fix: replace go-touchid to support fallback when biometrics are not available #69
Conversation
|
Thanks, are you maintaining that library @noamcohen97? Looks like it's not a fork, but an improved implementation. |
|
Yes! I wrote it because I couldn't find any library that is context-aware, supports multiple policies, and parses error codes. |
|
Thanks for reviewing @mbevc1 ! |
|
Hey, @noamcohen97 have you tried compiling for Darwin Arm? Seems Homebrew is hitting this one: https://github.com/Homebrew/homebrew-core/actions/runs/22149824417/job/64038209199?pr=268190#step:3:127 |
|
Thanks, merging now! |
|
I will bump the Homebrew formula as soon as a fixed version of aws-vault is released. |
|
No worries @noamcohen97 and thanks for a quick response. homebrew should be picking it up shortly |
|
I figured that the patch must be removed |
|
Yes, we should remove that now |
|
Awesome, great stuff! ⭐ |
Summary
Replace github.com/lox/go-touchid with github.com/noamcohen97/touchid-go to fix authentication failures when Touch ID is unavailable (e.g. MacBook lid closed, biometrics not enrolled).
Issues in current library
The old library (lox/go-touchid) has several issues:
LAPolicyDeviceOwnerAuthenticationWithBiometrics, which requires biometric hardware to be available and enrolled. When Touch ID is unavailable (e.g. screen closed, no biometric sensor), canEvaluatePolicy returns false and the library provides no fallback.
canEvaluatePolicy returns false, the code skips the evaluatePolicy call but still calls dispatch_semaphore_wait, which blocks forever since no one signals the semaphore.
The new library (noamcohen97/touchid-go) avoids all of the above - it properly manages LAContext lifecycle, returns early on canEvaluatePolicy failure, and lets the caller configure the LAPolicy.
This PR uses DeviceOwnerAuthentication to allow the system to fall back to the device passcode/password when biometrics are unavailable. Just like advised in the Apple documentation:
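Added example, not part of the PR description and not code from either library: a pure-Go model of the control flow described under "Issues in current library", with a channel standing in for the dispatch semaphore. `Policy`, `device`, `oldAuth`, `fixedAuth` and the `demoLimit` parameter are hypothetical names; `demoLimit` exists only so the demonstration returns instead of blocking forever as the real wait would.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Policy int // models the LAPolicy values named in the PR; no cgo, no real LocalAuthentication call

const (
	WithBiometrics Policy = iota // LAPolicyDeviceOwnerAuthenticationWithBiometrics
	DeviceOwner                  // DeviceOwnerAuthentication: passcode/password fallback allowed
)

type device struct{ biometrics bool } // constructed stand-in for LAContext

func (d device) canEvaluate(p Policy) bool { return p == DeviceOwner || d.biometrics }
// evaluate replies asynchronously, like evaluatePolicy's reply block (this model always approves).
func (d device) evaluate(p Policy, reply func(ok bool)) { go reply(true) }

var errUnavailable = errors.New("policy cannot be evaluated")
var errStillWaiting = errors.New("no reply: the real semaphore wait would block forever")

// oldAuth has the described flaw: it waits for a reply even when evaluate was skipped.
func oldAuth(d device, p Policy, demoLimit time.Duration) error {
	done := make(chan bool, 1)
	if d.canEvaluate(p) {
		d.evaluate(p, func(ok bool) { done <- ok })
	}
	select {
	case <-done:
		return nil
	case <-time.After(demoLimit): // demo-only bound; the flawed code has no timeout
		return errStillWaiting
	}
}

// fixedAuth returns early instead of waiting for a reply that can never arrive.
func fixedAuth(d device, p Policy, demoLimit time.Duration) error {
	if !d.canEvaluate(p) {
		return errUnavailable
	}
	return oldAuth(d, p, demoLimit)
}

func main() {
	lidClosed, limit := device{biometrics: false}, 200*time.Millisecond
	fmt.Println(oldAuth(lidClosed, WithBiometrics, limit), fixedAuth(lidClosed, WithBiometrics, limit), fixedAuth(lidClosed, DeviceOwner, limit))
}
```

With the lid-closed device, the biometrics-only policy hangs in the old flow, fails fast in the fixed flow, and succeeds once the policy permits the passcode fallback.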