Signify to the server when Restore Credential passkeys are created. Don't show them in settins or passkey management UI, and delete from the server when the user signs out

cy245 · cy245 · commit 691285ea1a28 · 2025-07-29T14:04:12.000-04:00
diff --git a/Shrine/app/src/main/java/com/authentication/shrine/api/AuthApiService.kt b/Shrine/app/src/main/java/com/authentication/shrine/api/AuthApiService.kt
@@ -83,6 +83,8 @@ interface AuthApiService {
      * to complete the passkey registration.
      *
      * @param cookie The session cookie for authentication.
+     * @param type The type of credential. Only used to specify Restore Credential passkeys to the
+     * server.
      * @param requestBody The request body containing the client's attestation response
      *                    to the registration challenge.
      * @return A Retrofit {@link Response} wrapping a {@link GenericAuthResponse},
@@ -91,6 +93,7 @@ interface AuthApiService {
     @POST("webauthn/registerResponse")
     suspend fun registerResponse(
         @Header("Cookie") cookie: String,
+        @Query("type") type: String?,
         @Body requestBody: RegisterResponseRequestBody,
     ): Response<GenericAuthResponse>
 
diff --git a/Shrine/app/src/main/java/com/authentication/shrine/repository/AuthRepository.kt b/Shrine/app/src/main/java/com/authentication/shrine/repository/AuthRepository.kt
@@ -43,7 +43,6 @@ import com.authentication.shrine.utility.getSessionId
 import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialType
 import kotlinx.coroutines.flow.first
 import kotlinx.coroutines.flow.map
-import okhttp3.HttpUrl
 import org.json.JSONObject
 import javax.inject.Inject
 import javax.inject.Singleton
@@ -68,6 +67,10 @@ class AuthRepository @Inject constructor(
         val USERNAME = stringPreferencesKey("username")
         val IS_SIGNED_IN_THROUGH_PASSKEYS = booleanPreferencesKey("is_signed_passkeys")
         val SESSION_ID = stringPreferencesKey("session_id")
+        val RESTORE_KEY_CREDENTIAL_ID = stringPreferencesKey("restore_key_credential_id")
+
+        // Value for restore credential AuthApiService parameter
+        const val RESTORE_KEY_TYPE_PARAMETER = "rc"
 
         suspend fun <T> DataStore<Preferences>.read(key: Preferences.Key<T>): T? {
             return data.map { it[key] }.first()
@@ -175,6 +178,7 @@ class AuthRepository @Inject constructor(
             prefs.remove(USERNAME)
             prefs.remove(SESSION_ID)
             prefs.remove(IS_SIGNED_IN_THROUGH_PASSKEYS)
+            prefs.remove(RESTORE_KEY_CREDENTIAL_ID)
         }
     }
 
@@ -221,12 +225,16 @@ class AuthRepository @Inject constructor(
         credentialResponse: CreateCredentialResponse,
     ): Boolean {
         try {
+            // Field to pass as query parameter to authApiService.
+            val typeParam: String?
             val registrationResponseJson = when (credentialResponse) {
                 is CreatePublicKeyCredentialResponse -> {
+                    typeParam = null
                     JSONObject(credentialResponse.registrationResponseJson)
                 }
 
                 is CreateRestoreCredentialResponse -> {
+                    typeParam = RESTORE_KEY_TYPE_PARAMETER
                     JSONObject(credentialResponse.responseJson)
                 }
 
@@ -241,6 +249,7 @@ class AuthRepository @Inject constructor(
             if (!sessionId.isNullOrBlank()) {
                 val apiResult = authApiService.registerResponse(
                     cookie = sessionId.createCookieHeader(),
+                    type = typeParam,
                     requestBody = RegisterResponseRequestBody(
                         id = rawId,
                         type = PublicKeyCredentialType.PUBLIC_KEY.toString(),
@@ -253,10 +262,16 @@ class AuthRepository @Inject constructor(
                 )
                 if (apiResult.isSuccessful) {
                     dataStore.edit { prefs ->
+                        if (credentialResponse is CreateRestoreCredentialResponse) {
+                            val responseData = credentialResponse.data.getString(
+                                "androidx.credentials.BUNDLE_KEY_CREATE_RESTORE_CREDENTIAL_RESPONSE"
+                            )
+                            val responseJSON = JSONObject(responseData!!)
+                            val credentialId = responseJSON.getString("rawId")
+                            prefs[RESTORE_KEY_CREDENTIAL_ID] = credentialId
+                        }
                         apiResult.getSessionId()?.also {
                             prefs[SESSION_ID] = it
-                        } ?: run {
-                            signOut()
                         }
                     }
                     return true
@@ -469,4 +484,24 @@ class AuthRepository @Inject constructor(
         return false
     }
 
+    suspend fun deleteRestoreKeyFromServer(): Boolean {
+        val sessionId = dataStore.read(SESSION_ID)
+        val credentialId = dataStore.read(RESTORE_KEY_CREDENTIAL_ID)
+        // Construct endpoint for deleting passkeys.
+        try {
+            if (!sessionId.isNullOrEmpty() && !credentialId.isNullOrEmpty()) {
+                val response = authApiService.deletePasskey(
+                    cookie = sessionId.createCookieHeader(),
+                    credentialId = credentialId,
+                )
+                if (response.isSuccessful) {
+                    return true
+                }
+            }
+        }catch (e: Exception) {
+            Log.e(TAG, "Cannot call deleteRestoreKey", e)
+        }
+        return false
+    }
+
 }
diff --git a/Shrine/app/src/main/java/com/authentication/shrine/ui/PasskeyManagementScreen.kt b/Shrine/app/src/main/java/com/authentication/shrine/ui/PasskeyManagementScreen.kt
@@ -80,16 +80,20 @@ fun PasskeyManagementScreen(
     credentialManagerUtils: CredentialManagerUtils,
 ) {
     val uiState = viewModel.uiState.collectAsState().value
-    val onDeleteClicked = { credentialId: String -> viewModel.deletePasskey(credentialId) }
+    // remember is added to callbacks so LazyColumn doesn't recompose when each one loads
+    val onDeleteClicked =
+        remember { { credentialId: String -> viewModel.deletePasskey(credentialId) } }
     val context = LocalContext.current
-    val onCreatePasskeyClicked = {
-        viewModel.createPasskey(
-            { data ->
-                credentialManagerUtils.createPasskey(
-                    requestResult = data,
-                    context = context,
-                )
-            })
+    val onCreatePasskeyClicked = remember {
+        {
+            viewModel.createPasskey(
+                { data ->
+                    credentialManagerUtils.createPasskey(
+                        requestResult = data,
+                        context = context,
+                    )
+                })
+        }
     }
 
     PasskeyManagementScreen(
diff --git a/Shrine/app/src/main/java/com/authentication/shrine/ui/viewmodel/HomeViewModel.kt b/Shrine/app/src/main/java/com/authentication/shrine/ui/viewmodel/HomeViewModel.kt
@@ -42,8 +42,9 @@ class HomeViewModel @Inject constructor(
         deleteRestoreKey: suspend () -> Unit,
     ) {
         viewModelScope.launch {
-            repository.signOut()
             deleteRestoreKey()
+            repository.deleteRestoreKeyFromServer()
+            repository.signOut()
         }
     }
 }
diff --git a/Shrine/app/src/main/java/com/authentication/shrine/ui/viewmodel/PasskeyManagementViewModel.kt b/Shrine/app/src/main/java/com/authentication/shrine/ui/viewmodel/PasskeyManagementViewModel.kt
@@ -94,11 +94,13 @@ class PasskeyManagementViewModel @Inject constructor(
             try {
                 val data = authRepository.getListOfPasskeys()
                 if (data != null) {
+                    val filteredPasskeysList =
+                        data.credentials.filter({ passkey -> passkey.aaguid != RESTORE_CREDENTIAL_AAGUID })
                     _uiState.update {
                         it.copy(
                             isLoading = false,
-                            userHasPasskeys = data.credentials.isNotEmpty(),
-                            passkeysList = data.credentials,
+                            userHasPasskeys = filteredPasskeysList.isNotEmpty(),
+                            passkeysList = filteredPasskeysList,
                         )
                     }
                 } else {
@@ -142,12 +144,23 @@ class PasskeyManagementViewModel @Inject constructor(
                             authRepository.registerPasskeyCreationResponse(createPasskeyResponse.createPasskeyResponse)
                         if (isRegisterResponse) {
                             val passkeysList = authRepository.getListOfPasskeys()
-                            _uiState.update {
-                                it.copy(
-                                    isLoading = false,
-                                    passkeysList = passkeysList?.credentials ?: emptyList(),
-                                    messageResourceId = R.string.passkey_created
-                                )
+                            if (passkeysList != null) {
+                                val filteredPasskeysList =
+                                    passkeysList.credentials.filter({ passkey -> passkey.aaguid != RESTORE_CREDENTIAL_AAGUID })
+                                _uiState.update {
+                                    it.copy(
+                                        isLoading = false,
+                                        passkeysList = filteredPasskeysList,
+                                        messageResourceId = R.string.passkey_created
+                                    )
+                                }
+                            } else {
+                                _uiState.update {
+                                    it.copy(
+                                        isLoading = false,
+                                        messageResourceId = R.string.get_keys_error,
+                                    )
+                                }
                             }
                         } else {
                             _uiState.update {
@@ -202,13 +215,24 @@ class PasskeyManagementViewModel @Inject constructor(
                 if (authRepository.deletePasskey(credentialId)) {
                     // Refresh passkeys list after deleting a passkey
                     val data = authRepository.getListOfPasskeys()
-                    _uiState.update {
-                        it.copy(
-                            isLoading = false,
-                            userHasPasskeys = data?.credentials?.isNotEmpty() ?: false,
-                            passkeysList = data?.credentials ?: emptyList(),
-                            messageResourceId = R.string.delete_passkey_successful
-                        )
+                    if (data != null) {
+                        val filteredPasskeysList =
+                            data.credentials.filter({ passkey -> passkey.aaguid != RESTORE_CREDENTIAL_AAGUID })
+                        _uiState.update {
+                            it.copy(
+                                isLoading = false,
+                                userHasPasskeys = filteredPasskeysList.isNotEmpty(),
+                                passkeysList = filteredPasskeysList,
+                                messageResourceId = R.string.delete_passkey_successful
+                            )
+                        }
+                    } else {
+                        _uiState.update {
+                            it.copy(
+                                isLoading = false,
+                                messageResourceId = R.string.get_keys_error,
+                            )
+                        }
                     }
                 } else {
                     _uiState.update {
@@ -228,6 +252,10 @@ class PasskeyManagementViewModel @Inject constructor(
             }
         }
     }
+
+    companion object {
+        const val RESTORE_CREDENTIAL_AAGUID = "restore-credential"
+    }
 }
 
 /**
diff --git a/Shrine/app/src/main/java/com/authentication/shrine/ui/viewmodel/SettingsViewModel.kt b/Shrine/app/src/main/java/com/authentication/shrine/ui/viewmodel/SettingsViewModel.kt
@@ -21,6 +21,7 @@ import androidx.lifecycle.viewModelScope
 import com.authentication.shrine.R
 import com.authentication.shrine.model.PasskeyCredential
 import com.authentication.shrine.repository.AuthRepository
+import com.authentication.shrine.ui.viewmodel.PasskeyManagementViewModel.Companion.RESTORE_CREDENTIAL_AAGUID
 import dagger.hilt.android.lifecycle.HiltViewModel
 import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.asStateFlow
@@ -65,12 +66,14 @@ class SettingsViewModel @Inject constructor(
             try {
                 val data = authRepository.getListOfPasskeys()
                 if (data != null) {
+                    val filteredPasskeysList =
+                        data.credentials.filter({ passkey -> passkey.aaguid != RESTORE_CREDENTIAL_AAGUID })
                     _uiState.update {
                         it.copy(
                             isLoading = false,
-                            userHasPasskeys = data.credentials.isNotEmpty(),
+                            userHasPasskeys = filteredPasskeysList.isNotEmpty(),
                             username = authRepository.getUsername(),
-                            passkeysList = data.credentials,
+                            passkeysList = filteredPasskeysList,
                         )
                     }
                 } else {

Original file line number	Diff line number	Diff line change
`@@ -42,8 +42,9 @@ class HomeViewModel @Inject constructor(`
`42`	`42`	`deleteRestoreKey: suspend () -> Unit,`
`43`	`43`	`) {`
`44`	`44`	`viewModelScope.launch {`
`45`		`- repository.signOut()`
`46`	`45`	`deleteRestoreKey()`
	`46`	`+ repository.deleteRestoreKeyFromServer()`
	`47`	`+ repository.signOut()`
`47`	`48`	`}`
`48`	`49`	`}`
`49`	`50`	`}`