This method was deprecated in favor of setAllowedAuthenticators (documentation, so all authentication methods need to be known here versus just a boolean indicating whether or not to allow device credentials. See changes below.

For API 30+, an authentication request can be made by specifying device credentials alone as an allowed authenticator. See documentation.

The docs for https://developer.android.com/reference/androidx/biometric/BiometricPrompt.PromptInfo.Builder#setDeviceCredentialAllowed(boolean) make it sound like all the fallback code we have here is already part of androidx.biometrics already. Can we eliminate all of this code and always just make a single sendAuthenticationRequest call?

I think you may be right. I definitely misunderstood the API and overcomplicated this :/ I'll make the changes and request your review again!

I added more error handling below based on the error messages of the new API. I changed some of the error messages, so let me know if those are magic strings and need to be changed back or added elsewhere.

I don't think we should consider the message itself to be API-stable, just the code. (Theoretically someone could be relying on it of course, but they shouldn't be.)

The functionality this added is covered by BiometricPrompt now. See documentation.

We should avoid using string-based APIs internally; we have to use them for platform channels, but in other scenarios we should stick to things that would provide compile-time correctness checks.

Stepping back a bit though, do we need this change at all? It looks like this is passing in the enrolled authentication, but I wouldn't expect that we would need to restrict by that, vs. just letting the system pick what's available. Why not keep the bool, and then use it to decide whether to add DEVICE_CREDENTIAL to the default of BIOMETRIC_WEAK | BIOMETRIC_STRONG?

Oh, yes, you're definitely right. Since it's just specifying the allowed authenticators, I can keep the boolean and just add DEVICE_CREDENTIAL depending like you're saying.

The docs for https://developer.android.com/reference/androidx/biometric/BiometricPrompt.PromptInfo.Builder#setDeviceCredentialAllowed(boolean) make it sound like all the fallback code we have here is already part of androidx.biometrics already. Can we eliminate all of this code and always just make a single sendAuthenticationRequest call?

I haven't tried this out, so maybe I'm just misunderstanding the docs, but do we even need to do this check and the errorCode computation below? If we just call authenticate, wouldn't we get an immediate error callback for these cases (e.g., we tried to auth with biometrics only, but there were no biometrics) with the right code, which we could then translate into our own error result? It seems like we still may be duplicating some BiometricPrompt logic here.

Ah, I see. I guess the idea before was that we could catch any issues before trying to authenticate (I assume the old APIs required this), but you're right. Now, we can just send the request and the AuthenticationHelper should catch it since it provides the callbacks for authentication requests.

On this note, in a follow-up PR I will add tests for AuthenticationHelper since that will do all of the error handling and is currently not tested.

I don't think we should consider the message itself to be API-stable, just the code. (Theoretically someone could be relying on it of course, but they shouldn't be.)

I see that this is pre-existing, but do you know why only error cases set this back to false? Is there another call elsewhere for success/failure?

Yeah, the other callbacks call helper methods that set it back to false, as well!