feat(auth-client): add passkey registration and management methods#20304
feat(auth-client): add passkey registration and management methods#20304MagentaManifold merged 1 commit intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds client-side support for passkey (WebAuthn) registration and passkey management by exposing the relevant auth-server endpoints through fxa-auth-client, alongside a small server response-schema tweak and a shared Settings-side Passkey type.
Changes:
- Added passkey registration start/finish and passkey list/delete/rename methods to
fxa-auth-client. - Updated auth-server validation for passkey registration finish responses (
lastUsedAtcan benull, and response is a metadata subset). - Introduced and re-exported a
PasskeyTypeScript interface infxa-settingspasskeys lib.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/fxa-settings/src/lib/passkeys/types.ts | Adds a Passkey interface representing passkey metadata returned by APIs. |
| packages/fxa-settings/src/lib/passkeys/index.ts | Re-exports the new types module from the passkeys lib entrypoint. |
| packages/fxa-auth-server/lib/routes/passkeys.ts | Aligns /passkey/registration/finish response validation with nullable lastUsedAt and a reduced response shape. |
| packages/fxa-auth-client/lib/client.ts | Adds new passkey-related client methods and introduces jwtPatch helper. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| import type { | ||
| PublicKeyCredentialCreationOptionsJSON, | ||
| Passkey, | ||
| } from './../../fxa-settings/src/lib/passkeys'; |
There was a problem hiding this comment.
The auth-client package is importing types via a relative path into fxa-settings (./../../fxa-settings/src/lib/passkeys). Even as a type-only import, this will typically appear in the generated .d.ts and/or pull those source files into the auth-client TS program, which can break consumers that install fxa-auth-client without the fxa-settings sources and can unintentionally publish fxa-settings code as part of auth-client’s build output. Consider moving these shared Passkey/WebAuthn JSON types into a dedicated shared package (e.g. @fxa/shared or @fxa/accounts/passkey) or duplicating the minimal interfaces inside fxa-auth-client and exporting them from there, instead of importing from another package’s src/ directory.
| aaguid: isA.string().required(), | ||
| backupEligible: isA.boolean().required(), | ||
| backupState: isA.boolean().required(), | ||
| prfEnabled: isA.boolean().required(), |
There was a problem hiding this comment.
Accidentally included these in the last PR 😓 Also lastUsedAt should be nullable (not directly related to this PR, but I want to sneak in the fixes)
There was a problem hiding this comment.
We should probably at least keep prfEnabled?
| * License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | ||
|
|
||
| export interface Passkey { |
There was a problem hiding this comment.
Not sure if this is the best place to put the type; open to suggestions
| import type { | ||
| PublicKeyCredentialCreationOptionsJSON, | ||
| Passkey, | ||
| } from './../../fxa-settings/src/lib/passkeys'; |
There was a problem hiding this comment.
Surprise to see that we have so few imports here! A lot of methods in AuthClient implicitly returns any
MagentaManifold
force-pushed
the
FXA-13071
branch
from
8417840 to
9727435
Compare
vpomerleau
left a comment
vpomerleau
left a comment
There was a problem hiding this comment.
Considering the number of duplicated types, it might be good to move these to a shared location now to prevent drift, but not a blocker since we already have other duplicated types.
| // NOTE: These passkey/webauthn related types are duplicated from fxa-settings. | ||
| // We cannot import them because it will cause circular dependencies, which nx | ||
| // does not allow. | ||
| // TODO: We should consider moving these types to a shared package |
There was a problem hiding this comment.
/libs/shared/types might be a good shared location?
| aaguid: isA.string().required(), | ||
| backupEligible: isA.boolean().required(), | ||
| backupState: isA.boolean().required(), | ||
| prfEnabled: isA.boolean().required(), |
There was a problem hiding this comment.
We should probably at least keep prfEnabled?
MagentaManifold
force-pushed
the
FXA-13071
branch
from
9727435 to
ef98281
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| expect(result).toEqual({ | ||
| credentialId: mockPasskeyRecord.credentialId.toString('base64url'), | ||
| name: mockPasskeyRecord.name, | ||
| createdAt: mockPasskeyRecord.createdAt, | ||
| lastUsedAt: mockPasskeyRecord.lastUsedAt, | ||
| transports: mockPasskeyRecord.transports, |
There was a problem hiding this comment.
The route tests only cover the lastUsedAt value being a number, but the route schema was updated to allow lastUsedAt: null (which is the value returned for newly registered passkeys). Consider adding a test case (or adjusting the mock) where mockPasskeyRecord.lastUsedAt is null to ensure the handler mapping and response schema validation work for that case.
Because: * we need to use these endpoints in settings This commit: * add these methods to auth-client * adds more fields in the response of /passkey/registration/finish Closes FXA-13071
MagentaManifold
force-pushed
the
FXA-13071
branch
from
ef98281 to
cee220d
Compare
Because
This pull request
Issue that this pull request solves
Closes: FXA-13071
Checklist
Put an
xin the boxes that applyHow to review (Optional)
Screenshots (Optional)
Please attach the screenshots of the changes made in case of change in user interface.
Other information (Optional)
Any other information that is important to this pull request.