Improve authenticated flow of the Credentials Manager #519

lbalmaceda · 2021-09-29T16:08:49Z

Changes

The requireAuthentication method takes an Activity instance to use as context to launch the "lock screen" intent. When this is a subclass of ComponentActivity, we can make use of the new Activity Results API to launch that intent instead. This is the recommended way now that startActivityForResult has been deprecated.

When that's the case, the launch and result handling happen internally without the developer having to invoke the checkAuthenticationResult method to "complete" the flow.

This PR does NOT include breaking changes.

References

See #513

Testing

Added unit tests and manually tested the new flow.

Existing implementations would still receive a call to their activities' onActivityResult method, but with a request code value different than the one requested by our SDK, passed by the dev in the requireAuthentication call. Developers should ignore it because the request code is not a match. Yet, we were already handling this case internally and checking for the request code in these lines anyway, so distracted developers are covered.

I did notice that if the requireAuthentication method was called after the activity is resumed/started, then the following runtime exception is raised:

Caused by: java.lang.IllegalStateException: LifecycleOwner com.auth0.androidsample.LoginActivity@494936b is attempting to register while current state is STARTED. LifecycleOwners must call register before they are STARTED.

So I added a check (and tests) to prevent using this use case with Activity Results if the activity passed as context is already started.

lbalmaceda · 2021-10-28T14:24:05Z

auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt

@@ -63,12 +68,13 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT

    /**
     * Require the user to authenticate using the configured LockScreen before accessing the credentials.
-     * This feature is disabled by default and will only work if the device is running on Android version 21 or up and if the user
-     * has configured a secure LockScreen (PIN, Pattern, Password or Fingerprint).
+     * This method MUST be called in [Activity.onCreate]. This feature is disabled by default and will


It's OK if they don't. I'm defaulting to the old scenario anyways, but it's better to lead them to use the new way for future compatibility & easier deprecation reasons.

lbalmaceda · 2021-10-28T14:24:57Z

auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt

@@ -84,25 +90,42 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
    ): Boolean {
        require(!(requestCode < 1 || requestCode > 255)) { "Request code must be a value between 1 and 255." }
        val kManager = activity.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
-        authIntent =
-            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) kManager.createConfirmDeviceCredentialIntent(


the min SDK is already 21, no reason to keep these checks around

lbalmaceda · 2021-10-28T14:25:34Z

auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt

+             *  prevent that exception while still falling back to the old "startActivityForResult" flow. That's in
+             *  case devs are invoking this method in places other than the Activity's "OnCreate" method.
+             */
+            if (activity is ComponentActivity && !activity.lifecycle.currentState.isAtLeast(


If the context is a subclass of ComponentActivity and not yet STARTED, the new path will be used. Otherwise, legacy scenario.

lbalmaceda · 2021-10-28T14:26:38Z