authpass / biometric_storage

Flutter plugin to store data behind biometric authentication (i.e. fingerprint)
https://pub.dev/packages/biometric_storage
MIT License

A way to overwrite data without prompt #108

Open gasaichandesu opened 5 months ago

gasaichandesu commented 5 months ago

I have implemented biometric authentication in my app by storing the refresh token in biometric storage and met the following case. As soon as my app starts, the user is prompted to use fingerprint/faceID. Upon success, the refresh token is retrieved and exchanged for an access token via a network request. The problem is that when the access token is issued, a new refresh token is issued as well and the old token is not valid anymore, so I have to rewrite it. But if I call the write method, another biometric prompt shows up, which is unacceptable.

So, is there a way to overwrite data without a prompt, or is my flow incorrect?

abdallah-odeh commented 3 months ago

Your flow is indeed correct. I am facing a similar issue: my access token age is 15 minutes, so the user might also be using the app & suddenly a biometric auth is requested to read the refresh token!

The duration between reading, refreshing & writing the new refresh token might be passed as authenticationValidityDurationSeconds: 60; this is supposed to keep the file open for a minute (a minute to handle slow internet).

But for the scenario I mentioned above, I could not find a workaround!

gasaichandesu commented 1 month ago

Thank you for your response. I had somehow missed the authenticationValidityDurationSeconds parameter; otherwise I would not have faced my issue.

Right now, as a workaround, we are storing the token in secure storage and using biometric authentication only for authentication. It works, but the issue here is that the biometric entrance does not add an additional security layer; it serves simply as a quick login method.

hpoul commented 3 weeks ago

I don't think this is possible.. because to write data you have to retrieve the encryption key, which can only be done by authenticating the user.. The only way I could think of is doing your own encryption.. i.e. storing an encryption key in biometric storage and keeping it in memory for the whole duration of your app's lifecycle.. but I don't think that "normal" refresh tokens require an additional biometric security layer..

If you only need to overwrite it on app start (because I'd assume the refresh token is long-living anyway?), authenticationValidityDurationSeconds would be the right approach imho..

Although it would probably be worth improving the "unauthenticated" storage options.. for storage without biometric protection the plugin currently uses the defaults.. which on iOS means the device has to be unlocked in order to access the data, while on Android the default seems to allow access at all times..
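The approach hpoul sketches above (a biometric-gated key read once and kept in memory, with the refresh token encrypted under it in a file that needs no prompt), written out as an added example; this is not code from the plugin or from anyone in the thread. It assumes the plugin's getStorage/read/write API with StorageFileInitOptions(authenticationValidityDurationSeconds, authenticationRequired) and the cryptography package's AesGcm for the encryption; the class and file names are made up.

```dart
import 'dart:convert';

import 'package:biometric_storage/biometric_storage.dart';
import 'package:cryptography/cryptography.dart';

/// Hypothetical helper: one biometric prompt per app start, then unlimited
/// token rewrites without further prompts because the AES key stays in memory.
class RefreshTokenVault {
  static const _keyFile = 'refresh_token_key'; // biometric-gated (assumed name)
  static const _tokenFile = 'refresh_token_ct'; // no biometric gate (assumed name)
  final AesGcm _aes = AesGcm.with256bits();
  SecretKey? _key; // held only in memory for the app's lifecycle

  /// Prompts for biometrics once; creates the key on first run.
  Future<void> unlock() async {
    final keyStore = await BiometricStorage().getStorage(
      _keyFile,
      // 60 s window so the first-run write below does not prompt a second time.
      options: StorageFileInitOptions(authenticationValidityDurationSeconds: 60),
    );
    final stored = await keyStore.read();
    if (stored == null) {
      final fresh = await _aes.newSecretKey();
      await keyStore.write(base64Encode(await fresh.extractBytes()));
      _key = fresh;
    } else {
      _key = SecretKey(base64Decode(stored));
    }
  }

  // Ciphertext file: readable without a prompt, useless without the key.
  Future<BiometricStorageFile> _tokenStore() => BiometricStorage().getStorage(
        _tokenFile,
        options: StorageFileInitOptions(authenticationRequired: false),
      );

  SecretKey get _requireKey =>
      _key ?? (throw StateError('call unlock() before using the vault'));

  /// Rewrite the refresh token (e.g. after each token exchange) with no prompt.
  Future<void> writeToken(String refreshToken) async {
    final box = await _aes.encrypt(utf8.encode(refreshToken), secretKey: _requireKey);
    await (await _tokenStore()).write(base64Encode(box.concatenation()));
  }

  Future<String?> readToken() async {
    final stored = await (await _tokenStore()).read();
    if (stored == null) return null;
    final box = SecretBox.fromConcatenation(base64Decode(stored),
        nonceLength: 12, macLength: 16); // AES-GCM defaults in this package
    return utf8.decode(await _aes.decrypt(box, secretKey: _requireKey)); // MAC failure throws
  }
}
```

Each cold start still costs one prompt in unlock(), and a stale or tampered ciphertext surfaces as a decrypt error rather than a bad token, so callers should treat either as "re-authenticate".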