feat: Authentication bypass via biometric enrollment change

.maestro/scripts/data-setup.js

@@ -263,5 +263,6 @@ output.utils = {
     post,
     login,
     getDeepLink,
-    createDM
+    createDM,
+    sleep
 };

.maestro/tests/assorted/screen-lock.yaml

@@ -0,0 +1,240 @@
+appId: ${APP_ID}
+name: Screen Lock
+onFlowStart:
+  - runFlow: '../../helpers/setup.yaml'
+onFlowComplete:
+  - evalScript: ${output.utils.deleteCreatedUsers()}
+tags:
+  - test-8
+
+---
+- evalScript: ${output.user = output.utils.createUser()}
+- runFlow:
+    file: '../../helpers/login-with-deeplink.yaml'
+    env:
+      USERNAME: ${output.user.username}
+      PASSWORD: ${output.user.password}
+
+# Navigate to Screen Lock config
+- extendedWaitUntil:
+    visible:
+      id: 'rooms-list-view'
+    timeout: 60000
+- tapOn:
+    id: 'rooms-list-view-sidebar'
+- extendedWaitUntil:
+    visible:
+      id: 'sidebar-settings'
+    timeout: 60000
+- tapOn:
+    id: 'sidebar-settings'
+- extendedWaitUntil:
+    visible:
+      id: 'settings-view-security-privacy'
+    timeout: 60000
+- tapOn:
+    id: 'settings-view-security-privacy'
+- extendedWaitUntil:
+    visible:
+      id: 'security-privacy-view-screen-lock'
+    timeout: 60000
+- tapOn:
+    id: 'security-privacy-view-screen-lock'
+- extendedWaitUntil:
+    visible:
+      id: 'screen-lock-config-view'
+    timeout: 60000
+
+# Enable "Unlock with passcode" -> opens PasscodeChoose
+- tapOn:
+    id: 'screen-lock-config-view-auto-lock'
+- extendedWaitUntil:
+    visible:
+      id: 'passcode-button-1'
+    timeout: 60000
+
+# Choose passcode 123456
+- tapOn:
+    id: 'passcode-button-1'
+- tapOn:
+    id: 'passcode-button-2'
+- tapOn:
+    id: 'passcode-button-3'
+- tapOn:
+    id: 'passcode-button-4'
+- tapOn:
+    id: 'passcode-button-5'
+- tapOn:
+    id: 'passcode-button-6'
+
+# Confirm passcode 123456
+- extendedWaitUntil:
+    visible:
+      text: 'Confirm your new passcode'
+    timeout: 60000
+- tapOn:
+    id: 'passcode-button-1'
+- tapOn:
+    id: 'passcode-button-2'
+- tapOn:
+    id: 'passcode-button-3'
+- tapOn:
+    id: 'passcode-button-4'
+- tapOn:
+    id: 'passcode-button-5'
+- tapOn:
+    id: 'passcode-button-6'
+
+# Back on Screen Lock config; choose "After 1 minute"
+- extendedWaitUntil:
+    visible:
+      id: 'screen-lock-config-view-auto-lock-time-60'
+    timeout: 60000
+- tapOn:
+    id: 'screen-lock-config-view-auto-lock-time-60'
+
+# Background the app, wait past the auto-lock interval, relaunch
+- pressKey: Home
+- evalScript: ${output.utils.sleep(60000)}
+- launchApp:
+    appId: ${APP_ID}
+
+# Screen Lock modal must appear; unlock with current passcode
+- extendedWaitUntil:
+    visible:
+      id: 'passcode-button-1'
+    timeout: 60000
+- tapOn:
+    id: 'passcode-button-1'
+- tapOn:
+    id: 'passcode-button-2'
+- tapOn:
+    id: 'passcode-button-3'
+- tapOn:
+    id: 'passcode-button-4'
+- tapOn:
+    id: 'passcode-button-5'
+- tapOn:
+    id: 'passcode-button-6'
+
+# After unlock, we land back on Screen Lock config. Tap "Change passcode"
+- extendedWaitUntil:
+    visible:
+      id: 'rooms-list-view'
+    timeout: 60000
+- tapOn:
+    id: 'rooms-list-view-sidebar'
+- extendedWaitUntil:
+    visible:
+      id: 'sidebar-settings'
+    timeout: 60000
+- tapOn:
+    id: 'sidebar-settings'
+- extendedWaitUntil:
+    visible:
+      id: 'settings-view-security-privacy'
+    timeout: 60000
+- tapOn:
+    id: 'settings-view-security-privacy'
+- extendedWaitUntil:
+    visible:
+      id: 'security-privacy-view-screen-lock'
+    timeout: 60000
+- tapOn:
+    id: 'security-privacy-view-screen-lock'
+- extendedWaitUntil:
+    visible:
+      id: 'screen-lock-config-view'
+    timeout: 60000
+- extendedWaitUntil:
+    visible:
+      id: 'screen-lock-config-view-change-passcode'
+    timeout: 60000
+- tapOn:
+    id: 'screen-lock-config-view-change-passcode'
+
+# Re-authenticate with current passcode (autoLock is on -> handleLocalAuthentication)
+- extendedWaitUntil:
+    visible:
+      id: 'passcode-button-1'
+    timeout: 60000
+- tapOn:
+    id: 'passcode-button-1'
+- tapOn:
+    id: 'passcode-button-2'
+- tapOn:
+    id: 'passcode-button-3'
+- tapOn:
+    id: 'passcode-button-4'
+- tapOn:
+    id: 'passcode-button-5'
+- tapOn:
+    id: 'passcode-button-6'
+
+# Now the ChangePasscodeView (PasscodeChoose) opens; choose new passcode 3455678
+- extendedWaitUntil:
+    visible:
+      text: 'Choose your new passcode'
+    timeout: 60000
+- tapOn:
+    id: 'passcode-button-3'
+- tapOn:
+    id: 'passcode-button-4'
+- tapOn:
+    id: 'passcode-button-5'
+- tapOn:
+    id: 'passcode-button-6'
+- tapOn:
+    id: 'passcode-button-7'
+- tapOn:
+    id: 'passcode-button-8'
+
+# Confirm new passcode 3455678
+- extendedWaitUntil:
+    visible:
+      text: 'Confirm your new passcode'
+    timeout: 60000
+- tapOn:
+    id: 'passcode-button-3'
+- tapOn:
+    id: 'passcode-button-4'
+- tapOn:
+    id: 'passcode-button-5'
+- tapOn:
+    id: 'passcode-button-6'
+- tapOn:
+    id: 'passcode-button-7'
+- tapOn:
+    id: 'passcode-button-8'
+
+# Modal closes; we are back on the Screen Lock config screen
+- extendedWaitUntil:
+    visible:
+      id: 'screen-lock-config-view'
+    timeout: 60000
+- assertVisible:
+    id: 'screen-lock-config-view-change-passcode'
+
+# Background the app, wait past the auto-lock interval, relaunch
+- pressKey: Home
+- evalScript: ${output.utils.sleep(60000)}
+- launchApp:
+    appId: ${APP_ID}
+
+# Screen Lock modal must appear; unlock with current passcode
+- extendedWaitUntil:
+    visible:
+      id: 'passcode-button-3'
+    timeout: 60000
+- tapOn:
+    id: 'passcode-button-3'
+- tapOn:
+    id: 'passcode-button-4'
+- tapOn:
+    id: 'passcode-button-5'
+- tapOn:
+    id: 'passcode-button-6'
+- tapOn:
+    id: 'passcode-button-7'
+- tapOn:
+    id: 'passcode-button-8'

app/containers/Passcode/PasscodeEnter.test.tsx

@@ -0,0 +1,114 @@
+import React from 'react';
+import { fireEvent, render, waitFor } from '@testing-library/react-native';
+
+import PasscodeEnter from './PasscodeEnter';
+import { biometryAuth } from '../../lib/methods/helpers/localAuthentication';
+import { biometricTrustStore } from '../../lib/biometricTrustStore';
+import UserPreferences from '../../lib/methods/userPreferences';
+import { BIOMETRY_ENABLED_KEY } from '../../lib/constants/localAuthentication';
+
+jest.mock('../../lib/methods/helpers/localAuthentication', () => ({
+	biometryAuth: jest.fn(),
+	resetAttempts: jest.fn(() => Promise.resolve())
+}));
+
+jest.mock('../../lib/biometricTrustStore', () => ({
+	biometricTrustStore: {
+		enrol: jest.fn(),
+		disenrol: jest.fn(() => Promise.resolve()),
+		verify: jest.fn(),
+		probeExists: jest.fn()
+	}
+}));
+
+jest.mock('../../lib/methods/userPreferences', () => ({
+	__esModule: true,
+	default: {
+		getBool: jest.fn(),
+		setBool: jest.fn(),
+		getString: jest.fn(),
+		setString: jest.fn()
+	},
+	useUserPreferences: () => [null, jest.fn()]
+}));
+
+jest.mock('../../i18n', () => ({ t: (key: string) => key }));
+
+const mockedBiometryAuth = biometryAuth as jest.Mock;
+const mockedDisenrol = biometricTrustStore.disenrol as jest.Mock;
+const mockedSetBool = UserPreferences.setBool as jest.Mock;
+
+describe('PasscodeEnter biometry button', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		mockedDisenrol.mockResolvedValue(undefined);
+	});
+
+	it('enrollmentChanged from button press → disenrols, clears flag, hides biometry button', async () => {
+		mockedBiometryAuth.mockResolvedValueOnce({ kind: 'enrollmentChanged' });
+		const finishProcess = jest.fn();
+
+		const { getByTestId, queryByTestId } = render(<PasscodeEnter hasBiometry skipAutoBiometry finishProcess={finishProcess} />);
+
+		await waitFor(() => expect(getByTestId('biometry-button')).toBeTruthy());
+
+		fireEvent.press(getByTestId('biometry-button'));
+
+		await waitFor(() => expect(mockedDisenrol).toHaveBeenCalledTimes(1));
+		expect(mockedSetBool).toHaveBeenCalledWith(BIOMETRY_ENABLED_KEY, false);
+		expect(finishProcess).not.toHaveBeenCalled();
+		await waitFor(() => expect(queryByTestId('biometry-button')).toBeNull());
+	});
+
+	it('success from button press → finishes process, no invalidation', async () => {
+		mockedBiometryAuth.mockResolvedValueOnce({ kind: 'success' });
+		const finishProcess = jest.fn();
+
+		const { getByTestId } = render(<PasscodeEnter hasBiometry skipAutoBiometry finishProcess={finishProcess} />);
+
+		await waitFor(() => expect(getByTestId('biometry-button')).toBeTruthy());
+
+		fireEvent.press(getByTestId('biometry-button'));
+
+		await waitFor(() => expect(finishProcess).toHaveBeenCalledTimes(1));
+		expect(mockedDisenrol).not.toHaveBeenCalled();
+		expect(mockedSetBool).not.toHaveBeenCalled();
+	});
+
+	it('canceled from button press → flag untouched, biometry button stays', async () => {
+		mockedBiometryAuth.mockResolvedValueOnce({ kind: 'canceled' });
+		const finishProcess = jest.fn();
+
+		const { getByTestId } = render(<PasscodeEnter hasBiometry skipAutoBiometry finishProcess={finishProcess} />);
+
+		await waitFor(() => expect(getByTestId('biometry-button')).toBeTruthy());
+
+		fireEvent.press(getByTestId('biometry-button'));
+
+		await waitFor(() => expect(mockedBiometryAuth).toHaveBeenCalled());
+		expect(mockedDisenrol).not.toHaveBeenCalled();
+		expect(mockedSetBool).not.toHaveBeenCalled();
+		expect(finishProcess).not.toHaveBeenCalled();
+		expect(getByTestId('biometry-button')).toBeTruthy();
+	});
+});
+
+describe('PasscodeEnter enrollmentChanged subtitle', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('renders explanatory subtitle when reason === "enrollmentChanged"', () => {
+		const { getByText } = render(
+			<PasscodeEnter hasBiometry={false} skipAutoBiometry reason='enrollmentChanged' finishProcess={jest.fn()} />
+		);
+
+		expect(getByText('Local_authentication_biometric_enrollment_changed')).toBeTruthy();
+	});
+
+	it('does not render subtitle when reason is undefined', () => {
+		const { queryByText } = render(<PasscodeEnter hasBiometry={false} skipAutoBiometry finishProcess={jest.fn()} />);
+
+		expect(queryByText('Local_authentication_biometric_enrollment_changed')).toBeNull();
+	});
+});