@seer-by-sentry
Summary of the problem

Fixes HCB-MOBILE-6. The issue was that: Background task failed to retrieve tokens from iOS Keychain because default accessibility setting WHEN_UNLOCKED prevents access when device is locked.

Describe your changes

  • Added keychainAccessible: SecureStore.AFTER_FIRST_UNLOCK option to SecureStore getItemAsync and setItemAsync calls for all token-related keys (ACCESS_TOKEN_KEY, REFRESH_TOKEN_KEY, EXPIRES_AT_KEY, TOKEN_CREATED_AT_KEY, CODE_VERIFIER_KEY).
  • This ensures that the stored tokens are accessible after the device is unlocked for the first time, improving security and user experience.

This fix was generated by Seer in Sentry, triggered by Mohamad Mortada. 👁️ Run ID: 2257604

Checklist

  • Descriptive PR title (Does the title explain the changes in a concise manner?)
  • Tag related issues so they auto-close on merge
  • Easily digestible commits (Are the commits small and easy to understand?) video
  • CI passes (Do the GitHub checks pass?)
  • Tested by submitter before requesting review (Does it work in development on iOS/Android?)

@thedev132 thedev132 requested a review from Copilot October 29, 2025 05:45
Copilot AI left a comment

Pull Request Overview

This PR adds keychain accessibility configuration to SecureStore operations for authentication tokens. The change ensures that stored authentication data (access tokens, refresh tokens, expiration times, and code verifiers) are accessible after the first device unlock, which is a standard iOS security practice for sensitive app data.

Key Changes

  • Added keychainAccessible: SecureStore.AFTER_FIRST_UNLOCK option to all getItemAsync calls in the token loading logic
  • Added keychainAccessible: SecureStore.AFTER_FIRST_UNLOCK option to all setItemAsync calls in the token storage logic

Comments suppressed due to low confidence (2)

src/auth/AuthProvider.tsx:117

  • The deleteItemAsync calls in the setTokens function should include the keychainAccessible option to match the accessibility level used when the items were stored. Without this, deletion may fail if the keychain items were stored with a specific accessibility level. Add { keychainAccessible: SecureStore.AFTER_FIRST_UNLOCK } as the second parameter to each deleteItemAsync call.
        await SecureStore.deleteItemAsync(ACCESS_TOKEN_KEY);
        await SecureStore.deleteItemAsync(REFRESH_TOKEN_KEY);
        await SecureStore.deleteItemAsync(EXPIRES_AT_KEY);
        await SecureStore.deleteItemAsync(TOKEN_CREATED_AT_KEY);
        await SecureStore.deleteItemAsync(CODE_VERIFIER_KEY);

src/auth/AuthProvider.tsx:135

  • The deleteItemAsync calls in the forceLogout function should include the keychainAccessible option to match the accessibility level used when the items were stored. Without this, deletion may fail if the keychain items were stored with a specific accessibility level. Add { keychainAccessible: SecureStore.AFTER_FIRST_UNLOCK } as the second parameter to each deleteItemAsync call.
      await SecureStore.deleteItemAsync(ACCESS_TOKEN_KEY);
      await SecureStore.deleteItemAsync(REFRESH_TOKEN_KEY);
      await SecureStore.deleteItemAsync(EXPIRES_AT_KEY);
      await SecureStore.deleteItemAsync(TOKEN_CREATED_AT_KEY);
      await SecureStore.deleteItemAsync(CODE_VERIFIER_KEY);
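
The failure this PR fixes, reproduced against a small model of keychain accessibility classes. This is an added example, not code from the PR or from expo-secure-store: `KeychainModel`, `readable`, `backgroundRead`, `TOKEN_OPTIONS` and the key strings are assumptions made for illustration, and the model is synchronous where the real calls are async.

```typescript
// Constructed model of iOS keychain accessibility; not expo-secure-store itself.
type Accessible = "WHEN_UNLOCKED" | "AFTER_FIRST_UNLOCK";
type DeviceState = "before_first_unlock" | "locked" | "unlocked";
type Options = { keychainAccessible?: Accessible };
type Outcome = "ok" | "keychain_locked";

// Key names are placeholders; the PR shows only the constant identifiers.
const TOKEN_KEYS = ["ACCESS_TOKEN_KEY", "REFRESH_TOKEN_KEY", "EXPIRES_AT_KEY",
  "TOKEN_CREATED_AT_KEY", "CODE_VERIFIER_KEY"];
// One shared options object so every call site uses the same class.
const TOKEN_OPTIONS: Options = { keychainAccessible: "AFTER_FIRST_UNLOCK" };

// Whether the class key protecting an item is available in a given device state.
function readable(cls: Accessible, state: DeviceState): boolean {
  if (state === "unlocked") return true;
  return cls === "AFTER_FIRST_UNLOCK" && state === "locked";
}

class KeychainModel {
  state: DeviceState = "unlocked";
  private items: Record<string, { value: string; cls: Accessible }> = {};

  setItem(key: string, value: string, opts: Options = {}): void {
    // Default class as stated in the PR description.
    const cls = opts.keychainAccessible || "WHEN_UNLOCKED";
    this.items[key] = { value, cls };
  }

  // Model assumption: the class recorded at write time decides readability.
  getItem(key: string): string | null {
    const item = this.items[key];
    if (!item) return null;
    if (!readable(item.cls, this.state)) throw new Error("keychain locked: " + key);
    return item.value;
  }
}

// Log in while unlocked, then let a background task read tokens in `wakeState`.
function backgroundRead(opts: Options, wakeState: DeviceState): Outcome {
  const kc = new KeychainModel();
  for (const key of TOKEN_KEYS) kc.setItem(key, "constructed-value", opts);
  kc.state = wakeState;
  try {
    for (const key of TOKEN_KEYS) kc.getItem(key);
    return "ok";
  } catch {
    return "keychain_locked";
  }
}
```

With the default class the background read fails on a locked device; with `TOKEN_OPTIONS` it succeeds once the device has been unlocked at least once since boot. A task that wakes after a reboot and before that first unlock still cannot read the tokens, so the read failure remains a case the caller has to handle.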

@thedev132 thedev132 marked this pull request as ready for review October 29, 2025 05:52
@thedev132 thedev132 requested a review from a team as a code owner October 29, 2025 05:52
@thedev132 thedev132 merged commit 2423d79 into main Oct 29, 2025
6 checks passed
@thedev132 thedev132 deleted the seer/securestore-keychain-access branch November 3, 2025 03:00