Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@onfido/react-native-sdk
Advanced tools
This SDK provides a drop-in set of screens and tools for react native applications to allow capturing of identity documents and face photos/live videos for the purpose of identity verification with Onfido. The SDK offers a number of benefits to help you create the best on-boarding/identity verification experience for your customers:
ℹ️
If you are integrating using Onfido Studio please see our Studio integration guide
* Note: the SDK is only responsible for capturing and uploading photos/videos. You still need to access the Onfido API to create and manage checks.
In order to start integration, you will need the API token. You can use our sandbox environment to test your integration, and you will find the API tokens inside your Onfido Dashboard. You can create API tokens inside your Onfido Dashboard as well.
You must create an Onfido applicant before you start the flow.
For a document or face check the minimum applicant details required are firstName
and lastName
.
You must create applicants from your server:
$ curl https://api.onfido.com/v3/applicants \
-H 'Authorization: Token token=YOUR_API_TOKEN' \
-d 'first_name=Theresa' \
-d 'last_name=May'
The JSON response has an id
field containing a UUID that identifies the applicant. All documents or live photos/videos uploaded by that instance of the SDK will be associated with that applicant.
You will need to generate and include a short-lived JSON Web Token (JWT) every time you initialise the SDK.
To generate an SDK Token you should perform a request to the SDK Token endpoint in the Onfido API:
$ curl https://api.onfido.com/v3/sdk_token \
-H 'Authorization: Token token=YOUR_API_TOKEN' \
-F 'applicant_id=YOUR_APPLICANT_ID' \
-F 'application_id=YOUR_APPLICATION_BUNDLE_IDENTIFIER'
Make a note of the token value in the response, as you will need it later on when initialising the SDK.
Warning: SDK tokens expire 90 minutes after creation.
The application_id
is the "Application ID" or "Bundle ID" that was already set up during development.
com.your-company.app-name
.
ios/YourProjectName
, click on the project root, click the General tab, under Targets click your project name, and check the Bundle Identifier field.build.config
. For example, in android/app/build.gradle
, it is the value of applicationId
.If you are starting from scratch, you can follow the React Native CLI Quickstart https://reactnative.dev/docs/getting-started. For examples, once you have installed the React Native tools, you can run:
$ npx react-native init YourProjectName
You cannot use this SDK with Expo: If your project already uses Expo, you will need to follow the eject process https://docs.expo.io/versions/latest/workflow/customizing/.
Navigate to the root directory of your React Native project. The rest of this section (section 4) will assume you are in the root directory. Run the following command:
$ npm install @onfido/react-native-sdk --save
Update your build.grade files to reference the Android SDK, and enable multi-dex. If you build your project using the react-native init
, with a build.gradle
in the android/
and android/app/
directories, you can run this script to do it:
$ npm --prefix node_modules/@onfido/react-native-sdk/ run updateBuildGradle
If you want to manually update your build files, you can follow the steps the script takes:
Add the maven link android/build.gradle
:
allprojects {
repositories {
mavenCentral()
}
}
Enable multidex in android/app/build.gradle
:
android {
defaultConfig {
multiDexEnabled true
}
}
NFC dependencies are not included in the SDK to avoid increasing the SDK size when the NFC feature is disabled. To use the NFC feature, you need to include the following dependencies (with the specified versions) in your build script:
implementation "net.sf.scuba:scuba-sc-android:0.0.23"
implementation "org.jmrtd:jmrtd:0.7.34"
implementation "com.madgag.spongycastle:prov:1.58.0.0"
You also need to add the following Proguard rules to your proguard-rules.pro
file:
-keep class org.jmrtd.** { *; }
-keep class net.sf.scuba.** {*;}
-keep class org.bouncycastle.** {*;}
-keep class org.spongycastle.** {*;}
-keep class org.ejbca.** {*;}
-dontwarn kotlin.time.jdk8.DurationConversionsJDK8Kt
-dontwarn org.ejbca.**
-dontwarn org.bouncycastle.**
-dontwarn org.spongycastle.**
-dontwarn module-info
-dontwarn org.jmrtd.**
-dontwarn net.sf.scuba.**
Change ios/Podfile
to use version 11:
platform :ios, '11.0'
Add descriptions for camera and microphone permissions to ios/YourProjectName/Info.plist
:
<plist version="1.0">
<dict>
<!-- Add these four elements: -->
<key>NSCameraUsageDescription</key>
<string>Required for document and facial capture</string>
<key>NSMicrophoneUsageDescription</key>
<string>Required for video capture</string>
<!-- ... -->
</dict>
</plist>
Open Xcode and create an empty swift file in your project root. For example, if your project is called YourProjectName, you can open it from the command line:
open ios/YourProjectName.xcodeproj
Once Xcode is open, add an empty Swift file: File > New File > Swift > Next > "SwiftVersion" > Create > Don't create Header. This will update your iOS configuration with a Swift version. All changes are automatically saved, so you can close Xcode.
Install the pods:
cd ios
pod install
cd ..
You can launch the app with a call to Onfido.start
. For example, once you have the sdkTokenFromOnfidoServer
, your react component might look like this:
import React, {Component} from 'react';
import {Button, View} from 'react-native';
import {
Onfido,
OnfidoCaptureType,
OnfidoCountryCode,
OnfidoDocumentType,
} from '@onfido/react-native-sdk';
export default class App extends Component {
startSDK() {
Onfido.start({
sdkToken: 'sdkTokenFromOnfidoServer',
flowSteps: {
welcome: true,
captureFace: {
type: OnfidoCaptureType.VIDEO,
},
captureDocument: {
docType: OnfidoDocumentType.DRIVING_LICENCE,
countryCode: OnfidoCountryCode.GBR,
},
},
})
.then(res => console.warn('OnfidoSDK: Success:', JSON.stringify(res)))
.catch(err => console.warn('OnfidoSDK: Error:', err.code, err.message));
}
render() {
return (
<View style={{marginTop: 100}}>
<Button title="Start Onfido SDK" onPress={() => this.startSDK()} />
</View>
);
}
}
Once you have an added the SDK as a dependency and you have a SDK token, you can configure the SDK:
Example configuration:
config = {
sdkToken: “EXAMPLE-TOKEN-123”,
flowSteps: {
welcome: true,
captureDocument: {
docType: OnfidoDocumentType.DRIVING_LICENSE,
countryCode: OnfidoCountryCode.USA
},
captureFace: {
type: OnfidoCaptureType.VIDEO
},
},
enableNFC: true
}
sdkToken
: Required. This is the JWT sdk token obtained by making a call to the SDK token API. See section Configuring SDK with Tokens.
flowSteps
: Required. This object is used to toggle individual screens on and off and set configurations inside the screens.
welcome
: Optional. This toggles the welcome screen on or off. If omitted, this screen does not appear in the flow.
true
, false
captureDocument
: Optional. This object contains configuration for the capture document screen. If docType and countryCode are not specified, a screen will appear allowing the user to choose these values. If omitted, this screen does not appear in the flow.
docType
: Required if countryCode is specified.
OnfidoDocumentType
: PASSPORT
, DRIVING_LICENCE
, NATIONAL_IDENTITY_CARD
, RESIDENCE_PERMIT
, RESIDENCE_PERMIT
, VISA
, WORK_PERMIT
, GENERIC
.
Note: GENERIC
document type doesn't offer an optimised capture experience for a desired document type.countryCode
: Required if docType is specified.
OnfidoCountryCode
: Any ISO 3166-1 alpha-3 code. For example: OnfidoCountryCode.USA
.enableNFC
: Optional. This toggles the ePassport NFC extraction feature. If omitted, this feature is not enabled in the flow. There is also application configuration changes needed to use this feature. To do that please follow Onfido Developer Hub
true
, false
.captureFace
: Optional. This object object containing options for capture face screen. If omitted, this screen does not appear in the flow.
type
: Required if captureFace is specified.
OnfidoCaptureType
: PHOTO
, VIDEO
, MOTION
.localisation
: Optional. This object contains localisation configuration. See section Localization for the details.
config = {
sdkToken: “EXAMPLE-TOKEN-123”,
localisation: {
ios_strings_file_name: 'Localizable',
},
flowSteps: {
...
},
}
The response will include a face
section if captureFace
was specified, document
section if captureDocument
was specified, or both sections if thery were both requested in the config.
Example:
{
document: {
front: { id: "123-abc" },
back: { id: "345-def" }
},
face: {
id: "456-567",
variant: "VIDEO" // PHOTO or VIDEO
},
}
The SDK will reject the promise any time the Onfido SDK exits without a success. This includes cases where:
Example
{
code: "config_error",
message: "sdkToken is missing"
}
The SDK supports and maintains the following 44 languages:
However, you can add your own translations.
By default, custom localisation is enabled on Android. There is no configuration needed on React Native SDK to enable it. You could also provide custom translation for a locale that we don’t currently support, by having an additional XML strings file inside your resources folder for the desired locale. See Localisation section of Android SDK repo for the details.
You can also provide a custom translation for a locale that Onfido doesn't currently support. There is a simple configuration needed on the React Native SDK to enable custom localisation.
localisation: {
ios_strings_file_name: '<Your .strings file name in iOS app bundle>',
},
cd ios
, and open your XCode workspace.As the SDK is only responsible for capturing and uploading photos/videos, you would need to start a check on your backend server using the Onfido API.
All API requests must be made with an API token included in the request headers. You can find your API token (not to be mistaken with the mobile SDK token) inside your Onfido Dashboard.
Refer to the Authentication section in the API documentation for details. For testing, you should be using the sandbox, and not the live, token.
You will need to create a check by making a request to the create check endpoint, using the applicant id. If you are just verifying a document, you only have to include a document report as part of the check. On the other hand, if you are verifying a document and a face photo/live video, you will also have to include a facial similarity report with the corresponding values: facial_similarity_photo
for the photo option and facial_similarity_video
for the video option.
$ curl https://api.onfido.com/v3/checks \
-H 'Authorization: Token token=YOUR_API_TOKEN' \
-d 'applicant_id=YOUR_APPLICANT_ID' \
-d 'report_names=[document,facial_similarity_photo]'
Note: You can also submit the POST request in JSON format.
You will receive a response containing the check id instantly. As document and facial similarity reports do not always return actual results straightaway, you need to set up a webhook to get notified when the results are ready.
Finally, as you are testing with the sandbox token, please be aware that the results are pre-determined. You can learn more about sandbox responses here.
Note: If you're using API v2, please check out API v2 to v3 migration guide to understand which changes need to be applied before starting to use API v3.
You can customize the SDK by adding a colors.json
file to your project at the same level as your node_modules
directory. The file should contain a single json object with the desired keys and values. For example:
{
"onfidoPrimaryColor": "#FF0000",
"onfidoPrimaryButtonTextColor": "#008000",
"onfidoPrimaryButtonColorPressed": "#FFA500",
"onfidoAndroidStatusBarColor": "#A52A2A",
"onfidoAndroidToolBarColor": "#800080",
"onfidoIosSupportDarkMode": true
}
Below is a description of all available keys:
onfidoPrimaryColor
: Defines the background color of views such as the document type icon, capture confirmation buttons, and back navigation button.onfidoPrimaryButtonTextColor
: Defines the text color of labels included in views such as capture confirmation buttons.onfidoPrimaryButtonColorPressed
: Defines the background color of capture confirmation buttons when pressed.onfidoAndroidStatusBarColor
: Android only. Defines the background color of the Toolbar
that guides the user through the flow.onfidoAndroidToolBarColor
: Android only. Defines the color of the status bar above the Toolbar
.onfidoIosSupportDarkMode
: iOS Only. Defines if Dark Mode will be supported on SDK screens. The value is true by default.Once you've added the colors.json to your project, you should add colors.json file to your xcode project as bundle resource. You can create symbolic link (rather than copy paste) to prevent redundancy. You can check out SampleApp project to see example usage.
Then when running on an iOS device the values will be picked up dynamically at runtime. For Android devices to pick up the values you will need to run the following command at the same level of your node_modules
directory. This will also be run when running the npm --prefix node_modules/@onfido/react-native-sdk/ run updateOnfido
command.
$ npm --prefix node_modules/@onfido/react-native-sdk/ run updateColors
Once you are happy with your integration and are ready to go live, please contact client-support@onfido.com to obtain live versions of the API token and the mobile SDK token. You will have to replace the sandbox tokens in your code with the live tokens.
A few things to check before you go live:
Resolving dependency conflicts
Here are some helpful resources if you are experiencing dependency conflicts between this React Native SDK and other packages your app uses:
General advice
If you see issues, you can try removing node_modules
, build directories, and cache files. A good tool to help with this is react-native-clean-project
Below is a list of known differences in expected behavior between the Onfido Android and iOS SDKs this React Native SDK wraps:
passport
uploaded through the iOS SDK will have the side
attribute set to null
, while those uploaded via Android will have side
as front
.Please open an issue through GitHub. Please be as detailed as you can. Remember not to submit your token in the issue. Also check the closed issues to check whether it has been previously raised and answered.
If you have any issues that contain sensitive information please send us an email with the ISSUE:
at the start of the subject to react-native-sdk@onfido.com
Previous version of the SDK will be supported for a month after a new major version release. Note that when the support period has expired for an SDK version, no bug fixes will be provided, but the SDK will keep functioning (until further notice).
Copyright 2021 Onfido, Ltd. All rights reserved.
The Onfido React Native SDK is available under the MIT license.
[8.2.0] - 2023-04-12
FAQs
Onfido React Native SDK
The npm package @onfido/react-native-sdk receives a total of 12,018 weekly downloads. As such, @onfido/react-native-sdk popularity was classified as popular.
We found that @onfido/react-native-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.