feat(auth): Add WebAuthn/passkey support across all platforms #6851
Draft
- Add WebAuthn credential types and passkey exception handling to amplify_core
- Implement WebAuthn bridge for Android with Pigeon code generation
- Implement WebAuthn bridge for iOS/macOS with Swift bindings
- Add Linux WebAuthn platform support with libfido2 bindings
- Add Windows WebAuthn platform support with native bindings
- Implement Dart-only WebAuthn credential platform with HTML and stub variants
- Add CognitoWebAuthnClient for WebAuthn credential operations
- Add passkey sign-in flow to sign-in state machine
- Add base64url encoding utility for credential serialization
- Extend authenticator with passwordless settings and passkey UI flows
- Add comprehensive test coverage for WebAuthn operations across all platforms
- Update localizations to support passkey-related UI strings
- Add WebAuthn Gen 2 backend scaffolding
- Add PasswordlessOutputs config and example app passkey screen
…onfig
- Create pre-sign-up Lambda handler for WebAuthn authentication flow
- Define pre-sign-up trigger function in auth resource configuration
- Integrate pre-sign-up trigger into Cognito auth resource
- Add WebAuthn backend to deployment configuration in deploy_gen2.dart
- Remove dependency overrides from amplify_auth_cognito example pubspec.yaml
- Remove unnecessary variable assignment in isPasskeySupported check
- Add dead_code ignore annotation for null check in credentials validation
- Add invalid_runtime_check_with_js_interop_types ignore for JSObject cast
- Convert mutable list literals to const in credential tests
- Add explicit Map type casts for response field access in assertions
- Convert string literals to const where appropriate in test data
- Add close_sinks ignore annotation to test file header
- Remove unused imports (mock_clients, aws_common) from associate test
- Remove unused hubEvents variable declaration
- Improve type safety in JSON response assertions across passkey tests
- Reformat long lines in passwordless_outputs.dart for readability
- Reorganize auth_types.dart exports to group credentials after auto sign-in
- Simplify test assertions in auth_factor_type_webauthn_test.dart
- Format multi-line widget constructors in passkey_management.dart example
- Apply consistent formatting across WebAuthn platform implementations
- Improve code readability in WebAuthn credential models and tests
- Standardize formatting in authenticator widgets and services
- Import json_annotation package for JSON serialization control
- Add @jsonkey annotation to exclude passwordless outputs from JSON serialization
- Add WebAuthn factor type mapping to AuthFactorType enum
- Enable WebAuthn as a supported authentication factor in sign-in flow
…orm code
- Reorganize imports to follow Dart conventions (package imports before relative imports)
- Add ignore_for_file directives to suppress linting warnings for generated code and platform-specific files
- Update documentation comments to use backticks for code references instead of square brackets
- Fix type annotations in tests for better type safety (Map to Map<String, dynamic>)
- Improve code consistency across Linux and Windows WebAuthn platform implementations
… collector
macOS uses FFI (ASFDeviceInfoMacOS) for device info collection, not the Pigeon method channel bridge. The Flutter wrapper was incorrectly overriding the FFI implementation for macOS, causing a fatalError() in AmplifyAuthCognitoPlugin.swift:112.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Linux passkey platform tried to load `libfido2.so` (unversioned), which only exists when the -dev package is installed. Runtime environments only have `libfido2.so.1` (the SONAME). Now tries the versioned name first, fixing PasskeyNotSupportedException on systems with libfido2 runtime installed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add missing UI elements needed for Linux
- Fix bindings
- Fix flow
- Fix window handling
- Fix bindings
- Fix data encoding/decoding
- Fix detection
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #6851 +/- ##
==========================================
+ Coverage 43.23% 45.71% +2.47%
==========================================
Files 99 106 +7
Lines 7769 9604 +1835
Branches 3400 3944 +544
==========================================
+ Hits 3359 4390 +1031
- Misses 4410 5214 +804
…form files
- Add missing public API docs to LinuxWebAuthnPlatform stub methods
- Add missing public API docs to WindowsWebAuthnPlatform stub methods
- Fix comment_references in webauthn_bindings.dart: escape Win32 API names with backticks instead of doc-link brackets
- Add mock overrides for fidoCborInfoNew, fidoCborInfoFree, fidoDevGetCborInfo, fidoCborInfoOptionsLen, fidoCborInfoOptionsNamePtr, fidoCborInfoOptionsValuePtr, fidoDevGetRetryCnt, and fidoDevCancel to MockLibFido2Bindings in linux_webauthn_platform_test.dart
- Apply dart format to webauthn_bindings.dart, windows_webauthn_platform.dart, and windows_webauthn_platform_test.dart
- Add TestWidgetsFlutterBinding.ensureInitialized() to linux test main()
to fix WidgetsBinding.instance access in showFidoTouchDialog
- Pass kernel32Lib: DynamicLibrary.process() in MockWebAuthnBindings
to prevent DynamicLibrary.open('kernel32.dll') failure on Linux CI
- Override all user32.dll and kernel32.dll function bindings in MockWebAuthnBindings to prevent symbol lookup failures on Linux CI
- Pass kernel32Lib to _ThrowingMockBindings constructor
- Use Dart wildcard _ parameters to satisfy unnecessary_underscores lint
- Add useIsolate flag to LinuxWebAuthnPlatform; defaults to false when test bindings are provided so blocking FFI calls run on the main thread using mock bindings instead of spawning an isolate that re-opens libfido2.so (which is unavailable on CI)
- Add _makeCred and _getAssert instance methods for synchronous execution path in test mode
- Fix Windows test JSON fixtures: use base64url-encoded user ID 'dXNlcjEyMw' (base64url of 'user123') instead of plain 'user123' to match _base64UrlDecode expectations
- Use full AuthenticationResponseJSON with 'id', 'response', and nested fields so the JSON pass-through detection finds it (requires >50 bytes and 'id'+'response' keys)
- Fix base64url user ID in windows test fixtures
When clicking 'with password' or 'with passkey', only the clicked button shows a loading spinner while the other is disabled. Previously both buttons showed spinners which was confusing.
Changes:
- Add busyButtonKey and isBusyFor() to AuthenticatorState to track which button initiated the busy state
- Update _AmplifyElevatedButtonState to show spinner only for the active button (others just disable)
- Pass buttonKey from each sign-in button's onPressed handler
- Fix ContinueSignInWithFirstFactorSelectionForm to track which action (password or factor) is submitting, showing spinner only on that button
- Update MockAuthenticatorState in tests to implement new members
On Linux, check if the connected FIDO2 key supports resident/discoverable credentials before attempting to create one. Keys like ZUKEY 2 FIDO that don't support resident credentials would silently create non-resident credentials, causing registration to appear successful but login to fail. On Windows, stop hardcoding bRequireResidentKey=TRUE and instead read the authenticatorSelection.residentKey option from the server response.
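The check described in the commit message above, sketched as an added example (not code from this PR or the Amplify project). It assumes the authenticator options arrive as the parallel name/value arrays that libfido2 exposes for CTAP2 getInfo and applies the WebAuthn `residentKey` semantics; the enum and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative names; not taken from the PR. */
typedef enum {
    RK_CREATE_DISCOVERABLE,     /* request a resident credential */
    RK_CREATE_NON_DISCOVERABLE, /* usable only with allowCredentials at sign-in */
    RK_REJECT_UNSUPPORTED       /* fail before the key is asked to register */
} rk_decision;

/* Look up the CTAP2 getInfo option "rk". names/values have the shape of
 * libfido2's fido_cbor_info_options_name_ptr()/..._value_ptr() results.
 * An absent "rk" entry counts as not supported. */
static bool authenticator_supports_rk(char *const *names, const bool *values,
                                      size_t len)
{
    if (names == NULL || values == NULL)
        return false;
    for (size_t i = 0; i < len; i++)
        if (names[i] != NULL && strcmp(names[i], "rk") == 0)
            return values[i];
    return false;
}

/* Combine authenticatorSelection.residentKey with the key's capability.
 * Missing or unknown values are handled as "discouraged" (assumes the
 * legacy requireResidentKey flag is not set). */
rk_decision decide_resident_key(const char *resident_key,
                                char *const *names, const bool *values,
                                size_t len)
{
    bool rk = authenticator_supports_rk(names, values, len);

    if (resident_key != NULL && strcmp(resident_key, "required") == 0)
        return rk ? RK_CREATE_DISCOVERABLE : RK_REJECT_UNSUPPORTED;
    if (resident_key != NULL && strcmp(resident_key, "preferred") == 0)
        return rk ? RK_CREATE_DISCOVERABLE : RK_CREATE_NON_DISCOVERABLE;
    return RK_CREATE_NON_DISCOVERABLE;
}

int main(void)
{
    /* Constructed sample: a key that reports rk=false. */
    char *names[] = { "plat", "rk", "up" };
    const bool values[] = { false, false, true };
    return decide_resident_key("required", names, values, 3)
               == RK_REJECT_UNSUPPORTED ? 0 : 1;
}
```

Rejecting up front in the `required` case is what keeps a registration from appearing successful on a key that cannot later be found by a passkey sign-in.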
Detect unsupported USB key
Handle multiple keys
Improve code
Successor of #6812