Vault Configuration
When your application creates a Vault on a device, the Vault sets an initial configuration. A Vault’s configuration can change during the lifetime of its use; for example, you may programmatically change a Vault’s type based on the biometric capabilities of a user’s device.
Changes made to a Vault’s configuration persist between sessions, and an existing Vault will not revert to the configuration set in the constructor.
How does the Vault constructor work?
The construction of a Vault object looks something like this:

```typescript
import { Vault, VaultType } from '@ionic-enterprise/identity-vault';

const vault = new Vault();
await vault.initialize({
  key: 'com.company.app.vault',
  type: VaultType.DeviceSecurity,
  /* Remaining configuration omitted for brevity */
});
```

However, this does not mean that a new Vault is created on a device each time this statement runs. Nor does this mean that the Vault configuration is updated every time this statement runs.
Internally, the Vault method await initialize(config: IdentityVaultConfig) returns a reference to an existing Vault on the device where the key equals the key value defined. Otherwise, it creates a new Vault on the device with the configuration passed into the initialize method.
How do Vault configurations persist?
Vaults exist on a device between app sessions, except in the case of Vaults configured to use VaultType.InMemory. Likewise, the configuration for a Vault persists between app sessions. An existing Vault will retain its current configuration for type and deviceSecurityType, ignoring these values if they are passed into the initialize method.
After your application creates a Vault, you can update its configuration by calling the updateConfig() method on the Vault reference object:

```typescript
await vault.updateConfig({
  ...vault.config,
  key: 'com.company.vault.app',
  type: VaultType.DeviceSecurity
});
```

Any configuration updates made to a Vault persist until one of the following conditions is met:
- The application is uninstalled from the device, removing the Vault.
- The Vault is removed by invoking the clear() method on the Vault.
- A Vault’s configuration is updated by calling the updateConfig() method on the Vault.
How to configure based on device hardware
As you develop your application, you’ll likely have to develop a strategy to dynamically configure one or more Vaults depending on the hardware capabilities of the end user’s device.
One strategy would be to create a Vault reference object with the least restrictive hardware measure allowed for your application:

```typescript
const vault = new Vault();
await vault.initialize({
  key: 'com.company.app.vault',
  type: VaultType.SecureStorage,
  /* Remaining configuration omitted for brevity */
});
```

Then use the Device API to determine the best Vault configuration for the end user:

```typescript
import { Device, DeviceSecurityType, Vault, VaultType } from '@ionic-enterprise/identity-vault';

const vault = new Vault();
await vault.initialize({
  key: 'com.company.app.vault',
  type: VaultType.SecureStorage,
  /* Remaining configuration omitted for brevity */
});

const isBiometricsEnabled = await Device.isBiometricsEnabled();

if (isBiometricsEnabled) {
  // updateConfig() is asynchronous; await it so the stronger type is in effect before the Vault is used.
  await vault.updateConfig({
    ...vault.config,
    type: VaultType.DeviceSecurity,
    deviceSecurityType: DeviceSecurityType.Both
  });
}
```

Understanding that the Vault will no longer use its initial configuration once created on the device, you can synchronously initialize a Vault then configure it after asynchronous events, such as your application’s sign-in process or an “opt-in to biometrics” button.
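
The persistence rules above have a practical consequence: shipping a release that passes a stricter type to initialize() does not tighten Vaults already on users' devices, so the change has to go through updateConfig(). The following is an added example, not code from this page or from the Identity Vault library; it is plain JavaScript that models only the behaviour stated on this page, and ModelVault, deviceStore, targetConfig and reconcile are hypothetical names.

```javascript
// Added example: an in-memory MODEL of the persistence rules described on this page.
// ModelVault and deviceStore are hypothetical stand-ins, not the Identity Vault library.
const VaultType = { SecureStorage: 'SecureStorage', DeviceSecurity: 'DeviceSecurity' };
const DeviceSecurityType = { Both: 'Both' };

const deviceStore = new Map(); // stands in for on-device storage that survives app sessions

class ModelVault {
  async initialize(config) {
    const persisted = deviceStore.get(config.key);
    // Existing Vault: persisted type and deviceSecurityType win over the values passed in.
    this.config = persisted
      ? { ...config, type: persisted.type, deviceSecurityType: persisted.deviceSecurityType }
      : { ...config };
    deviceStore.set(config.key, this.config);
  }
  async updateConfig(config) {
    this.config = { ...config };
    deviceStore.set(config.key, this.config);
  }
}

// Pure policy: upgrade to biometric protection when the device supports it,
// otherwise leave the persisted configuration untouched.
function targetConfig(current, biometricsEnabled) {
  if (!biometricsEnabled) return { ...current };
  return { ...current, type: VaultType.DeviceSecurity, deviceSecurityType: DeviceSecurityType.Both };
}

// Run on every launch: initialize, then bring the persisted config in line with policy.
// Returns true when updateConfig() had to be called.
async function reconcile(vault, baseConfig, biometricsEnabled) {
  await vault.initialize(baseConfig);
  const target = targetConfig(vault.config, biometricsEnabled);
  const drifted = target.type !== vault.config.type ||
    target.deviceSecurityType !== vault.config.deviceSecurityType;
  if (drifted) await vault.updateConfig(target);
  return drifted;
}
```

In a real application the same reconcile step would take its biometricsEnabled argument from Device.isBiometricsEnabled() and operate on a Vault instance from the library.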