Skip to content

fix(android): report weak-only biometrics as unavailable for strong auth#91

Merged
riderx merged 3 commits into
Cap-go:mainfrom
Lukhaas25:fix-android-weak-biometric-availability
Jun 16, 2026
Merged

fix(android): report weak-only biometrics as unavailable for strong auth#91
riderx merged 3 commits into
Cap-go:mainfrom
Lukhaas25:fix-android-weak-biometric-availability

Conversation

@Lukhaas25

@Lukhaas25 Lukhaas25 commented May 20, 2026

Copy link
Copy Markdown

What

  • Align Android isAvailable() with verifyIdentity() by requiring BIOMETRIC_STRONG unless fallback is requested and available.
  • Keep weak biometric methods visible through biometryType/authenticationStrength docs, but avoid returning isAvailable=true for weak-only face unlock paths that cannot satisfy the strong CryptoObject prompt.
  • Regenerate README API docs from src/definitions.ts.

Why

How

  • Removed the weak-biometric branch that set isAvailable=true in the Android availability check.
  • Documented the Android strong-biometric behavior on AvailableResult.isAvailable.

Testing

  • bun install --frozen-lockfile
  • bun run verify:web
  • git diff --check

Not Tested

  • Android Gradle tests locally: blocked by missing Android SDK/ANDROID_HOME in this Windows environment.

AI-assisted with Codex; I reviewed the patch and kept it scoped.

Summary by CodeRabbit

  • Bug Fixes

    • Corrected biometric availability detection on Android to properly require strong biometrics for cryptographic operations.
  • Documentation

    • Updated API documentation to clarify platform-specific behavior of availability checks and fallback authentication options, particularly for Android devices.

@coderabbitai

coderabbitai Bot commented May 20, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 346b275c-25ff-4010-a72b-e9fe2cd1f01b

📥 Commits

Reviewing files that changed from the base of the PR and between c5ff15b and bd75d8d.

📒 Files selected for processing (1)
  • README.md
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • Cap-go/capacitor-updater (manual)

📝 Walkthrough

Walkthrough

Removes the Android code path that treated weak-only biometrics as sufficient to set isAvailable = true. Updates TypeScript JSDoc and README to document that verifyIdentity() uses a CryptoObject backed by BIOMETRIC_STRONG, that weak-only devices will not satisfy isAvailable, and that useFallback behavior differs between isAvailable() and verifyIdentity() on Android.

Changes

Android Strong-Biometric Availability Enforcement

Layer / File(s) Summary
Android availability logic and TypeScript JSDoc
android/src/main/java/ee/forgr/biometric/NativeBiometric.java, src/definitions.ts
Removed the 3-line branch in checkBiometryAvailability() that set AUTH_STRENGTH_WEAK and isAvailable = true when only weak biometrics were present. JSDoc for IsAvailableOptions.useFallback and AvailableResult.isAvailable expanded with Android BIOMETRIC_STRONG CryptoObject semantics and per-method fallback behavior.
README API documentation
README.md
Property table rows for isAvailable and useFallback rewritten to match the new behavior: weak-only biometrics excluded from isAvailable, useFallback honored by isAvailable() but ignored by verifyIdentity() on Android due to BiometricPrompt constraints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main fix: aligning Android's biometric availability reporting to require strong authentication unless fallback is used, directly addressing the core issue.
Linked Issues check ✅ Passed The PR changes align with issue #56 requirements: weak-only biometrics no longer report as available for strong auth, and isAvailable() now matches verifyIdentity() behavior, preventing false positives.
Out of Scope Changes check ✅ Passed All changes (native logic, TypeScript definitions, and documentation) directly support the core objective of fixing weak-biometric availability reporting and aligning platform behavior as specified in issue #56.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown

Beta npm build

This PR comes from a fork, so beta publish is disabled for security.

If you need a beta package, move the branch into this repository first.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/definitions.ts`:
- Around line 79-86: Update the IsAvailableOptions.useFallback doc to state that
useFallback affects isAvailable() on Android but is ignored for
verifyIdentity(): change the lines describing IsAvailableOptions.useFallback
(referencing IsAvailableOptions.useFallback) to note that on Android useFallback
will be considered by isAvailable() (see isAvailable()) because the native code
computes fallbackAvailable = useFallback && deviceIsSecure in
NativeBiometric.java, but the BiometricPrompt-based verifyIdentity() flow does
not support fallback (so useFallback is ignored for verifyIdentity()). Ensure
the wording clearly distinguishes the two behaviors (availability vs
authentication) and removes the current claim that the option is entirely
ignored on Android.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 21d8fc7f-c25a-49a7-9696-e3f718fed0c4

📥 Commits

Reviewing files that changed from the base of the PR and between f94b2a3 and 212bdeb.

📒 Files selected for processing (3)
  • README.md
  • android/src/main/java/ee/forgr/biometric/NativeBiometric.java
  • src/definitions.ts
💤 Files with no reviewable changes (1)
  • android/src/main/java/ee/forgr/biometric/NativeBiometric.java

Comment thread src/definitions.ts
@Lukhaas25 Lukhaas25 force-pushed the fix-android-weak-biometric-availability branch from 212bdeb to f661c48 Compare May 20, 2026 16:59
@Lukhaas25 Lukhaas25 force-pushed the fix-android-weak-biometric-availability branch from f661c48 to 2db47cf Compare May 20, 2026 17:09
…antics

Distinguish availability vs authentication: on Android, useFallback is
honored by isAvailable() (fallbackAvailable = useFallback && deviceIsSecure)
but ignored by verifyIdentity() due to BiometricPrompt API constraints.

Addresses CodeRabbit review comment on PR Cap-go#91.
@Lukhaas25

Copy link
Copy Markdown
Author

Pushed a follow-up commit (c5ff15b) refining the IsAvailableOptions.useFallback JSDoc to address the CodeRabbit review note — now explicitly distinguishes the iOS vs Android behavior for isAvailable() vs verifyIdentity() and references the native fallbackAvailable = useFallback && deviceIsSecure check.

@riderx

riderx commented Jun 16, 2026

Copy link
Copy Markdown
Member

sorry i missed it ! can you check the conflicts?

# Conflicts:
#	.github/scripts/verify-packed-example.sh
#	example-app/package.json
@riderx riderx merged commit 3455777 into Cap-go:main Jun 16, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: Biometric Plugin not returning right value when Fingerprint not enabled on Android

2 participants