chore: Update reauthenticate method with proper error (#24213)

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->

Update `reauthenticate` method to throw more verbose errors. For
example, when password is not set using biometrics. This also fixes an
issue where reset password screen would show the incorrect error message
when attempting to use biometrics. The correct behavior is that it
should not show incorrect message when password is not stored using
biometrics.

## **Changelog**

<!--
If this PR is not End-User-Facing and should not show up in the
CHANGELOG, you can choose to either:
1. Write `CHANGELOG entry: null`
2. Label with `no-changelog`

If this PR is End-User-Facing, please write a short User-Facing
description in the past tense like:
`CHANGELOG entry: Added a new tab for users to see their NFTs`
`CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker`

(This helps the Release Engineer do their job more quickly and
accurately)
-->

CHANGELOG entry:

## **Related issues**

Fixes: MetaMask/MetaMask-planning#6008

## **Manual testing steps**

```gherkin
Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]
```

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->


https://github.com/user-attachments/assets/2681f8f9-b8d5-4aa7-ac8c-5daf47972520

### **After**

<!-- [screenshots/recordings] -->


https://github.com/user-attachments/assets/19538c61-66ba-4642-be0e-6dbe5675c8fa


## **Pre-merge author checklist**

- [ ] I’ve followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Reworks reauthentication to emit explicit
PASSWORD_NOT_SET_WITH_BIOMETRICS/BIOMETRIC_ERROR and updates UI/tests to
handle no-credentials flows without showing incorrect-password warnings.
> 
> - **Authentication**:
> - Refactor `Authentication.reauthenticate` to use stored keychain
credentials; throw `PASSWORD_NOT_SET_WITH_BIOMETRICS` when absent and
wrap keychain failures as `BIOMETRIC_ERROR`.
> - Update `updateAuthPreference` to convert
`PASSWORD_NOT_SET_WITH_BIOMETRICS` into
`AUTHENTICATION_APP_TRIGGERED_AUTH_NO_CREDENTIALS` and keep lock-time
handling.
> - Add `ReauthenticateErrorType` values
(`PASSWORD_NOT_SET_WITH_BIOMETRICS`, `BIOMETRIC_ERROR`).
> - **UI**:
> - `Views/ResetPassword`: suppress incorrect-password warning when
`PASSWORD_NOT_SET_WITH_BIOMETRICS`; always resolve loading state in
`finally`.
> - `Views/RevealPrivateCredential`: suppress incorrect-password warning
on `PASSWORD_NOT_SET_WITH_BIOMETRICS`.
> - **Tests**:
> - Update tests to expect `PASSWORD_NOT_SET_WITH_BIOMETRICS`; remove
legacy `BIOMETRIC_NOT_ENABLED` expectations and related storage checks;
add mapping test to `AUTHENTICATION_APP_TRIGGERED_AUTH_NO_CREDENTIALS`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
8a8b246. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: Cal-L

app/components/Views/ResetPassword/index.js

@@ -79,6 +79,7 @@ import {
   AuthConnection,
   SeedlessOnboardingControllerErrorMessage,
 } from '@metamask/seedless-onboarding-controller';
+import { ReauthenticateErrorType } from '../../../core/Authentication/types';
 
 // Constants
 const PASSCODE_NOT_SET_ERROR = 'Error: Passcode not set.';
@@ -656,9 +657,23 @@ class ResetPassword extends PureComponent {
         view: RESET_PASSWORD,
       });
     } catch (e) {
+      // Don't show warning if password is not set with biometrics
+      if (
+        e.message.includes(
+          ReauthenticateErrorType.PASSWORD_NOT_SET_WITH_BIOMETRICS,
+        )
+      ) {
+        return;
+      }
+
+      // Show warning if password is incorrect
       const msg = strings('reveal_credential.warning_incorrect_password');
       this.setState({
         warningIncorrectPassword: msg,
+      });
+    } finally {
+      // Resolve UI loading state
+      this.setState({
         ready: true,
       });
     }

app/components/Views/RevealPrivateCredential/RevealPrivateCredential.tsx

@@ -206,8 +206,12 @@ const RevealPrivateCredential = ({
         // TODO: Replace "any" with type
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
       } catch (e: any) {
-        // we should not show the error message if the error is because biometric is not enabled
-        if (e.message.includes(ReauthenticateErrorType.BIOMETRIC_NOT_ENABLED)) {
+        // we should not show the error message if the error is because password is not set with biometrics
+        if (
+          e.message.includes(
+            ReauthenticateErrorType.PASSWORD_NOT_SET_WITH_BIOMETRICS,
+          )
+        ) {
           return;
         }
         let msg = strings('reveal_credential.warning_incorrect_password');

app/core/Authentication/Authentication.test.ts

@@ -3984,10 +3984,10 @@ describe('Authentication', () => {
       alertSpy.mockRestore();
     });
 
-    it('converts BIOMETRIC_NOT_ENABLED error to AUTHENTICATION_APP_TRIGGERED_AUTH_NO_CREDENTIALS', async () => {
-      // Mock reauthenticate to throw BIOMETRIC_NOT_ENABLED error
+    it('converts PASSWORD_NOT_SET_WITH_BIOMETRICS error to AUTHENTICATION_APP_TRIGGERED_AUTH_NO_CREDENTIALS', async () => {
+      // Mock reauthenticate to throw PASSWORD_NOT_SET_WITH_BIOMETRICS error
       const biometricNotEnabledError = new Error(
-        `${ReauthenticateErrorType.BIOMETRIC_NOT_ENABLED}: Biometric is not enabled`,
+        `${ReauthenticateErrorType.PASSWORD_NOT_SET_WITH_BIOMETRICS}: No password stored with biometrics in keychain.`,
       );
       jest
         .spyOn(Authentication, 'reauthenticate')
@@ -4230,39 +4230,18 @@ describe('Authentication', () => {
       expect(result.password).toBe('test-password');
     });
 
-    it('throws PASSWORD_REQUIRED error when no biometric credentials are available', async () => {
+    it('throws PASSWORD_NOT_SET_WITH_BIOMETRICS error when password is not set using biometric credentials', async () => {
       const verifyPasswordSpy = Engine.context.KeyringController.verifyPassword;
-      const getItemSpy = jest
-        .spyOn(StorageWrapper, 'getItem')
-        .mockResolvedValueOnce(null as never);
       const getPasswordSpy = jest
         .spyOn(Authentication, 'getPassword')
         .mockResolvedValueOnce(null);
 
       await expect(Authentication.reauthenticate()).rejects.toThrow(
-        ReauthenticateErrorType.BIOMETRIC_NOT_ENABLED,
+        ReauthenticateErrorType.PASSWORD_NOT_SET_WITH_BIOMETRICS,
       );
 
-      expect(getItemSpy).toHaveBeenCalledWith(BIOMETRY_CHOICE);
-      expect(getPasswordSpy).not.toHaveBeenCalled();
-      expect(verifyPasswordSpy).not.toHaveBeenCalled();
-    });
-
-    it('uses stored biometric password when no password is provided', async () => {
-      const verifyPasswordSpy = Engine.context.KeyringController.verifyPassword;
-      await StorageWrapper.setItem(BIOMETRY_CHOICE, TRUE);
-      const getPasswordSpy = jest
-        .spyOn(Authentication, 'getPassword')
-        .mockResolvedValue({
-          password: 'stored-password',
-        } as unknown as Keychain.UserCredentials);
-
-      const result = await Authentication.reauthenticate();
-
-      expect(StorageWrapper.getItem).toHaveBeenCalledWith(BIOMETRY_CHOICE);
       expect(getPasswordSpy).toHaveBeenCalled();
-      expect(verifyPasswordSpy).toHaveBeenCalledWith('stored-password');
-      expect(result.password).toBe('stored-password');
+      expect(verifyPasswordSpy).not.toHaveBeenCalled();
     });
 
     it('propagates error when password verification fails', async () => {

app/core/Authentication/Authentication.ts

@@ -8,7 +8,6 @@ import {
   SEED_PHRASE_HINTS,
   OPTIN_META_METRICS_UI_SEEN,
   PREVIOUS_AUTH_TYPE_BEFORE_REMEMBER_ME,
-  BIOMETRY_CHOICE,
 } from '../../constants/storage';
 import {
   authSuccess,
@@ -1521,11 +1520,11 @@ class AuthenticationService {
     } catch (e) {
       const errorWithMessage = e as { message: string };
 
-      // Check if the error is because biometrics are not enabled
+      // Check if the error is because password is not set with biometrics
       // Convert it to AUTHENTICATION_APP_TRIGGERED_AUTH_NO_CREDENTIALS so UI can handle it
       if (
         errorWithMessage.message.includes(
-          ReauthenticateErrorType.BIOMETRIC_NOT_ENABLED,
+          ReauthenticateErrorType.PASSWORD_NOT_SET_WITH_BIOMETRICS,
         )
       ) {
         throw new AuthenticationError(
@@ -1571,20 +1570,28 @@ class AuthenticationService {
 
     // if no password is provided, try to use the stored biometric/remember-me password
     if (!passwordToVerify) {
-      const biometryChoice = await StorageWrapper.getItem(BIOMETRY_CHOICE);
-      if (biometryChoice) {
+      try {
         const credentials = await this.getPassword();
         if (credentials) {
           passwordToVerify = credentials.password;
         }
+      } catch (e) {
+        const error = e as Error;
+        // TODO: May want to triage errors here and throw different errors based on the error type
+        // For example, getPassword throws with `User canceled the operation` when biometrics is canceled or fails
+        // Disallowing biometrics on system level will not throw an error and just return empty credentials
+        throw new Error(
+          `${ReauthenticateErrorType.BIOMETRIC_ERROR}: ${error.message}`,
+        );
       }
 
       // If there is no biometric choice configured or no stored credentials,
       // throw a specific error instead of attempting to verify an empty password.
       if (!passwordToVerify) {
-        const biometricNotEnabledErrorMessage = 'Biometric is not enabled';
+        const passwordNotSetWithBiometricsErrorMessage =
+          'No password stored with biometrics in keychain.';
         throw new Error(
-          `${ReauthenticateErrorType.BIOMETRIC_NOT_ENABLED}: ${biometricNotEnabledErrorMessage}`,
+          `${ReauthenticateErrorType.PASSWORD_NOT_SET_WITH_BIOMETRICS}: ${passwordNotSetWithBiometricsErrorMessage}`,
         );
       }
     }

app/core/Authentication/types.ts

@@ -1,3 +1,4 @@
 export enum ReauthenticateErrorType {
-  BIOMETRIC_NOT_ENABLED = 'BIOMETRIC_NOT_ENABLED',
+  PASSWORD_NOT_SET_WITH_BIOMETRICS = 'PASSWORD_NOT_SET_WITH_BIOMETRICS',
+  BIOMETRIC_ERROR = 'BIOMETRIC_ERROR',
 }