identity/com.midnight.kuira.core.identity.auth/AuthorizationStore

AuthorizationStore

class AuthorizationStore(context: Context, keyManager: WalletKeyManager)

Encrypted local storage for authorization records.

Follows the same encryption pattern as SeedVault: AES-256-GCM with the master key from Android Keystore, atomic writes via temp-file-and-rename.

All read/write operations require pre-authenticated ciphers from BiometricGate. The Keystore master key is biometric-gated (per-use), so callers must obtain a cipher through biometric authentication before calling these methods.

Records are queryable by DID, credential ID, and revocation status. Revoked records are kept for audit trail — never deleted.

Constructors

AuthorizationStore

constructor(context: Context, keyManager: WalletKeyManager)

Types

Companion

object Companion

Functions

findActiveByDid

fun findActiveByDid(did: String, decryptCipher: Cipher? = null): List<AuthorizationRecord>

Finds all active (non-revoked) authorization records for a DID.

findById

fun findById(id: String, decryptCipher: Cipher? = null): AuthorizationRecord?

Finds a specific record by ID.

generateId

fun generateId(): String

Generates a unique ID for a new authorization record.

hasRecords

fun hasRecords(): Boolean

Whether any authorization records exist on disk.

listAll

fun listAll(decryptCipher: Cipher? = null): List<AuthorizationRecord>

Lists all records (active and revoked) for audit purposes.

prepareCipherForDecrypt

fun prepareCipherForDecrypt(): Cipher?

Creates a cipher initialized for decrypting the authorization store file.

revoke

@Synchronized

fun revoke(id: String, encryptCipher: Cipher, decryptCipher: Cipher? = null): Boolean

Revokes an authorization record.

save

@Synchronized

fun save(record: AuthorizationRecord, encryptCipher: Cipher)

Saves a new authorization record.

warmCache

fun warmCache(decryptCipher: Cipher)

Warms the cache by loading from disk. Call this during app startup while biometric auth is already available.