Merge pull request #528 from stytchauth/change-encryption-key-logic

Remove logic around isProtectedDataAvailable

Author: nidal-stytch

Sources/StytchCore/KeychainClient/KeychainClient.swift

@@ -8,7 +8,6 @@ protocol KeychainClient: AnyObject {
     func valueExistsForItem(item: KeychainItem) -> Bool
     func setValueForItem(value: KeychainItem.Value, item: KeychainItem) throws
     func removeItem(item: KeychainItem) throws
-    func onProtectedDataDidBecomeAvailable()
 }
 
 extension KeychainClient {

Sources/StytchCore/KeychainClient/KeychainClientImplementation.swift

@@ -19,9 +19,10 @@ final class KeychainClientImplementation: KeychainClient {
     private init() {
         queue = DispatchQueue(label: "StytchKeychainClientQueue")
         queue.setSpecific(key: queueKey, value: ())
+        loadEncryptionKey()
     }
 
-    func onProtectedDataDidBecomeAvailable() {
+    func loadEncryptionKey() {
         try? safelyEnqueue {
             encryptionKey = try? getEncryptionKey()
         }

Sources/StytchCore/KeychainClient/KeychainItem.swift

@@ -13,13 +13,17 @@ struct KeychainItem {
     }
 
     var getQuery: [CFString: Any] {
-        baseQuery
-            .merging([
-                kSecReturnData: true,
-                kSecReturnAttributes: true,
-                kSecMatchLimit: kSecMatchLimitAll,
-                kSecAttrSynchronizable: kSecAttrSynchronizableAny,
-            ]) { $1 }
+        var query = baseQuery.merging([
+            kSecReturnData: true,
+            kSecReturnAttributes: true,
+            kSecMatchLimit: kSecMatchLimitAll,
+            kSecAttrSynchronizable: kSecAttrSynchronizableAny,
+        ]) { $1 }
+
+        if kind == .encryptionKey {
+            query[kSecUseAuthenticationUI] = kSecUseAuthenticationUISkip
+        }
+        return query
     }
 
     func insertQuery(value: Value) -> CFDictionary {
@@ -42,6 +46,13 @@ struct KeychainItem {
         if let accessControl = try? value.accessPolicy?.accessControl {
             querySegment[kSecAttrAccessControl] = accessControl
         }
+
+        // Make the encryption key available after first unlock
+        if kind == .encryptionKey {
+            querySegment[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlock
+            // or use kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly if you do not want sync
+        }
+
         return querySegment
     }
 }

Sources/StytchCore/StytchClientType.swift

@@ -82,18 +82,16 @@ extension StytchClientType {
                 }
             }
         }
-        if UIApplication.shared.isProtectedDataAvailable {
-            keychainClient.onProtectedDataDidBecomeAvailable()
-            defaultStartupFlow()
-        } else {
-            NotificationCenter.default.addObserver(forName: UIApplication.protectedDataDidBecomeAvailableNotification, object: nil, queue: nil) { _ in
-                keychainClient.onProtectedDataDidBecomeAvailable()
-                defaultStartupFlow()
+        #endif
+
+        Task {
+            do {
+                try await StartupClient.start(clientType: Self.clientType)
+                try? await EventsClient.logEvent(parameters: .init(eventName: "client_initialization_success"))
+            } catch {
+                try? await EventsClient.logEvent(parameters: .init(eventName: "client_initialization_failure"))
             }
         }
-        #else
-        defaultStartupFlow()
-        #endif
     }
 
     // swiftlint:disable:next identifier_name large_tuple
@@ -141,15 +139,4 @@ extension StytchClientType {
             }
         }
     }
-
-    private func defaultStartupFlow() {
-        Task {
-            do {
-                try await StartupClient.start(clientType: Self.clientType)
-                try? await EventsClient.logEvent(parameters: .init(eventName: "client_initialization_success"))
-            } catch {
-                try? await EventsClient.logEvent(parameters: .init(eventName: "client_initialization_failure"))
-            }
-        }
-    }
 }

Stytch/DemoApps/StytchBiometrics/ViewController.swift

@@ -15,7 +15,7 @@ class ViewController: UIViewController {
 
     override func viewDidLoad() {
         super.viewDidLoad()
-        StytchClient.configure(configuration: .init(publicToken: ""))
+        StytchClient.configure(configuration: .init(publicToken: "public-token-test-81b5f118-b6d3-49ff-9f56-a037a6e65176"))
 
         StytchClient.sessions.onSessionChange
             .receive(on: DispatchQueue.main)

Stytch/DemoApps/StytchUIDemo/ContentView.swift

@@ -109,7 +109,7 @@ class ContentViewModel: ObservableObject {
     }
 
     let configuration: StytchUIClient.Configuration = .init(
-        stytchClientConfiguration: .init(publicToken: "public-token-test-..."),
+        stytchClientConfiguration: .init(publicToken: "public-token-test-81b5f118-b6d3-49ff-9f56-a037a6e65176"),
         products: [.otp, .oauth, .passwords, .emailMagicLinks, .biometrics],
         navigation: Navigation(closeButtonStyle: .close(.right)),
         oauthProviders: [.apple, .thirdParty(.google)],

Tests/StytchCoreTests/KeychainClient+Mock.swift

@@ -6,8 +6,6 @@ import Foundation
 public var keychainDateCreatedOffsetInMinutes = 0
 
 class KeychainClientMock: KeychainClient {
-    func onProtectedDataDidBecomeAvailable() {}
-
     var encryptionKey: SymmetricKey? {
         do {
             return SymmetricKey(data: try Current.cryptoClient.dataWithRandomBytesOfCount(256))

Tests/StytchCoreTests/KeychainClientTestCase.swift

@@ -56,20 +56,71 @@ final class KeychainClientTestCase: BaseTestCase {
     func testKeychainEncryptionKeyItem() {
         let item: KeychainItem = .init(kind: .encryptionKey, name: "encryptionKey")
 
+        // Helper to create a KeychainItem.Value for a given string
         let itemValueForKey: (String) -> KeychainItem.Value = { value in
-            .init(data: .init(value.utf8), account: ENCRYPTEDUSERDEFAULTSKEYNAME, label: nil, generic: nil, accessPolicy: nil)
+            .init(
+                data: .init(value.utf8),
+                account: ENCRYPTEDUSERDEFAULTSKEYNAME,
+                label: nil,
+                generic: nil,
+                accessPolicy: nil
+            )
         }
+
+        // Verify the base query used to fetch the encryption key.
+        // Expected fields:
+        // - service ("svce") set to "encryptionKey"
+        // - class ("genp") for generic password
+        // - return data and attributes
+        // - match limit all
+        // - synchronizable any
+        // - no authentication UI (skip prompts)
         XCTAssertEqual(
             item.getQuery as CFDictionary,
-            ["svce": "encryptionKey", "class": "genp", "m_Limit": "m_LimitAll", "r_Data": 1, "r_Attributes": 1, "nleg": 1, "sync": "syna"] as CFDictionary
+            [
+                "svce": "encryptionKey",
+                "class": "genp",
+                "m_Limit": "m_LimitAll",
+                "r_Data": 1,
+                "r_Attributes": 1,
+                "nleg": 1,
+                "sync": "syna",
+                "u_AuthUI": "u_AuthUIS",
+            ] as CFDictionary
         )
+
+        // Verify the update segment for an existing encryption key value.
+        // Expected fields:
+        // - account set to ENCRYPTEDUSERDEFAULTSKEYNAME
+        // - value data stored as bytes
+        // - pdmn = "ck", meaning kSecAttrAccessibleAfterFirstUnlock
         XCTAssertEqual(
             item.updateQuerySegment(for: itemValueForKey("value")) as CFDictionary,
-            ["acct": ENCRYPTEDUSERDEFAULTSKEYNAME, "v_Data": Data("value".utf8)] as CFDictionary
+            [
+                "acct": ENCRYPTEDUSERDEFAULTSKEYNAME,
+                "v_Data": Data("value".utf8),
+                "pdmn": "ck",
+            ] as CFDictionary
         )
+
+        // Verify the insert query for a new encryption key value.
+        // Expected fields:
+        // - account set to ENCRYPTEDUSERDEFAULTSKEYNAME
+        // - service set to "encryptionKey"
+        // - class = generic password
+        // - value data stored as bytes
+        // - nleg = 1 (data protection keychain)
+        // - pdmn = "ck" (AfterFirstUnlock accessibility)
         XCTAssertEqual(
             item.insertQuery(value: itemValueForKey("new_value")) as CFDictionary,
-            ["acct": ENCRYPTEDUSERDEFAULTSKEYNAME, "svce": "encryptionKey", "class": "genp", "v_Data": Data("new_value".utf8), "nleg": 1] as CFDictionary
+            [
+                "acct": ENCRYPTEDUSERDEFAULTSKEYNAME,
+                "svce": "encryptionKey",
+                "class": "genp",
+                "v_Data": Data("new_value".utf8),
+                "nleg": 1,
+                "pdmn": "ck", // AfterFirstUnlock
+            ] as CFDictionary
         )
     }