[Breaking Change] Add allowedAuthenticatorsOn{Enable,Authenticate}

Author: louischan-oursky

packages/authgear-capacitor/android/src/main/java/com/authgear/capacitor/Authgear.java

@@ -237,19 +237,19 @@ JSONObject getDeviceInfo(Context ctx) throws Exception {
         return rootMap;
     }
 
-    int checkBiometricSupported(Context ctx, int flags) throws Exception {
+    int checkBiometricSupported(Context ctx, int allowedAuthenticatorsOnEnableFlags, int allowedAuthenticatorsOnAuthenticateFlags) throws Exception {
         if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
             throw this.makeBiometricMinimumAPILevelException();
         }
 
         BiometricManager manager = BiometricManager.from(ctx);
-        int result = manager.canAuthenticate(flags);
+        int result = manager.canAuthenticate(allowedAuthenticatorsOnEnableFlags);
 
         if (result == BiometricManager.BIOMETRIC_SUCCESS) {
             // Further test if the key pair generator can be initialized.
             // https://issuetracker.google.com/issues/147374428#comment9
             try {
-                this.createKeyPairGenerator(this.makeGenerateKeyPairSpec("__test__", true, flags, true));
+                this.createKeyPairGenerator(this.makeGenerateKeyPairSpec("__test__", true, allowedAuthenticatorsOnAuthenticateFlags, true));
             } catch (Exception e) {
                 // This branch is reachable only when there is a weak face and no strong fingerprints.
                 // So we treat this situation as BIOMETRIC_ERROR_NONE_ENROLLED.
@@ -266,11 +266,11 @@ void createBiometricPrivateKey(AppCompatActivity activity, BiometricOptions opti
             throw this.makeBiometricMinimumAPILevelException();
         }
 
-        BiometricPrompt.PromptInfo promptInfo = this.buildPromptInfo(options);
+        BiometricPrompt.PromptInfo promptInfo = this.buildPromptInfo(options, options.allowedAuthenticatorsOnEnableFlags);
         KeyGenParameterSpec spec = this.makeGenerateKeyPairSpec(
                 options.alias,
                 true,
-                this.authenticatorTypesToKeyProperties(options.flags),
+                this.authenticatorTypesToKeyProperties(options.allowedAuthenticatorsOnAuthenticateFlags),
                 options.invalidatedByBiometricEnrollment
         );
         KeyPair keyPair = this.createKeyPair(spec);
@@ -289,7 +289,7 @@ void signWithBiometricPrivateKey(AppCompatActivity activity, BiometricOptions op
             throw this.makeBiometricMinimumAPILevelException();
         }
 
-        BiometricPrompt.PromptInfo promptInfo = this.buildPromptInfo(options);
+        BiometricPrompt.PromptInfo promptInfo = this.buildPromptInfo(options, options.allowedAuthenticatorsOnAuthenticateFlags);
         KeyPair keyPair = this.getPrivateKey(options.alias);
         this.signBiometricJWT(
                 activity,
@@ -435,14 +435,15 @@ private KeyPair getPrivateKey(String alias) throws Exception {
     }
 
     private BiometricPrompt.PromptInfo buildPromptInfo(
-            BiometricOptions options
+            BiometricOptions options,
+            int flags
     ) {
         BiometricPrompt.PromptInfo.Builder builder = new BiometricPrompt.PromptInfo.Builder();
         builder.setTitle(options.title);
         builder.setSubtitle(options.subtitle);
         builder.setDescription(options.description);
-        builder.setAllowedAuthenticators(options.flags);
-        if ((options.flags & BiometricManager.Authenticators.DEVICE_CREDENTIAL) == 0) {
+        builder.setAllowedAuthenticators(flags);
+        if ((flags & BiometricManager.Authenticators.DEVICE_CREDENTIAL) == 0) {
             builder.setNegativeButtonText(options.negativeButtonText);
         }
         return builder.build();

packages/authgear-capacitor/android/src/main/java/com/authgear/capacitor/AuthgearPlugin.java

@@ -189,12 +189,14 @@ private void handleOpenAuthorizeURLWithWebView(PluginCall call, ActivityResult a
     @PluginMethod
     public void checkBiometricSupported(PluginCall call) {
         JSObject android = call.getObject("android");
-        JSONArray constraint = this.jsObjectGetArray(android, "constraint");
-        int flags = this.constraintToFlag(constraint);
+        JSONArray allowedAuthenticatorsOnEnable = this.jsObjectGetArray(android, "allowedAuthenticatorsOnEnable");
+        JSONArray allowedAuthenticatorsOnAuthenticate = this.jsObjectGetArray(android, "allowedAuthenticatorsOnAuthenticate");
+        int allowedAuthenticatorsOnEnableFlags = this.constraintToFlag(allowedAuthenticatorsOnEnable);
+        int allowedAuthenticatorsOnAuthenticateFlags = this.constraintToFlag(allowedAuthenticatorsOnAuthenticate);
 
         Context ctx = this.getContext();
         try {
-            int result = this.implementation.checkBiometricSupported(ctx, flags);
+            int result = this.implementation.checkBiometricSupported(ctx, allowedAuthenticatorsOnEnableFlags, allowedAuthenticatorsOnAuthenticateFlags);
             if (result == BiometricManager.BIOMETRIC_SUCCESS) {
                 call.resolve();
             } else {
@@ -214,19 +216,23 @@ public void createBiometricPrivateKey(PluginCall call) {
         String kid = call.getString("kid");
         String alias = "com.authgear.keys.biometric." + kid;
         JSObject android = call.getObject("android");
-        JSONArray constraint = this.jsObjectGetArray(android, "constraint");
         boolean invalidatedByBiometricEnrollment = android.getBool("invalidatedByBiometricEnrollment");
-        int flags = this.constraintToFlag(constraint);
         String title = android.getString("title");
         String subtitle = android.getString("subtitle");
         String description = android.getString("description");
         String negativeButtonText = android.getString("negativeButtonText");
 
+        JSONArray allowedAuthenticatorsOnEnable = this.jsObjectGetArray(android, "allowedAuthenticatorsOnEnable");
+        JSONArray allowedAuthenticatorsOnAuthenticate = this.jsObjectGetArray(android, "allowedAuthenticatorsOnAuthenticate");
+        int allowedAuthenticatorsOnEnableFlags = this.constraintToFlag(allowedAuthenticatorsOnEnable);
+        int allowedAuthenticatorsOnAuthenticateFlags = this.constraintToFlag(allowedAuthenticatorsOnAuthenticate);
+
         BiometricOptions options = new BiometricOptions();
         options.payload = payload;
         options.kid = kid;
         options.alias = alias;
-        options.flags = flags;
+        options.allowedAuthenticatorsOnEnableFlags = allowedAuthenticatorsOnEnableFlags;
+        options.allowedAuthenticatorsOnAuthenticateFlags = allowedAuthenticatorsOnAuthenticateFlags;
         options.invalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
         options.title = title;
         options.subtitle = subtitle;
@@ -269,19 +275,23 @@ public void signWithBiometricPrivateKey(PluginCall call) {
         String kid = call.getString("kid");
         String alias = "com.authgear.keys.biometric." + kid;
         JSObject android = call.getObject("android");
-        JSONArray constraint = this.jsObjectGetArray(android, "constraint");
         boolean invalidatedByBiometricEnrollment = android.getBool("invalidatedByBiometricEnrollment");
-        int flags = this.constraintToFlag(constraint);
         String title = android.getString("title");
         String subtitle = android.getString("subtitle");
         String description = android.getString("description");
         String negativeButtonText = android.getString("negativeButtonText");
 
+        JSONArray allowedAuthenticatorsOnEnable = this.jsObjectGetArray(android, "allowedAuthenticatorsOnEnable");
+        JSONArray allowedAuthenticatorsOnAuthenticate = this.jsObjectGetArray(android, "allowedAuthenticatorsOnAuthenticate");
+        int allowedAuthenticatorsOnEnableFlags = this.constraintToFlag(allowedAuthenticatorsOnEnable);
+        int allowedAuthenticatorsOnAuthenticateFlags = this.constraintToFlag(allowedAuthenticatorsOnAuthenticate);
+
         BiometricOptions options = new BiometricOptions();
         options.payload = payload;
         options.kid = kid;
         options.alias = alias;
-        options.flags = flags;
+        options.allowedAuthenticatorsOnEnableFlags = allowedAuthenticatorsOnEnableFlags;
+        options.allowedAuthenticatorsOnAuthenticateFlags = allowedAuthenticatorsOnAuthenticateFlags;
         options.invalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
         options.title = title;
         options.subtitle = subtitle;

packages/authgear-capacitor/android/src/main/java/com/authgear/capacitor/BiometricOptions.java

@@ -6,7 +6,8 @@ class BiometricOptions {
     JSObject payload;
     String kid;
     String alias;
-    int flags;
+    int allowedAuthenticatorsOnEnableFlags;
+    int allowedAuthenticatorsOnAuthenticateFlags;
     boolean invalidatedByBiometricEnrollment;
     String title;
     String subtitle;

packages/authgear-capacitor/src/types.ts

@@ -297,7 +297,7 @@ export interface BiometricOptionsIOS {
  *
  * @public
  */
-export enum BiometricAccessConstraintAndroid {
+export enum BiometricAuthenticatorAndroid {
   /**
    * The user can use Class 3 biometric to authenticate.
    *
@@ -346,7 +346,28 @@ export interface BiometricOptionsAndroid {
    * @public
    */
   negativeButtonText: string;
-  constraint: BiometricAccessConstraintAndroid[];
+  /**
+   * Set the allowed authenticators when the user enables biometric.
+   * This must be a subset of allowedAuthenticatorsOnAuthenticate because
+   * you normally want to ensure the user performed at least once biometric authentication during setup,
+   * but allow the user to fallback to passcode for subsequent biometric authentication.
+   *
+   * See {@link BiometricAuthenticatorAndroid}
+   *
+   * @public
+   */
+  allowedAuthenticatorsOnEnable: BiometricAuthenticatorAndroid[];
+  /**
+   * Set the allowed authenticators when the user performs biometric authentication.
+   * This must be a superset of allowedAuthenticatorsOnEnable because
+   * you normally want to ensure the user performed at least once biometric authentication during setup,
+   * but allow the user to fallback to passcode for subsequent biometric authentication.
+   *
+   * See {@link BiometricAuthenticatorAndroid}
+   *
+   * @public
+   */
+  allowedAuthenticatorsOnAuthenticate: BiometricAuthenticatorAndroid[];
   /**
    * The user needs to set up biometric again when a new biometric is enrolled or all enrolled biometrics are removed.
    *