antinvestor_auth_runtime 0.4.2
antinvestor_auth_runtime: ^0.4.2 copied to clipboard
Auth runtime for Antinvestor Flutter apps. OAuth2 + PKCE, adaptive DPoP, rotating refresh tokens with reuse detection, Isolate-isolated tokens, hardware-backed storage, Riverpod providers, Material widgets.
Changelog #
All notable changes to antinvestor_auth_runtime are documented here.
This project adheres to Semantic Versioning.
0.4.2 — 2026-06-18 #
Added #
NativeCredentialConfig, a high-level factory configuration for Apple and Google native credential providers. Android apps can now enable the Google Sign-In v7 Credential Manager / One Tap path withcreateAuthRuntime(nativeCredentialConfig: NativeCredentialConfig(...)).preferSilentsupport for native credentials. Apps can now explicitly disable the app-start no-UI credential attempt while keeping the interactive native sheet on sign-in tap.
Changed #
createAuthRuntimerejects simultaneousnativeCredentialConfigandnativeProvidersinputs to prevent ambiguous native credential setup.- Documentation now presents
NativeCredentialConfigas the preferred app integration path and keepsnativeProvidersfor tests and custom provider stacks.
0.4.0 — 2026-05-01 #
Changed #
- Browser leg now uses
flutter_web_auth_2instead offlutter_appauth. Adds web, Windows, and Linux to the supported platforms (previously iOS/Android/macOS only) and removes theAppAuthiOS pod, eliminating the long-standing pod conflict withgoogle_sign_in_ios(AppAuth ~> 2.0). PKCE/state/nonce are now generated byTokenWorker.prepareAuthexclusively — the previous double-generation (worker + flutter_appauth) is gone, and the OAuthstateparameter is now actually verified end-to-end.
Breaking #
- The internal
OAuthFlow.authorizenow takes anAuthorizeRequestargument andOAuthResultno longer carriesverifier/nonce.OAuthFlowispackage:antinvestor_auth_runtime/src/...(not exported), so consumers that only depend oncreateAuthRuntimeare unaffected. Tests that subclassOAuthFlowneed to update the override signature.
Platform setup (consumers) #
- iOS / macOS: declare your
redirectScheme(e.g.com.example.app) underCFBundleURLTypesinInfo.plist. Universal Links also work — setredirectUrito thehttps://...URL andflutter_web_auth_2will use ASWebAuthenticationSession. - Android: add
flutter_web_auth_2'sCallbackActivitytoAndroidManifest.xmlwith an intent filter for the redirect scheme. See flutter_web_auth_2 README. - Web: host
auth.htmlat the redirect URI's path (flutter_web_auth_2posts the callback URL viawindow.opener.postMessage). - Windows / Linux: uses an embedded
desktop_webview_windowby default; pass anhttp://localhost:{port}redirectUriif you want the loopback fallback.
FedCM #
- The runtime is FedCM-transparent:
flutter_web_auth_2opens the IdP login page in the system browser, and FedCM (navigator.credentials.get({ identity })) is invoked by the IdP page itself when the IdP supports it. No client-side wiring is required.
Dependencies #
flutter_secure_storage9 → 10. Migrates Android off the deprecated Jetpack Crypto package and unifies iOS/macOS intoflutter_secure_storage_darwin. Consumer apps must raise platform mins: AndroidminSdkVersion >= 23(was 19), iOS>= 12.0, macOS>= 10.14.pointycastle3.9 → 4.0. Pure additive: new ciphers (Blowfish, Camellia, Twofish), generics ongenerateKeyPair. No usage changes required.sign_in_with_apple6.1 → 7.0. ExtendedAuthorizationErrorCodecases (our switch already has adefault:fall-through, so no code changes).
0.3.1 — 2026-04-20 #
Added #
runtime.fetch/runtime.uploadaccept fully-qualifiedhttps://...URLs; when the path starts withhttp://orhttps://, the runtime uses it directly and skipsapiBaseUrlprepending. Unblocks consumers that talk to multiple service domains with a single OAuth client.
0.3.0 — 2026-04-20 #
Added #
AuthConfig.audiences— optional resource audience hints passed to authorize + token-exchange. Addresses service-thesa's 9-element audiences array use case.AuthConfig.redirectUri— explicit override of the OAuth redirect URI; takes precedence overredirectScheme. Supports desktop loopback flows (http://localhost:5173/auth).UserClaims.contactId,tenantId,partitionIdtyped getters for Antinvestor-specific claims; pluscustomClaimsescape hatch for bespoke per-app claims.AuthRuntime.getUserClaims()— typed wrapper aroundgetClaims().AuthRuntime.isAuthenticated— synchronous getter for background-task pre-check.
Changed #
- None. Purely additive; existing v0.2 callers are unaffected.
0.2.0 — 2026-04-20 #
Added #
- Native sign-in providers:
AppleCredentialProvider(Sign in with Apple viasign_in_with_apple) andGoogleCredentialProvider(viagoogle_sign_inv7; Android backed by CredentialManager). NativeCredentialProviderabstraction — consumers can ship custom providers for enterprise IdPs.- OIDC token-exchange grant support (RFC 8693) in
TokenExchangeandTokenWorker.completeNativeCredential. - Native → OAuth2 sign-in waterfall: proactive silent attempt on mount; interactive attempt on sign-in click; OAuth2 fallback when all native providers decline.
AuthRuntime.availableNativeProviders()helper +credentialEventStreamtelemetry.authNativeProvidersProviderRiverpod override hook.- Four new
AuthErrorCodevalues:nativeCredentialCancelled,nativeCredentialUnavailable,nativeCredentialIssuerMismatch,nativeCredentialExchangeFailed. - IdP operator guide:
docs/auth-runtime-native-credentials.md.
Changed #
createAuthRuntimenow accepts an optionalnativeProvidersparameter. Existing callers are unaffected.logout()callssignOut()on each configured native provider before the server revocation/end-session path.
Security #
- Provider-issued ID tokens are validated for issuer match before exchange (trust boundary not delegated to the provider).
- Per-attempt nonce binding with Apple's SHA-256 hashing accommodated.
0.1.0 — 2026-04-19 #
Initial public release.
Added #
AuthRuntimepublic contract andcreateAuthRuntimefactory.- OAuth2 + PKCE sign-in via
flutter_appauth, wrapped in a testableOAuthFlowabstraction. - OIDC discovery with in-memory caching, timeout, and in-flight deduplication.
- Adaptive DPoP: ES256 proofs,
DPoP-Noncechallenge retry, clock-skew compensation viaDateheader. - Token exchange with rotating refresh tokens + reuse detection.
- Authenticated
fetch+uploadwith automatic 401-refresh retry. TokenWorkerwith secure-storage-backed session persistence: root key → wrap key → DPoP private key + refresh token encryption chain over AES-GCM-256.- Optional Isolate-backed worker (
createAuthRuntime(useIsolate: true)) — scaffolding in v0.1; data-plane methods land in a follow-up. - Riverpod providers:
authRuntimeProvider,authStateProvider,isAuthenticatedProvider,userClaimsProvider,rolesProvider,securityEventsProvider. AuthRuntimeScopefor non-Riverpod consumers.- Material widgets:
AuthGate,AuthStateBuilder,AuthEventListener,SignInButton,SignOutButton,ProfileAvatar. SecurityEventhierarchy surfaces refresh reuse, storage corruption, and related signals.- End-to-end integration tests against a
shelf-backed mock IdP. - Comprehensive README and integration guide for consuming apps.