antinvestor_auth_runtime 0.4.2 copy "antinvestor_auth_runtime: ^0.4.2" to clipboard
antinvestor_auth_runtime: ^0.4.2 copied to clipboard

Auth runtime for Antinvestor Flutter apps. OAuth2 + PKCE, adaptive DPoP, rotating refresh tokens with reuse detection, Isolate-isolated tokens, hardware-backed storage, Riverpod providers, Material widgets.

Changelog #

All notable changes to antinvestor_auth_runtime are documented here. This project adheres to Semantic Versioning.

0.4.2 — 2026-06-18 #

Added #

  • NativeCredentialConfig, a high-level factory configuration for Apple and Google native credential providers. Android apps can now enable the Google Sign-In v7 Credential Manager / One Tap path with createAuthRuntime(nativeCredentialConfig: NativeCredentialConfig(...)).
  • preferSilent support for native credentials. Apps can now explicitly disable the app-start no-UI credential attempt while keeping the interactive native sheet on sign-in tap.

Changed #

  • createAuthRuntime rejects simultaneous nativeCredentialConfig and nativeProviders inputs to prevent ambiguous native credential setup.
  • Documentation now presents NativeCredentialConfig as the preferred app integration path and keeps nativeProviders for tests and custom provider stacks.

0.4.0 — 2026-05-01 #

Changed #

  • Browser leg now uses flutter_web_auth_2 instead of flutter_appauth. Adds web, Windows, and Linux to the supported platforms (previously iOS/Android/macOS only) and removes the AppAuth iOS pod, eliminating the long-standing pod conflict with google_sign_in_ios (AppAuth ~> 2.0). PKCE/state/nonce are now generated by TokenWorker.prepareAuth exclusively — the previous double-generation (worker + flutter_appauth) is gone, and the OAuth state parameter is now actually verified end-to-end.

Breaking #

  • The internal OAuthFlow.authorize now takes an AuthorizeRequest argument and OAuthResult no longer carries verifier/nonce. OAuthFlow is package:antinvestor_auth_runtime/src/... (not exported), so consumers that only depend on createAuthRuntime are unaffected. Tests that subclass OAuthFlow need to update the override signature.

Platform setup (consumers) #

  • iOS / macOS: declare your redirectScheme (e.g. com.example.app) under CFBundleURLTypes in Info.plist. Universal Links also work — set redirectUri to the https://... URL and flutter_web_auth_2 will use ASWebAuthenticationSession.
  • Android: add flutter_web_auth_2's CallbackActivity to AndroidManifest.xml with an intent filter for the redirect scheme. See flutter_web_auth_2 README.
  • Web: host auth.html at the redirect URI's path (flutter_web_auth_2 posts the callback URL via window.opener.postMessage).
  • Windows / Linux: uses an embedded desktop_webview_window by default; pass an http://localhost:{port} redirectUri if you want the loopback fallback.

FedCM #

  • The runtime is FedCM-transparent: flutter_web_auth_2 opens the IdP login page in the system browser, and FedCM (navigator.credentials.get({ identity })) is invoked by the IdP page itself when the IdP supports it. No client-side wiring is required.

Dependencies #

  • flutter_secure_storage 9 → 10. Migrates Android off the deprecated Jetpack Crypto package and unifies iOS/macOS into flutter_secure_storage_darwin. Consumer apps must raise platform mins: Android minSdkVersion >= 23 (was 19), iOS >= 12.0, macOS >= 10.14.
  • pointycastle 3.9 → 4.0. Pure additive: new ciphers (Blowfish, Camellia, Twofish), generics on generateKeyPair. No usage changes required.
  • sign_in_with_apple 6.1 → 7.0. Extended AuthorizationErrorCode cases (our switch already has a default: fall-through, so no code changes).

0.3.1 — 2026-04-20 #

Added #

  • runtime.fetch / runtime.upload accept fully-qualified https://... URLs; when the path starts with http:// or https://, the runtime uses it directly and skips apiBaseUrl prepending. Unblocks consumers that talk to multiple service domains with a single OAuth client.

0.3.0 — 2026-04-20 #

Added #

  • AuthConfig.audiences — optional resource audience hints passed to authorize + token-exchange. Addresses service-thesa's 9-element audiences array use case.
  • AuthConfig.redirectUri — explicit override of the OAuth redirect URI; takes precedence over redirectScheme. Supports desktop loopback flows (http://localhost:5173/auth).
  • UserClaims.contactId, tenantId, partitionId typed getters for Antinvestor-specific claims; plus customClaims escape hatch for bespoke per-app claims.
  • AuthRuntime.getUserClaims() — typed wrapper around getClaims().
  • AuthRuntime.isAuthenticated — synchronous getter for background-task pre-check.

Changed #

  • None. Purely additive; existing v0.2 callers are unaffected.

0.2.0 — 2026-04-20 #

Added #

  • Native sign-in providers: AppleCredentialProvider (Sign in with Apple via sign_in_with_apple) and GoogleCredentialProvider (via google_sign_in v7; Android backed by CredentialManager).
  • NativeCredentialProvider abstraction — consumers can ship custom providers for enterprise IdPs.
  • OIDC token-exchange grant support (RFC 8693) in TokenExchange and TokenWorker.completeNativeCredential.
  • Native → OAuth2 sign-in waterfall: proactive silent attempt on mount; interactive attempt on sign-in click; OAuth2 fallback when all native providers decline.
  • AuthRuntime.availableNativeProviders() helper + credentialEventStream telemetry.
  • authNativeProvidersProvider Riverpod override hook.
  • Four new AuthErrorCode values: nativeCredentialCancelled, nativeCredentialUnavailable, nativeCredentialIssuerMismatch, nativeCredentialExchangeFailed.
  • IdP operator guide: docs/auth-runtime-native-credentials.md.

Changed #

  • createAuthRuntime now accepts an optional nativeProviders parameter. Existing callers are unaffected.
  • logout() calls signOut() on each configured native provider before the server revocation/end-session path.

Security #

  • Provider-issued ID tokens are validated for issuer match before exchange (trust boundary not delegated to the provider).
  • Per-attempt nonce binding with Apple's SHA-256 hashing accommodated.

0.1.0 — 2026-04-19 #

Initial public release.

Added #

  • AuthRuntime public contract and createAuthRuntime factory.
  • OAuth2 + PKCE sign-in via flutter_appauth, wrapped in a testable OAuthFlow abstraction.
  • OIDC discovery with in-memory caching, timeout, and in-flight deduplication.
  • Adaptive DPoP: ES256 proofs, DPoP-Nonce challenge retry, clock-skew compensation via Date header.
  • Token exchange with rotating refresh tokens + reuse detection.
  • Authenticated fetch + upload with automatic 401-refresh retry.
  • TokenWorker with secure-storage-backed session persistence: root key → wrap key → DPoP private key + refresh token encryption chain over AES-GCM-256.
  • Optional Isolate-backed worker (createAuthRuntime(useIsolate: true)) — scaffolding in v0.1; data-plane methods land in a follow-up.
  • Riverpod providers: authRuntimeProvider, authStateProvider, isAuthenticatedProvider, userClaimsProvider, rolesProvider, securityEventsProvider.
  • AuthRuntimeScope for non-Riverpod consumers.
  • Material widgets: AuthGate, AuthStateBuilder, AuthEventListener, SignInButton, SignOutButton, ProfileAvatar.
  • SecurityEvent hierarchy surfaces refresh reuse, storage corruption, and related signals.
  • End-to-end integration tests against a shelf-backed mock IdP.
  • Comprehensive README and integration guide for consuming apps.
0
likes
120
points
302
downloads

Documentation

API reference

Publisher

verified publisherantinvestor.com

Weekly Downloads

Auth runtime for Antinvestor Flutter apps. OAuth2 + PKCE, adaptive DPoP, rotating refresh tokens with reuse detection, Isolate-isolated tokens, hardware-backed storage, Riverpod providers, Material widgets.

Homepage
Repository (GitHub)
View/report issues

Topics

#flutter #authentication #oauth2 #dpop #antinvestor

License

unknown (license)

Dependencies

async, collection, crypto, cryptography, equatable, flutter, flutter_riverpod, flutter_secure_storage, flutter_web_auth_2, google_sign_in, http, http_parser, meta, pointycastle, sign_in_with_apple, synchronized, uuid

More

Packages that depend on antinvestor_auth_runtime