Auth Token Store
Component Detail
Description
Secure local storage adapter for OAuth tokens (Vipps, BankID) and Supabase session data. Uses Flutter Secure Storage to encrypt tokens at rest on device. Shared by all authentication flows.
auth-token-store
Summaries
The Auth Token Store is the security foundation that ensures user credentials for Vipps, BankID, and Supabase sessions are never exposed to unauthorized parties on the device. By encrypting all tokens at rest using the device's native secure enclave, the platform meets the security expectations of users who trust it with sensitive government-grade identity data. This component is shared across all authentication flows, meaning the security investment is made once and applied uniformly — reducing the risk of inconsistent credential handling that could create exploitable vulnerabilities. A single, well-audited credential storage layer also simplifies compliance reporting and security reviews, lowering the cost of demonstrating data protection to regulatory bodies and enterprise customers.
Auth Token Store is a low-complexity, shared infrastructure component, but its shared nature means it is on the critical path for every authentication-related feature team. Any breaking change to its interfaces — such as adding a new provider or changing the storage key schema — requires coordinated updates across all consuming flows. The dependency on `secure-storage-adapter` should be validated early; if that adapter requires platform-specific configuration (iOS Keychain entitlements, Android Keystore setup), these must be completed before any authentication flows can be tested on device. Because this component is mobile-only, backend QA pipelines cannot exercise it directly — device or emulator test runs are required.
Prioritize delivery early in the sprint cycle so authentication feature teams are unblocked.
Auth Token Store wraps Flutter Secure Storage with a typed, provider-scoped interface. Tokens are keyed by provider string (e.g., 'vipps', 'bankid', 'supabase'), enabling isolated clear operations via `clearProvider()` without affecting other sessions. The PKCE `storeCodeVerifier`/`getCodeVerifier` pair supports the OAuth 2.0 PKCE flow — the verifier must be written before launching the browser redirect and read after the callback; ensure the calling flow does not call `clearAll()` between these steps. Flutter Secure Storage delegates to iOS Keychain and Android EncryptedSharedPreferences — verify `iCloudSync: false` is set on iOS to prevent token sync to iCloud backup.
The `clearAll()` method should be called on explicit sign-out and on session expiry detection. Consider adding a `hasToken(provider)` helper to avoid null-check patterns at call sites.
Responsibilities
- Write and read OAuth access/refresh tokens to Flutter Secure Storage
- Store PKCE code verifier during OAuth flow
- Clear all stored credentials on sign-out
- Provide typed accessors for each token type
Interfaces
storeAccessToken(provider: String, token: String): Future<void>
getAccessToken(provider: String): Future<String?>
storeRefreshToken(provider: String, token: String): Future<void>
getRefreshToken(provider: String): Future<String?>
storeCodeVerifier(verifier: String): Future<void>
getCodeVerifier(): Future<String?>
clearAll(): Future<void>
clearProvider(provider: String): Future<void>