BiometricManager.BIOMETRIC_SUCCESS
+      }
+    } else {
+      @Suppress("DEPRECATION")
+      biometricManager.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS
+    }
+  }
+
   private fun currentFragmentActivity(): FragmentActivity {
     val activity = ReactContextHolder.currentActivity()
       ?: throw IllegalStateException("Unable to show authentication prompt: no active React activity.")