Fix biometric wallet auth and DC API Chrome compatibility #521

Open
Wicpar wants to merge 3 commits into animo:main from APTITUDE-Consortium:fix/biometric-single-source-of-truth
Wicpar commented Apr 17, 2026

What changed

This PR centralizes wallet flow authorization around shared PIN/biometric components and helpers:

  • Adds reusable WalletPinPrompt, WalletFlowAuthPrompt, and flow authorization helpers.
  • Replaces duplicated PIN/auth slides and dead biometric/PIN utilities across unlock, issuance, presentation, offline, and DC API flows.
  • Keeps Cloud HSM authorization PIN-only and clears the flow-scoped WSP PIN after use.
  • Uses biometric unlock where available for normal wallet flow authorization instead of asking for PIN by default.
  • Shows DC-API flow errors in the wallet sheet instead of immediately closing the UI, with debug details in development mode.

It also updates the SDK Digital Credentials API handling for current Chrome compatibility:

  • Reads the newer Chrome request payload locations and selected credential metadata.
  • Sends the response as the expected { protocol, data } envelope.
  • Handles dc_api.jwt by returning the nested response string shape Chrome expects.

Why

The biometric/PIN behavior had drifted across flows. Centralizing the auth prompt and authorization policy makes one-auth-per-flow behavior easier to maintain and avoids separate implementations for OpenID, offline, and DC API presentations.

The DC API update is required because newer Chrome versions reject the older response/request structure. Without the compatibility update, Chrome will refuse wallet responses even when credential selection and signing succeed. When a DC-API request fails before a valid response can be built, the user now gets the same style of error surface as other VP flows instead of a silent close.

Validation

  • pnpm exec biome check --unsafe apps/easypid/src/features/share/DcApiSharingScreen.tsx apps/easypid/src/features/receive/slides/InteractionErrorSlide.tsx
  • pnpm types:check
  • git diff --check upstream/main..HEAD
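
The authorization policy this PR describes (PIN-only for Cloud HSM, biometric where available otherwise, flow-scoped PIN cleared after use), sketched as an added example that is not code from the PR or the project. `selectAuthMethod`, `FlowScopedPin` and the context fields are hypothetical names, and the PIN values are constructed.

```typescript
// Hypothetical sketch; names and shapes are assumptions, not the PR's helpers.
type AuthMethod = "pin" | "biometric";

interface FlowAuthContext {
  usesCloudHsm: boolean;       // flow needs Cloud HSM (WSP) authorization
  biometricAvailable: boolean; // biometric unlock is usable on this device
}

// One policy decision shared by every flow, instead of one per screen.
function selectAuthMethod(ctx: FlowAuthContext): AuthMethod {
  if (ctx.usesCloudHsm) return "pin"; // Cloud HSM authorization stays PIN-only
  return ctx.biometricAvailable ? "biometric" : "pin";
}

// Holds a PIN for exactly one flow and drops it after the first use.
class FlowScopedPin {
  private pin: string | null;

  constructor(pin: string) {
    this.pin = pin;
  }

  get isCleared(): boolean {
    return this.pin === null;
  }

  // Runs `op` with the PIN, then clears it whether `op` returned or threw.
  use<T>(op: (pin: string) => T): T {
    if (this.pin === null) {
      throw new Error("PIN already consumed for this flow");
    }
    try {
      return op(this.pin);
    } finally {
      // JS strings cannot be zeroed in place; this only drops the reference
      // so later steps of the flow cannot reuse the PIN.
      this.pin = null;
    }
  }
}
```

Clearing in `finally` matters for the failure path: a rejected HSM call must not leave the PIN available to a retry that the user did not authorize.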

Wicpar changed the title [codex] Fix biometric unlock state handling Fix biometric unlock state handling Apr 17, 2026
Wicpar force-pushed the fix/biometric-single-source-of-truth branch from a946504 to 110a794 Compare April 17, 2026 21:10
Wicpar marked this pull request as ready for review April 17, 2026 21:12
Wicpar commented Apr 17, 2026

@TimoGlastra I have manually reviewed the changes as well as tested the changed flows. You can drop the second commit that just handles some errors more cleanly, as it is a bit iffy in error detection.

Wicpar force-pushed the fix/biometric-single-source-of-truth branch from 8a3e320 to cbbbf5e Compare April 24, 2026 15:36
Wicpar changed the title Fix biometric unlock state handling Fix biometric wallet auth and DC API Chrome compatibility Apr 24, 2026