LARightStore
A container for data protected by a right.
Declaration
class LARightStore
Overview
Use an LARightStore along with an LARight to make secrets accessible only after certain conditions, including authentication, are met. Storing secrets this way lets you tie the availability of sensitive resources to the authorization status of the user.
The following stores a named access token behind the default authorization requirements:
func storeBackendAccessToken(_ token: Data) async throws {
    let loginRight = LARight()
    _ = try await LARightStore.shared.saveRight(loginRight, identifier: "access-token", secret: token)
}

The system stores your secret in the keychain and protects it with a unique key in the Secure Enclave. The system associates the key with your right and with an access control list that ensures that the data is only accessible after your access requirements are met.
You can retrieve stored secrets later using the right’s identifier:
func fetchBackendAccessToken() async throws -> Data {
    let loginRight = try await LARightStore.shared.right(forIdentifier: "access-token")
    // Authorize the right or else the secret is unavailable.
    try await loginRight.authorize(localizedReason: "Access sandcastle competition server")
    return try await loginRight.secret.rawData
}
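As an added example (not part of this documentation page), the same store-and-fetch pattern carried through the rest of the secret's lifecycle and with a stricter requirement than the default: the right is created with LARight(requirement:) and LAAuthenticationRequirement.biometryCurrentSet, so the Secure Enclave key, and with it the stored secret, becomes unusable if the enrolled biometrics change; deauthorize() drops the authorization as soon as the secret has been used, and removeRight(forIdentifier:) deletes the right and its keychain item at sign-out. Those three APIs belong to LocalAuthentication but are not shown on this page; the function names storeSessionToken, useSessionToken and clearSessionToken and the identifier "session-token" are chosen for this example.

```swift
import Foundation
import LocalAuthentication

// Identifier under which the right and its keychain item are stored.
// Chosen for this example, not taken from the original page.
let sessionTokenIdentifier = "session-token"

/// Stores a session token behind a biometric requirement bound to the
/// currently enrolled biometric set. Enrolling a new face or finger
/// invalidates the Secure Enclave key, so the old secret cannot be read
/// by anyone who changes the enrollment after the fact.
func storeSessionToken(_ token: Data) async throws {
    // Replace any right already stored under this identifier so a stale
    // secret never lingers; a "not found" error here is expected and ignored.
    try? await LARightStore.shared.removeRight(forIdentifier: sessionTokenIdentifier)

    let right = LARight(requirement: .biometryCurrentSet)
    _ = try await LARightStore.shared.saveRight(right,
                                                identifier: sessionTokenIdentifier,
                                                secret: token)
}

/// Authorizes the stored right, hands the secret to `body`, and
/// deauthorizes again so the authorization does not outlive its single use.
func useSessionToken<T>(reason: String,
                        _ body: (Data) async throws -> T) async throws -> T {
    let right = try await LARightStore.shared.right(forIdentifier: sessionTokenIdentifier)
    try await right.authorize(localizedReason: reason)
    // Runs when the function exits, whether `body` succeeds or throws.
    defer { Task { await right.deauthorize() } }

    let token = try await right.secret.rawData
    return try await body(token)
}

/// Deletes the right and its secret, for example when the user signs out,
/// so no protected copy of the token remains on the device.
func clearSessionToken() async throws {
    try await LARightStore.shared.removeRight(forIdentifier: sessionTokenIdentifier)
}
```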