Use SimpleKeychain to save local data

This update switches from using the unencrypted SwiftUI
`@AppStorage` to using Auth0's `SimpleKeychain` library to
save the user account information locally.

Author: shepazon

swift/example_code/apple/Buckets/Buckets.xcodeproj/project.pbxproj

@@ -16,6 +16,7 @@
 		283FA3A72C5D3628003CF6D9 /* AWSSTS in Frameworks */ = {isa = PBXBuildFile; productRef = 283FA3A62C5D3628003CF6D9 /* AWSSTS */; };
 		283FA3A92C5D3697003CF6D9 /* IDString.swift in Sources */ = {isa = PBXBuildFile; fileRef = 283FA3A82C5D3697003CF6D9 /* IDString.swift */; };
 		283FA3AB2C5D36BC003CF6D9 /* BucketsAppError.swift in Sources */ = {isa = PBXBuildFile; fileRef = 283FA3AA2C5D36BC003CF6D9 /* BucketsAppError.swift */; };
+		286E157D2CA46392001D1009 /* SimpleKeychain in Frameworks */ = {isa = PBXBuildFile; productRef = 286E157C2CA46392001D1009 /* SimpleKeychain */; };
 		28FA46BE2C8A135700A2E959 /* Task-extension.swift in Sources */ = {isa = PBXBuildFile; fileRef = 28FA46BD2C8A135700A2E959 /* Task-extension.swift */; };
 		28FA46C02C8A139900A2E959 /* LocalizedAlertError.swift in Sources */ = {isa = PBXBuildFile; fileRef = 28FA46BF2C8A139900A2E959 /* LocalizedAlertError.swift */; };
 		28FA46C22C8A145500A2E959 /* View-extension.swift in Sources */ = {isa = PBXBuildFile; fileRef = 28FA46C12C8A145500A2E959 /* View-extension.swift */; };
@@ -41,6 +42,7 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				286E157D2CA46392001D1009 /* SimpleKeychain in Frameworks */,
 				283FA3A52C5D3628003CF6D9 /* AWSS3 in Frameworks */,
 				283FA3A72C5D3628003CF6D9 /* AWSSTS in Frameworks */,
 			);
@@ -53,6 +55,7 @@
 			isa = PBXGroup;
 			children = (
 				283FA3912C5D34FF003CF6D9 /* Buckets */,
+				286E157B2CA46392001D1009 /* Frameworks */,
 				283FA3902C5D34FF003CF6D9 /* Products */,
 			);
 			sourceTree = "<group>";
@@ -72,10 +75,10 @@
 				283FA3942C5D34FF003CF6D9 /* ContentView.swift */,
 				283FA3A12C5D3590003CF6D9 /* ContentView-ViewModel.swift */,
 				283FA3AA2C5D36BC003CF6D9 /* BucketsAppError.swift */,
+				28FA46BC2C8A131D00A2E959 /* Support */,
 				283FA3962C5D3500003CF6D9 /* Assets.xcassets */,
 				283FA3982C5D3500003CF6D9 /* Buckets.entitlements */,
 				283FA3992C5D3500003CF6D9 /* Preview Content */,
-				28FA46BC2C8A131D00A2E959 /* Support */,
 			);
 			path = Buckets;
 			sourceTree = "<group>";
@@ -88,6 +91,13 @@
 			path = "Preview Content";
 			sourceTree = "<group>";
 		};
+		286E157B2CA46392001D1009 /* Frameworks */ = {
+			isa = PBXGroup;
+			children = (
+			);
+			name = Frameworks;
+			sourceTree = "<group>";
+		};
 		28FA46BC2C8A131D00A2E959 /* Support */ = {
 			isa = PBXGroup;
 			children = (
@@ -118,6 +128,7 @@
 			packageProductDependencies = (
 				283FA3A42C5D3628003CF6D9 /* AWSS3 */,
 				283FA3A62C5D3628003CF6D9 /* AWSSTS */,
+				286E157C2CA46392001D1009 /* SimpleKeychain */,
 			);
 			productName = Buckets;
 			productReference = 283FA38F2C5D34FF003CF6D9 /* Buckets.app */;
@@ -149,6 +160,7 @@
 			mainGroup = 283FA3862C5D34FF003CF6D9;
 			packageReferences = (
 				283FA3A32C5D3628003CF6D9 /* XCRemoteSwiftPackageReference "aws-sdk-swift" */,
+				2816F5ED2CA460E800E07574 /* XCRemoteSwiftPackageReference "SimpleKeychain" */,
 			);
 			productRefGroup = 283FA3902C5D34FF003CF6D9 /* Products */;
 			projectDirPath = "";
@@ -414,6 +426,14 @@
 /* End XCConfigurationList section */
 
 /* Begin XCRemoteSwiftPackageReference section */
+		2816F5ED2CA460E800E07574 /* XCRemoteSwiftPackageReference "SimpleKeychain" */ = {
+			isa = XCRemoteSwiftPackageReference;
+			repositoryURL = "https://github.com/auth0/SimpleKeychain.git";
+			requirement = {
+				kind = upToNextMajorVersion;
+				minimumVersion = 1.2.0;
+			};
+		};
 		283FA3A32C5D3628003CF6D9 /* XCRemoteSwiftPackageReference "aws-sdk-swift" */ = {
 			isa = XCRemoteSwiftPackageReference;
 			repositoryURL = "https://github.com/awslabs/aws-sdk-swift.git";
@@ -435,6 +455,11 @@
 			package = 283FA3A32C5D3628003CF6D9 /* XCRemoteSwiftPackageReference "aws-sdk-swift" */;
 			productName = AWSSTS;
 		};
+		286E157C2CA46392001D1009 /* SimpleKeychain */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 2816F5ED2CA460E800E07574 /* XCRemoteSwiftPackageReference "SimpleKeychain" */;
+			productName = SimpleKeychain;
+		};
 /* End XCSwiftPackageProductDependency section */
 	};
 	rootObject = 283FA3872C5D34FF003CF6D9 /* Project object */;

swift/example_code/apple/Buckets/Buckets/BucketsApp.swift

@@ -6,21 +6,9 @@
 //
 
 import SwiftUI
-import ClientRuntime
 
 @main
 struct BucketsApp: App {
-
-    /// Initialize the application.
-    init() {
-        // Create a synchronous task that configures logging then
-        // immediately exits.
-        Task.synchronous {
-            SDKDefaultIO.setLogLevel(level: .error)
-            await SDKLoggingSystem().initialize(logLevel: .error)
-        }
-    }
-
     var body: some Scene {
         WindowGroup {
             ContentView().environmentObject(ViewModel())

swift/example_code/apple/Buckets/Buckets/ContentView-ViewModel.swift

@@ -1,12 +1,12 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+// snippet-start:[siwa-viewmodel.swift.imports]
 import SwiftUI
 import AuthenticationServices
+import SimpleKeychain
 
 // Import the AWS SDK for Swift modules the app requires.
-//
-// snippet-start:[siwa-viewmodel.swift.imports]
 import AWSS3
 import AWSSDKIdentity
 // snippet-end:[siwa-viewmodel.swift.imports]
@@ -34,49 +34,53 @@ class ViewModel: ObservableObject {
     /// This is only returned by SIWA if the user has just created
     /// the app's SIWA account link. Otherwise, it's returned as `nil`
     /// by SIWA and must be retrieved from local storage if needed.
-    @AppStorage("email") var email = ""
+    var email = ""
 
     /// The user's family (last) name.
     ///
     /// This is only returned by SIWA if the user has just created
     /// the app's SIWA account link. Otherwise, it's returned as `nil`
     /// by SIWA and must be retrieved from local storage if needed.
-    @AppStorage("family-name") var familyName = ""
-
+    var familyName = ""
+    
     /// The user's given (first) name.
     ///
     /// This is only returned by SIWA if the user has just created
     /// the app's SIWA account link. Otherwise, it's returned as `nil` by SIWA
     /// and must be retrieved from local storage if needed.
-    @AppStorage("given-name") var givenName = ""
-
+    var givenName = ""
+    
     /// The AWS account number provided by the user.
-    @AppStorage("account-number") var awsAccountNumber = ""
+    var awsAccountNumber = ""
 
     /// The AWS IAM role name given by the user.
-    @AppStorage("iam-role") var awsIAMRoleName = ""
-
+    var awsIAMRoleName = ""
+    
     /// The credential identity resolver created by the AWS SDK for
     /// Swift. This resolves temporary credentials using
     /// `AssumeRoleWithWebIdentity`.
     var identityResolver: STSWebIdentityAWSCredentialIdentityResolver? = nil
     // snippet-end:[siwa-auth-properties.swift]
-
+    
     //****** The variables below this point aren't involved in Sign in With
     //****** Apple or AWS authentication.
-
+    
     /// An array of the user's bucket names.
     ///
     /// This is filled out once the user is signed into AWS.
     @Published var bucketList: [IDString] = []
-
+    
     /// An error string to present in an alert panel if needed. If this is
     /// `nil`, no error alert is presented.
     @Published var error: Swift.Error?
 
     /// The title of the error alert's close button.
     @Published var errorButtonTitle: String = "Continue"
-
+    
+    init() {
+        readUserData()
+    }
+    
     // MARK: - Authentication
 
     // snippet-start:[siwa-handle.swift]
@@ -102,13 +106,13 @@ class ViewModel: ObservableObject {
             else {
                 throw BucketsAppError.credentialsIncomplete
             }
-
+            
             userID = credential.user
-
+            
             // If the email field has a value, set the user's recorded email
             // address. Otherwise, keep the existing one.
             email = credential.email ?? self.email
-
+            
             // Similarly, if the name is present in the credentials, use it.
             // Otherwise, the last known name is retained.
             if let name = credential.fullName {
@@ -140,7 +144,7 @@ class ViewModel: ObservableObject {
         }
     }
     // snippet-end:[siwa-handle.swift]
-
+    
     // snippet-start:[siwa-authenticate.swift]
     /// Convert the given JWT identity token string into the temporary
     /// AWS credentials needed to allow this application to operate, as
@@ -170,13 +174,12 @@ class ViewModel: ObservableObject {
         do {
             try tokenString.write(to: tokenFileURL, atomically: true, encoding: .utf8)
         } catch {
-            //print("Error writing token to disk: \(error)")
             throw BucketsAppError.tokenFileError()
         }
 
         // Create an identity resolver that uses the JWT token received
         // from Apple to create AWS credentials.
-                    
+        
         do {
             identityResolver = try STSWebIdentityAWSCredentialIdentityResolver(
                 region: region,
@@ -187,9 +190,14 @@ class ViewModel: ObservableObject {
         } catch {
             throw BucketsAppError.assumeRoleFailed
         }
+        
+        // Save the user's data securely to local storage so it's available
+        // in the future.
+        
+        saveUserData()
     }
     // snippet-end:[siwa-authenticate.swift]
-
+    
     // snippet-start:[siwa-sign-out.swift]
     /// "Sign out" of the user's account.
     ///
@@ -218,7 +226,7 @@ class ViewModel: ObservableObject {
         return userID != ""
     }
     // snippet-end:[siwa-check-signed-in.swift]
-
+    
     // MARK: - AWS access
     // snippet-start:[siwa-use-credentials.swift]
     /// Fetches a list of the user's Amazon S3 buckets.
@@ -230,11 +238,11 @@ class ViewModel: ObservableObject {
         // credential identity resolver created from the JWT token
         // returned by Sign In With Apple.
         let config = try await S3Client.S3ClientConfiguration(
-                awsCredentialIdentityResolver: identityResolver,
-                region: "us-east-1"
+            awsCredentialIdentityResolver: identityResolver,
+            region: "us-east-1"
         )
         let s3 = S3Client(config: config)
-                    
+        
         let output = try await s3.listBuckets(
             input: ListBucketsInput()
         )
@@ -251,7 +259,7 @@ class ViewModel: ObservableObject {
         }
     }
     // snippet-end:[siwa-use-credentials.swift]
-
+    
     // MARK: - Token file management
 
     // snippet-start:[siwa-create-token-file.swift]
@@ -264,7 +272,7 @@ class ViewModel: ObservableObject {
         return tempDirURL.appendingPathComponent("example-siwa-token.jwt")
     }
     // snippet-end:[siwa-create-token-file.swift]
-
+    
     // snippet-start:[siwa-delete-token-file.swift]
     /// Delete the local JWT token file.
     func deleteTokenFile() throws {
@@ -275,4 +283,81 @@ class ViewModel: ObservableObject {
         }
     }
     // snippet-end:[siwa-delete-token-file.swift]
+    
+
+    // MARK: - Secure storage
+    
+    let KEY_USER_ID = "buckets-user-id"
+    let KEY_USER_EMAIL = "buckets-user-email"
+    let KEY_USER_NAME_GIVEN = "buckets-user-given-name"
+    let KEY_USER_NAME_FAMILY = "buckets-user-family-name"
+    let KEY_AWS_ACCOUNT = "buckets-aws-account"
+    let KEY_IAM_ROLE = "buckets-iam-role"
+
+    /// Securely save user and account information to the Keychain.
+    func saveUserData() {
+        // Create a `SimpleKeychain` object to use for Keychain access. The
+        // default service name (the bundle ID) is used.
+        let simpleKeychain = SimpleKeychain()
+        
+        do {
+            //try simpleKeychain.set(userID, forKey: KEY_USER_ID)
+            try simpleKeychain.set(email, forKey: KEY_USER_EMAIL)
+            try simpleKeychain.set(givenName, forKey: KEY_USER_NAME_GIVEN)
+            try simpleKeychain.set(familyName, forKey: KEY_USER_NAME_FAMILY)
+            try simpleKeychain.set(awsAccountNumber, forKey: KEY_AWS_ACCOUNT)
+            try simpleKeychain.set(awsIAMRoleName, forKey: KEY_IAM_ROLE)
+        } catch {
+            // The way this example is written, if the data doesn't get saved,
+            // it just means it won't be available later. So silently log
+            // the problem and continue.
+            print("Unable to save user data to keychain.")
+        }
+    }
+    
+    /// Read user data from the keychain.
+    func readUserData() {
+        // Create a `SimpleKeychain` object to use for Keychain access. The
+        // default service name (the bundle ID) is used. Any item that isn't
+        // found is set to an empty string.
+        let simpleKeychain = SimpleKeychain()
+        
+        /*
+         do {
+            userID = try simpleKeychain.string(forKey: KEY_USER_ID)
+        } catch {
+            userID = ""
+        }
+         */
+        
+        do {
+            email = try simpleKeychain.string(forKey: KEY_USER_EMAIL)
+        } catch {
+            email = ""
+        }
+        
+        do {
+            givenName = try simpleKeychain.string(forKey: KEY_USER_NAME_GIVEN)
+        } catch {
+            givenName = ""
+        }
+        
+        do {
+            familyName = try simpleKeychain.string(forKey: KEY_USER_NAME_FAMILY)
+        } catch {
+            familyName = ""
+        }
+        
+        do {
+            awsAccountNumber = try simpleKeychain.string(forKey: KEY_AWS_ACCOUNT)
+        } catch {
+            awsAccountNumber = ""
+        }
+        
+        do {
+            awsIAMRoleName = try simpleKeychain.string(forKey: KEY_IAM_ROLE)
+        } catch {
+            awsIAMRoleName = ""
+        }
+    }
 }