Update KeychainHelper protocol to take optional CFString

Also update use of kSecAttrAccessible on macOS to only occur if also using kSecUseDataProtectionKeychain per Apple docs: https://developer.apple.com/documentation/security/ksecattraccessible\?language\=objc

GTMAppAuth/Sources/KeychainStore/KeychainHelper.swift

@@ -26,7 +26,7 @@ public protocol KeychainHelper {
   func password(forService service: String) throws -> String
   func passwordData(forService service: String) throws -> Data
   func removePassword(forService service: String) throws
-  func setPassword(_ password: String, forService service: String, accessibility: CFTypeRef) throws
+  func setPassword(_ password: String, forService service: String, accessibility: CFTypeRef?) throws
   func setPassword(data: Data, forService service: String, accessibility: CFTypeRef?) throws
 }
 
@@ -104,7 +104,7 @@ final class KeychainWrapper: KeychainHelper {
   func setPassword(
     _ password: String,
     forService service: String,
-    accessibility: CFTypeRef
+    accessibility: CFTypeRef?
   ) throws {
     let passwordData = Data(password.utf8)
     try setPassword(data: passwordData, forService: service, accessibility: accessibility)

GTMAppAuth/Sources/KeychainStore/KeychainStore.swift

@@ -101,10 +101,20 @@ public final class KeychainStore: NSObject, AuthSessionStore {
   @objc(saveAuthSession:error:)
   public func save(authSession: AuthSession) throws {
     let authSessionData: Data = try authSessionData(fromAuthSession: authSession)
+
+    var maybeAccessibility: CFString? = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+    if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
+      #if os(macOS)
+      if !keychainAttributes.contains(.useDataProtectionKeychain) {
+        maybeAccessibility = nil
+      }
+      #endif
+    }
+
     try keychainHelper.setPassword(
       data: authSessionData,
       forService: itemName,
-      accessibility: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+      accessibility: maybeAccessibility
     )
   }
 
@@ -118,10 +128,20 @@ public final class KeychainStore: NSObject, AuthSessionStore {
   @objc(saveAuthSession:withItemName:error:)
   public func save(authSession: AuthSession, withItemName itemName: String) throws {
     let authSessionData = try authSessionData(fromAuthSession: authSession)
+
+    var maybeAccessibility: CFString? = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+    if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
+      #if os(macOS)
+      if !keychainAttributes.contains(.useDataProtectionKeychain) {
+        maybeAccessibility = nil
+      }
+      #endif
+    }
+
     try keychainHelper.setPassword(
       data: authSessionData,
       forService: itemName,
-      accessibility: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+      accessibility: maybeAccessibility
     )
   }
 
@@ -268,10 +288,20 @@ public final class KeychainStore: NSObject, AuthSessionStore {
         .persistenceResponseString(forAuthSession: authSession) else {
       throw KeychainStore.Error.failedToCreateResponseStringFromAuthSession(authSession)
     }
+
+    var maybeAccessibility: CFString? = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+    if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
+      #if os(macOS)
+      if !keychainAttributes.contains(.useDataProtectionKeychain) {
+        maybeAccessibility = nil
+      }
+      #endif
+    }
+
     try keychainHelper.setPassword(
       persistence,
       forService: itemName,
-      accessibility: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)
+      accessibility: maybeAccessibility)
   }
 }
 

GTMAppAuth/Tests/Helpers/KeychainHelperFake.swift

@@ -91,7 +91,7 @@ public class KeychainHelperFake: NSObject, KeychainHelper {
   @objc public func setPassword(
     _ password: String,
     forService service: String,
-    accessibility: CFTypeRef
+    accessibility: CFTypeRef?
   ) throws {
     do {
       try removePassword(forService: service)