martinkasa / capacitor-secure-storage-plugin

Capacitor plugin for storing string values securely on iOS and Android.
MIT License

Storage is 'empty' after updating from 0.5.1 to 0.6.0 #62

Closed eric-boot closed 1 year ago

eric-boot commented 1 year ago

Hi!

Currently we use this plugin so that app users can log in via a digit code. This digit code is set up by the app user during the onboarding in our app.

We have migrated from Capacitor 2 to Capacitor 4 which made us update the version we use of this plugin. When we were running on Capacitor 2 we used version 0.4.0 of this package and after updating to Capacitor 4 we use the most recent (0.8.0) version.

After that version bump all of our app users (iOS & Android, except Web) suddenly lost their digit code, which required them to onboard again.

Investigation showed us that the problem disappeared when we downgraded the version from 0.8.0 to 0.4.0: the digit code was present again! Especially, the problem is caused in the changes made between 0.5.1 and 0.6.0 (see diff).

Reproduction steps:

  1. Run an app with at least the following dependencies:
    "dependencies": {
      "@capacitor/android": "4.1.0",
      "@capacitor/core": "4.1.0",
      "@capacitor/ios": "4.1.0",
      "capacitor-secure-storage-plugin": "0.5.1"
    }
  2. Save some value to the secure storage and get it:
    await SecureStoragePlugin.set({ key: 'digitCode', value: '1234' });
    SecureStoragePlugin.get({ key: 'digitCode' })
      .then(console.log) // '1234'
      .catch(console.error) // not called
  3. Upgrade capacitor-secure-storage-plugin to 0.6.0
  4. Executing the getter results in no value:
    SecureStoragePlugin.get({ key: 'digitCode' })
      .then(console.log) // not called
      .catch(console.error) // results in 'Item with given key does not exist'

Expected behaviour: Step 4 must result in logging the digit code which was set before updating to version 0.6.0.

martinkasa commented 1 year ago

Hi @eric-boot, version 0.5.1 is compatible with Capacitor v2. Up to 0.7.1 it is compatible with Capacitor v3, and more recent versions are for Capacitor v4. I can see that you tried to use version 0.5.1 of the plugin with Capacitor v4. Honestly, I did not try how it behaves, but since they are not compatible with each other, (now I am just guessing) probably your digitCode was stored in web localStorage, not encrypted properly, and then by upgrading the plugin to the version compatible with Capacitor v4, it tries to read it from native secure storage, but it is not there.

Try checking the localStorage of the webview, or call the getPlatform() method to be sure whether the native implementation is used or just the unsecure web fallback.
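The check suggested in the comment above, as an added example that is not part of the thread or the plugin's own code: it reports which backend is active and whether a key sits in the WebView's localStorage, then moves a stranded value into the native store. The `cap_sec_` prefix, the base64 encoding of the web fallback, the `{ value }` shape returned by `getPlatform()`, and the function names `locateValue` and `migrateStrandedValue` are assumptions made for illustration.

```javascript
// Assumption: the plugin's web fallback keeps each value in localStorage as
// base64 text under this key prefix. Confirm against the version you ship.
const ASSUMED_WEB_PREFIX = 'cap_sec_';

// atob exists in WebViews; the Buffer branch only lets this run under Node.
const decodeBase64 = (s) =>
  typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary');

// plugin: object with getPlatform()/get()/set(), e.g. SecureStoragePlugin.
// webStorage: Storage-like object, window.localStorage inside the WebView.
async function locateValue(plugin, webStorage, key) {
  const { value: platform } = await plugin.getPlatform();
  const report = { platform, inPlugin: false, inWebFallback: false };
  try {
    await plugin.get({ key });
    report.inPlugin = true;
  } catch (_) {
    // get() rejects when the key is missing from the active backend.
  }
  report.inWebFallback = webStorage.getItem(ASSUMED_WEB_PREFIX + key) !== null;
  return report;
}

// If the value is stranded in the web fallback while a native backend is
// active, copy it into the native store and delete the unencrypted copy.
// Resolves to true only when a value was actually moved.
async function migrateStrandedValue(plugin, webStorage, key) {
  const { platform, inPlugin, inWebFallback } = await locateValue(plugin, webStorage, key);
  // On 'web' the plugin itself reads localStorage, so there is nothing to move.
  if (platform === 'web' || inPlugin || !inWebFallback) return false;
  const value = decodeBase64(webStorage.getItem(ASSUMED_WEB_PREFIX + key));
  await plugin.set({ key, value });
  const stored = await plugin.get({ key });
  if (stored.value !== value) throw new Error('native write could not be verified');
  webStorage.removeItem(ASSUMED_WEB_PREFIX + key); // remove only after verification
  return true;
}
```

A report with `platform` of `ios` or `android`, `inPlugin: false` and `inWebFallback: true` matches the situation guessed at in the comment: the value was written by the web fallback and is readable by anything with access to the WebView's storage.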

eric-boot commented 1 year ago

Hi @martinkasa,

You made me check the whole flow again and I found the issue. Thanks for rubber ducking 😄