Adds typecast handling for passkey request handlers. instantiates gson at root level of the class to avoid multiple reinstantiation

Author: NandanPrabhu

.github/workflows/main.yml

@@ -309,7 +309,7 @@ jobs:
 
     test-windows-unit:
         name: Run native Windows unit tests
-        runs-on: windows-2022
+        runs-on: windows-latest
         environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }}
 
         steps:
@@ -349,7 +349,7 @@ jobs:
                 ${{ github.workspace }}\vcpkg\vcpkg install cpprestsdk:x64-windows openssl:x64-windows boost-system:x64-windows boost-date-time:x64-windows boost-regex:x64-windows
               shell: cmd
               env:
-                VCPKG_BINARY_SOURCES: 'clear;files,${{ github.workspace }}/vcpkg-binary-cache,readwrite'
+                VCPKG_BINARY_SOURCES: 'clear;files,${{ github.workspace }}/vcpkg-binary-cache,readwrite;x-gha,readwrite'
 
             - name: Cache Windows example app build
               uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # pin@v5.0.5

auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/MyAccountExtensions.kt

@@ -13,6 +13,7 @@ import com.auth0.android.result.RecoveryCodeEnrollmentChallenge
 import com.auth0.android.result.TotpAuthenticationMethod
 import com.auth0.android.result.TotpEnrollmentChallenge
 import com.google.gson.Gson
+import com.google.gson.reflect.TypeToken
 
 fun AuthenticationMethod.toMyAccountMethodMap(): Map<String, Any?> {
     return buildMap {
@@ -67,16 +68,17 @@ fun PasskeyAuthenticationMethod.toMyAccountPasskeyMethodMap(): Map<String, Any?>
 }
 
 fun PasskeyEnrollmentChallenge.toMyAccountPasskeyChallengeMap(): Map<String, Any?> {
-    // Forward the full WebAuthn creation options so the create-credential step
-    // can pass them to the platform authenticator verbatim.
-    val authParamsPublicKey: Map<*, *> = Gson().fromJson(
-        Gson().toJson(authParamsPublicKey),
-        Map::class.java
+    val gson = Gson()
+    // AuthnParamsPublicKey is a typed data class; convert via JSON tree to avoid
+    // a toJson()/fromJson(String) round-trip through an intermediate String.
+    val authParamsPublicKeyMap: Map<String, Any> = gson.fromJson(
+        gson.toJsonTree(authParamsPublicKey),
+        object : TypeToken<Map<String, Any>>() {}.type
     )
     return buildMap {
         put("authenticationMethodId", authenticationMethodId)
         put("authSession", authSession)
-        put("authParamsPublicKey", authParamsPublicKey)
+        put("authParamsPublicKey", authParamsPublicKeyMap)
     }
 }
 

auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasskeyCredentialExchangeApiRequestHandler.kt

@@ -36,9 +36,12 @@ class PasskeyCredentialExchangeApiRequestHandler : ApiRequestHandler {
 
         assertHasProperties(listOf("challenge.authSession", "credential"), args)
 
-        val challenge = args["challenge"] as Map<*, *>
-        val authSession = challenge["authSession"] as String
-        val credentialMap = args["credential"] as Map<*, *>
+        val challenge = args["challenge"] as? Map<*, *>
+            ?: throw IllegalArgumentException("Required property 'challenge' must be a map.")
+        val authSession = challenge["authSession"] as? String
+            ?: throw IllegalArgumentException("Required property 'challenge.authSession' must be a string.")
+        val credentialMap = args["credential"] as? Map<*, *>
+            ?: throw IllegalArgumentException("Required property 'credential' must be a map.")
 
         val connection = args["connection"] as? String
         val organization = args["organization"] as? String

auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/my_account/EnrollPasskeyRequestHandler.kt

@@ -44,8 +44,10 @@ class EnrollPasskeyRequestHandler : MyAccountRequestHandler {
             request.data
         )
 
-        val challengeMap = request.data["challenge"] as Map<*, *>
-        val credentialMap = request.data["credential"] as Map<*, *>
+        val challengeMap = request.data["challenge"] as? Map<*, *>
+            ?: throw IllegalArgumentException("Required property 'challenge' must be a map.")
+        val credentialMap = request.data["credential"] as? Map<*, *>
+            ?: throw IllegalArgumentException("Required property 'credential' must be a map.")
 
         val challenge = reconstructChallenge(challengeMap)
         val credentials = reconstructCredentials(credentialMap)
@@ -83,16 +85,22 @@ class EnrollPasskeyRequestHandler : MyAccountRequestHandler {
             AuthnParamsPublicKey::class.java
         )
         return PasskeyEnrollmentChallenge(
-            challengeMap["authenticationMethodId"] as String,
-            challengeMap["authSession"] as String,
+            challengeMap["authenticationMethodId"] as? String
+                ?: throw IllegalArgumentException(
+                    "Required property 'challenge.authenticationMethodId' must be a string."),
+            challengeMap["authSession"] as? String
+                ?: throw IllegalArgumentException(
+                    "Required property 'challenge.authSession' must be a string."),
             authParamsPublicKey
         )
     }
 
     private fun reconstructCredentials(
         credentialMap: Map<*, *>
     ): PublicKeyCredentials {
-        val response = credentialMap["response"] as Map<*, *>
+        val response = credentialMap["response"] as? Map<*, *>
+            ?: throw IllegalArgumentException(
+                "Required property 'credential.response' must be a map.")
         val clientExtensionResults =
             credentialMap["clientExtensionResults"] as? Map<*, *>
         val credProps = clientExtensionResults?.get("credProps") as? Map<*, *>
@@ -105,12 +113,20 @@ class EnrollPasskeyRequestHandler : MyAccountRequestHandler {
             clientExtensionResults = ClientExtensionResults(
                 credProps = CredProps(rk = residentKey)
             ),
-            id = credentialMap["id"] as String,
-            rawId = credentialMap["rawId"] as String,
+            id = credentialMap["id"] as? String
+                ?: throw IllegalArgumentException(
+                    "Required property 'credential.id' must be a string."),
+            rawId = credentialMap["rawId"] as? String
+                ?: throw IllegalArgumentException(
+                    "Required property 'credential.rawId' must be a string."),
             response = Response(
-                attestationObject = response["attestationObject"] as String,
+                attestationObject = response["attestationObject"] as? String
+                    ?: throw IllegalArgumentException(
+                        "Required property 'credential.response.attestationObject' must be a string."),
                 authenticatorData = (response["authenticatorData"] as? String) ?: "",
-                clientDataJSON = response["clientDataJSON"] as String,
+                clientDataJSON = response["clientDataJSON"] as? String
+                    ?: throw IllegalArgumentException(
+                        "Required property 'credential.response.clientDataJSON' must be a string."),
                 transports = (response["transports"] as? List<*>)
                     ?.filterIsInstance<String>() ?: emptyList(),
                 signature = (response["signature"] as? String) ?: "",

auth0_flutter/android/src/test/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasskeyCredentialExchangeApiRequestHandlerTest.kt

@@ -119,6 +119,74 @@ class PasskeyCredentialExchangeApiRequestHandlerTest {
         )
     }
 
+    @Test
+    fun `should throw when challenge is not a map`() {
+        // assertHasProperties fires first because tryGetByKey returns null for a
+        // non-Map; the resulting message still clearly identifies the bad field.
+        val options = hashMapOf<String, Any>(
+            "challenge" to "not-a-map",
+            "credential" to loginCredentialMap()
+        )
+        val handler = PasskeyCredentialExchangeApiRequestHandler()
+        val mockApi = mock<AuthenticationAPIClient>()
+        val mockAccount = mock<Auth0>()
+        val mockResult = mock<Result>()
+        val request = MethodCallRequest(account = mockAccount, options)
+
+        val exception = Assert.assertThrows(IllegalArgumentException::class.java) {
+            handler.handle(mockApi, request, mockResult)
+        }
+
+        assertThat(
+            exception.message,
+            equalTo("Required property 'challenge.authSession' is not provided.")
+        )
+    }
+
+    @Test
+    fun `should throw when authSession is not a string`() {
+        val options = hashMapOf<String, Any>(
+            "challenge" to mapOf("authSession" to 42),
+            "credential" to loginCredentialMap()
+        )
+        val handler = PasskeyCredentialExchangeApiRequestHandler()
+        val mockApi = mock<AuthenticationAPIClient>()
+        val mockAccount = mock<Auth0>()
+        val mockResult = mock<Result>()
+        val request = MethodCallRequest(account = mockAccount, options)
+
+        val exception = Assert.assertThrows(IllegalArgumentException::class.java) {
+            handler.handle(mockApi, request, mockResult)
+        }
+
+        assertThat(
+            exception.message,
+            equalTo("Required property 'challenge.authSession' must be a string.")
+        )
+    }
+
+    @Test
+    fun `should throw when credential is not a map`() {
+        val options = hashMapOf<String, Any>(
+            "challenge" to challengeMap(),
+            "credential" to "not-a-map"
+        )
+        val handler = PasskeyCredentialExchangeApiRequestHandler()
+        val mockApi = mock<AuthenticationAPIClient>()
+        val mockAccount = mock<Auth0>()
+        val mockResult = mock<Result>()
+        val request = MethodCallRequest(account = mockAccount, options)
+
+        val exception = Assert.assertThrows(IllegalArgumentException::class.java) {
+            handler.handle(mockApi, request, mockResult)
+        }
+
+        assertThat(
+            exception.message,
+            equalTo("Required property 'credential' must be a map.")
+        )
+    }
+
     @Test
     fun `should call signinWithPasskey and configure scope, audience and parameters`() {
         val options = hashMapOf<String, Any>(

auth0_flutter/android/src/test/kotlin/com/auth0/auth0_flutter/request_handlers/my_account/EnrollPasskeyRequestHandlerTest.kt

@@ -139,6 +139,110 @@ class EnrollPasskeyRequestHandlerTest {
         verify(mockResult).error(eq("server_error"), eq("Server error"), any())
     }
 
+    @Test
+    fun `should throw when challenge is not a map`() {
+        // assertHasProperties fires first because tryGetByKey returns null for a
+        // non-Map value; the message still identifies the bad field.
+        val handler = EnrollPasskeyRequestHandler()
+        val mockResult = mock<Result>()
+        val mockAccount = mock<Auth0>()
+        val mockClient = mock<MyAccountAPIClient>()
+        val request = MethodCallRequest(
+            account = mockAccount,
+            hashMapOf<String, Any>(
+                "challenge" to "not-a-map",
+                "credential" to credentialMap()
+            )
+        )
+
+        val exception = Assert.assertThrows(IllegalArgumentException::class.java) {
+            handler.handle(mockClient, request, mockResult)
+        }
+
+        assertThat(
+            exception.message,
+            equalTo("Required property 'challenge.authSession' is not provided.")
+        )
+    }
+
+    @Test
+    fun `should throw when credential is not a map`() {
+        // assertHasProperties fires first because tryGetByKey returns null for a
+        // non-Map value; the message identifies the first missing nested field.
+        val handler = EnrollPasskeyRequestHandler()
+        val mockResult = mock<Result>()
+        val mockAccount = mock<Auth0>()
+        val mockClient = mock<MyAccountAPIClient>()
+        val request = MethodCallRequest(
+            account = mockAccount,
+            hashMapOf<String, Any>(
+                "challenge" to challengeMap(),
+                "credential" to "not-a-map"
+            )
+        )
+
+        val exception = Assert.assertThrows(IllegalArgumentException::class.java) {
+            handler.handle(mockClient, request, mockResult)
+        }
+
+        assertThat(
+            exception.message,
+            equalTo("Required property 'credential.id' is not provided.")
+        )
+    }
+
+    @Test
+    fun `should throw when authenticationMethodId is not a string`() {
+        val handler = EnrollPasskeyRequestHandler()
+        val mockResult = mock<Result>()
+        val mockAccount = mock<Auth0>()
+        val mockClient = mock<MyAccountAPIClient>()
+        val challenge = challengeMap()
+        challenge["authenticationMethodId"] = 42
+        val request = MethodCallRequest(
+            account = mockAccount,
+            hashMapOf<String, Any>(
+                "challenge" to challenge,
+                "credential" to credentialMap()
+            )
+        )
+
+        val exception = Assert.assertThrows(IllegalArgumentException::class.java) {
+            handler.handle(mockClient, request, mockResult)
+        }
+
+        assertThat(
+            exception.message,
+            equalTo("Required property 'challenge.authenticationMethodId' must be a string.")
+        )
+    }
+
+    @Test
+    fun `should throw when authSession is not a string`() {
+        val handler = EnrollPasskeyRequestHandler()
+        val mockResult = mock<Result>()
+        val mockAccount = mock<Auth0>()
+        val mockClient = mock<MyAccountAPIClient>()
+        val challenge = challengeMap()
+        challenge["authSession"] = 42
+        val request = MethodCallRequest(
+            account = mockAccount,
+            hashMapOf<String, Any>(
+                "challenge" to challenge,
+                "credential" to credentialMap()
+            )
+        )
+
+        val exception = Assert.assertThrows(IllegalArgumentException::class.java) {
+            handler.handle(mockClient, request, mockResult)
+        }
+
+        assertThat(
+            exception.message,
+            equalTo("Required property 'challenge.authSession' must be a string.")
+        )
+    }
+
     @Test(expected = IllegalArgumentException::class)
     fun `should throw when challenge is missing`() {
         val handler = EnrollPasskeyRequestHandler()

auth0_flutter/example/android/app/build.gradle

@@ -94,11 +94,6 @@ flutter {
 
 dependencies {
     kover(project(":auth0_flutter"))
-
-    // Credential Manager — used by the example's PasskeyAuthenticator to present
-    // the OS passkey UI. The auth0_flutter SDK does not present this UI itself.
-    implementation 'androidx.credentials:credentials:1.3.0'
-    implementation 'androidx.credentials:credentials-play-services-auth:1.3.0'
 }
 
 koverReport {