feat: allow user to enable local device authentication
Added support for local device authentication, by default this option defaults to false.
This closes #248
Hello @gabrielecabrini
This looks good to me, only a couple of things that might be improved imo (please consider that I've never used the local_auth package and my assumptions might be wrong!)
- I've noticed that `if (!didAuthenticate) return;` it just stops the execution by exiting from `main()` and the app remains on the splash screen. Wouldn't it be better if the app was closed altogether when the user fails to authenticate? In my test I've just tried to tap outside of the authentication bottom sheet. See attached recording. I did some googling and it seems like the preferred method for terminating the app from the code is `SystemChannels.platform.invokeMethod('SystemNavigator.pop');`, docs here.
  Also, apparently, Apple does not allow for the developer to terminate the app programmatically from the code (you could do it by calling `exit(0)` but Apple might take the app down from the AppStore for this reason, so I think it's better if we don't try that 😅). Another option that might be used on iOS is to move the app to the background if the authentication fails. But I don't know how the app behaves when the authentication fails on iOS, I have only tested on Android.
- The second thing is: I've noticed the `pubspec.lock` contains lots of new additions. Besides the obvious `local_auth` dependencies which have to be there, are the others all transitive dependencies from `local_auth`? I've had a look at the dependencies of `local_auth` from its pub.dev page (you can find this section at the end of the right info panel) and I can't match them with the ones that are being added here. Could you please double check that all of the other dependencies added to the `pubspec.lock` are required?
https://github.com/user-attachments/assets/9a39500d-b77d-41a2-801e-cef9218b8856
Hi, I don't think that's a valid thing to close / background the app if the authentication goes wrong, we could add a route saying "Authentication required" with a button that will retry authentication, like WhatsApp does for example.
For the pubspec.lock file, I think that's just its dependencies
I think that a page that lets the user retry the authentication would definitely be better 👍
@federicopozzato is it worth discussing this as well in today's UI/UX meeting?
For instance, this is how the page I want to implement looks on WhatsApp
Thanks for providing this example. I think it would be best to wait for inputs from the design team on this 👍
@bongio94 Just added to the design backlog draft ;) Yes, we are going to talk about it for sure, and if you can be in the meeting it will be awesome. So we can map all the cases, screens and behaviour needed for this feature.
I don't know if I'll make it for this evening meeting 🙁
Sorry I couldn't make it to the meeting, I'm waiting for info about that page :)
Hi, this feature is very interesting. Is there any update? Do you need some help to implement this feature @gabrielecabrini? Thanks :)
I think we're waiting for the design team for this
Yes, sorry guys, we are a bit late with this, and I don't think it will be ready soon
Hi @gabrielecabrini 👋 We recently merged a PR that changed the folder structure, which caused some conflicts here. When you get a chance, could you take a look and resolve them?
If there’s no response in the next 15 days, we’ll consider this PR inactive and plan to close it to keep things tidy.
Thanks!
Sure, no problem
I've fixed the issue. The `isDeviceSupported()` method returns false if the device hasn't any sort of authentication in place, be it biometrics or PIN.
I can't test it right now on iOS, but this will also allow iOS to bypass auth if not present
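The retry screen proposed earlier in the thread, combined with the `isDeviceSupported()` behaviour described in the comment above, as an added example that is not part of this PR's code. `AuthGate`, its strings and its wiring are hypothetical; only `isDeviceSupported()` and `authenticate()` come from the `local_auth` package.

```dart
import 'package:flutter/material.dart';
import 'package:local_auth/local_auth.dart';

/// Hypothetical gate (not the PR's code): shows [child] only after local auth.
class AuthGate extends StatefulWidget {
  const AuthGate({super.key, required this.child});
  final Widget child;
  @override
  State<AuthGate> createState() => _AuthGateState();
}

class _AuthGateState extends State<AuthGate> {
  final _auth = LocalAuthentication();
  bool _unlocked = false, _busy = false;

  @override
  void initState() {
    super.initState();
    // Prompt once the first frame (the locked screen) is on display.
    WidgetsBinding.instance.addPostFrameCallback((_) => _tryUnlock());
  }

  Future<void> _tryUnlock() async {
    if (_busy) return;
    setState(() => _busy = true);
    var ok = false;
    try {
      // No PIN or biometrics enrolled: skip the prompt, as the thread describes.
      ok = !(await _auth.isDeviceSupported()) ||
          await _auth.authenticate(localizedReason: 'Unlock the app');
    } on Exception {
      ok = false; // Fail closed: a plugin error never unlocks the app.
    }
    if (!mounted) return;
    setState(() { _unlocked = ok; _busy = false; });
  }

  @override
  Widget build(BuildContext context) {
    if (_unlocked) return widget.child;
    return Scaffold(
      body: Center(
        child: Column(mainAxisSize: MainAxisSize.min, children: [
          const Text('Authentication required'),
          ElevatedButton(
              onPressed: _busy ? null : _tryUnlock, child: const Text('Retry')),
        ]),
      ),
    );
  }
}
```

Because the gate is a widget rather than an early `return` in `main()`, a dismissed or failed prompt leaves the user on a locked screen with a retry button instead of on the splash screen.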
Understood, I'll look for someone with an iOS device that could review this as well 😉
Tested on physical iPhone, iOS 18.6.2. When auth is enabled, I have no feedback from the app. I must manually kill the app, also from background, and reopen. Then Sossoldi asked for permissions to use Face ID, and correctly opens the app when biometric authentication matched, while it remains in the splash screen when failed.
If this is the intended behavior, then I think that it works!