fix(auth): prevent from requesting login keychain password os macOS (#455)

ekurutepe · grdsdev · web-flow · commit 3e45b5a79f7a · 2024-07-11T08:07:18.000-03:00
* fix macOS behavior

* fix failing auth tests

---------

Co-authored-by: Guilherme Souza &lt;grsouza@pm.me&gt;
diff --git a/Sources/Auth/Internal/Keychain.swift b/Sources/Auth/Internal/Keychain.swift
@@ -67,6 +67,11 @@
         query[kSecAttrAccessGroup as String] = accessGroup
       }
 
+      // this is highly recommended for all keychain operations and makes the
+      // macOS keychain item behave like an iOS keychain item
+      // https://developer.apple.com/documentation/security/ksecusedataprotectionkeychain
+      query[kSecUseDataProtectionKeychain as String] = kCFBooleanTrue
+
       return query
     }
 
diff --git a/Tests/AuthTests/SessionManagerTests.swift b/Tests/AuthTests/SessionManagerTests.swift
@@ -41,12 +41,6 @@ final class SessionManagerTests: XCTestCase {
     )
   }
 
-  override func invokeTest() {
-    withMainSerialExecutor {
-      super.invokeTest()
-    }
-  }
-
   func testSession_shouldFailWithSessionNotFound() async {
     do {
       _ = try await sut.session()
@@ -58,53 +52,57 @@ final class SessionManagerTests: XCTestCase {
   }
 
   func testSession_shouldReturnValidSession() async throws {
-    let session = Session.validSession
-    try Dependencies[clientID].sessionStorage.store(session)
+    try await withMainSerialExecutor {
+      let session = Session.validSession
+      try Dependencies[clientID].sessionStorage.store(session)
 
-    let returnedSession = try await sut.session()
-    XCTAssertNoDifference(returnedSession, session)
+      let returnedSession = try await sut.session()
+      XCTAssertNoDifference(returnedSession, session)
+    }
   }
 
   func testSession_shouldRefreshSession_whenCurrentSessionExpired() async throws {
-    let currentSession = Session.expiredSession
-    try Dependencies[clientID].sessionStorage.store(currentSession)
-
-    let validSession = Session.validSession
-
-    let refreshSessionCallCount = LockIsolated(0)
-
-    let (refreshSessionStream, refreshSessionContinuation) = AsyncStream<Session>.makeStream()
-
-    http.when(
-      { $0.url.path.contains("/token") },
-      return: { _ in
-        refreshSessionCallCount.withValue { $0 += 1 }
-        let session = await refreshSessionStream.first(where: { _ in true })!
-        return .stub(session)
+    try await withMainSerialExecutor {
+      let currentSession = Session.expiredSession
+      try Dependencies[clientID].sessionStorage.store(currentSession)
+
+      let validSession = Session.validSession
+
+      let refreshSessionCallCount = LockIsolated(0)
+
+      let (refreshSessionStream, refreshSessionContinuation) = AsyncStream<Session>.makeStream()
+
+      http.when(
+        { $0.url.path.contains("/token") },
+        return: { _ in
+          refreshSessionCallCount.withValue { $0 += 1 }
+          let session = await refreshSessionStream.first(where: { _ in true })!
+          return .stub(session)
+        }
+      )
+
+      // Fire N tasks and call sut.session()
+      let tasks = (0 ..< 10).map { _ in
+        Task.detached { [weak self] in
+          try await self?.sut.session()
+        }
       }
-    )
 
-    // Fire N tasks and call sut.session()
-    let tasks = (0 ..< 10).map { _ in
-      Task.detached { [weak self] in
-        try await self?.sut.session()
-      }
-    }
+      await Task.yield()
 
-    await Task.megaYield()
+      refreshSessionContinuation.yield(validSession)
+      refreshSessionContinuation.finish()
 
-    refreshSessionContinuation.yield(validSession)
-    refreshSessionContinuation.finish()
+      // Await for all tasks to complete.
+      var result: [Result<Session?, Error>] = []
+      for task in tasks {
+        let value = await task.result
+        result.append(value)
+      }
 
-    // Await for all tasks to complete.
-    var result: [Result<Session?, Error>] = []
-    for task in tasks {
-      let value = await task.result
-      result.append(value)
+      // Verify that refresher and storage was called only once.
+      XCTAssertEqual(refreshSessionCallCount.value, 1)
+      XCTAssertEqual(try result.map { try $0.get() }, (0 ..< 10).map { _ in validSession })
     }
-
-    // Verify that refresher and storage was called only once.
-    XCTAssertEqual(refreshSessionCallCount.value, 1)
-    XCTAssertEqual(try result.map { try $0.get() }, (0 ..< 10).map { _ in validSession })
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,11 @@`
`67`	`67`	`query[kSecAttrAccessGroup as String] = accessGroup`
`68`	`68`	`}`
`69`	`69`
	`70`	`+ // this is highly recommended for all keychain operations and makes the`
	`71`	`+ // macOS keychain item behave like an iOS keychain item`
	`72`	`+ // https://developer.apple.com/documentation/security/ksecusedataprotectionkeychain`
	`73`	`+ query[kSecUseDataProtectionKeychain as String] = kCFBooleanTrue`
	`74`	`+`
`70`	`75`	`return query`
`71`	`76`	`}`
`72`	`77`