biometric_vault 1.1.0
biometric_vault: ^1.1.0 copied to clipboard
Secure storage with optional biometric protection for Android, iOS, and macOS. Linux, Windows, and web fall back to unauthenticated storage.
Changelog #
1.1.0 #
StorageFileInitOptions.silentWrites: writes never show an authentication prompt while reads stay gated. Android uses envelope encryption (payload under a fresh AES-256-GCM key, wrapped by a Keystore RSA public key whose private half is authentication-gated); iOS and macOS replace the keychain item on write, which never evaluates its access control.BiometricVault.biometryType(): reports the device biometry modality (Face ID, Touch ID, Optic ID, fingerprint, face, iris) so UI copy can name the actual authenticator.BiometricVault.authenticate(): standalone user authentication without any storage, for app-lock style privacy gates. Supports biometric-only mode or device-credential fallback.
1.0.0 #
Initial stable release of biometric_vault: encrypted storage for small
secrets (tokens, passwords, key material) with optional biometric protection.
Features #
- Named encrypted stores with a four-call lifecycle:
canAuthenticate(),getStorage(), thenread()/write()/delete(). - Android 7.0+ (API 24): AES-GCM key in the Android Keystore (StrongBox when
available, TEE fallback), gated by
BiometricPromptwith Class 3 biometrics and optional device-credential fallback. All keystore and file work runs off the main thread, and writes are atomic. - iOS 13+ / macOS 10.15+: Keychain items protected by
SecAccessControl(Face ID / Touch ID / Apple Watch, optional passcode fallback), shipped as a Swift Package Manager package with a CocoaPods fallback. Keychain operations run off the main thread. - Linux (libsecret), Windows (Credential Manager), and web (
localStorage, not secure) backends so cross-platform code keeps working without authentication support. - Typed, sealed error model: every failure is a subtype of the sealed
BiometricVaultException(AuthExceptionwith 14 dedicatedAuthExceptionCodevalues,StorageInvalidatedExceptionwith aStorageInvalidatedReason, orBiometricVaultPluginException), so a singleswitchhandles all outcomes exhaustively and rawPlatformExceptions never escape. - Precise capability reporting:
canAuthenticate()distinguishes biometry lockout (errorLockedOut) and pending security updates (errorSecurityUpdateRequired) from generic hardware unavailability. StorageFileInitOptionswith explicit per-platform durations (androidAuthenticationValidityDuration,darwinTouchIDAuthenticationAllowableReuseDuration,darwinTouchIDAuthenticationForceReuseContextDuration) and per-platformbiometricOnlyflags. Invalid store names or option combinations throwArgumentErroratgetStorageinstead of failing natively at first use.- Localizable prompt strings via
PromptInfo(AndroidPromptInfoandDarwinPromptInfo).
