fix: handle passkey like captcha

Author: avallete

pkg/config/auth.go

@@ -441,17 +441,7 @@ func (a *auth) FromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 	a.MinimumPasswordLength = cast.IntToUint(ValOrDefault(remoteConfig.PasswordMinLength, 0))
 	prc := ValOrDefault(remoteConfig.PasswordRequiredCharacters, "")
 	a.PasswordRequirements = NewPasswordRequirement(v1API.UpdateAuthConfigBodyPasswordRequiredCharacters(prc))
-	passkeyDisplayName := ValOrDefault(remoteConfig.WebauthnRpDisplayName, "")
-	passkeyId := ValOrDefault(remoteConfig.WebauthnRpId, "")
-	passkeyOrigins := ValOrDefault(remoteConfig.WebauthnRpOrigins, "")
-	if remoteConfig.PasskeyEnabled || passkeyDisplayName != "" || passkeyId != "" || passkeyOrigins != "" {
-		if a.Passkey == nil {
-			a.Passkey = &passkey{}
-		}
-		a.Passkey.fromAuthConfig(remoteConfig)
-	} else {
-		a.Passkey = nil
-	}
+	a.Passkey.fromAuthConfig(remoteConfig)
 	a.RateLimit.fromAuthConfig(remoteConfig)
 	if s := a.Email.Smtp; s != nil && s.Enabled {
 		a.RateLimit.EmailSent = cast.IntToUint(ValOrDefault(remoteConfig.RateLimitEmailSent, 0))
@@ -512,17 +502,25 @@ func (c *captcha) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 }
 
 func (p passkey) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
-	body.PasskeyEnabled = cast.Ptr(p.Enabled)
-	body.WebauthnRpDisplayName = nullable.NewNullableWithValue(p.RpDisplayName)
-	body.WebauthnRpId = nullable.NewNullableWithValue(p.RpId)
-	body.WebauthnRpOrigins = nullable.NewNullableWithValue(strings.Join(p.RpOrigins, ","))
+	if body.PasskeyEnabled = cast.Ptr(p.Enabled); p.Enabled {
+		body.WebauthnRpDisplayName = nullable.NewNullableWithValue(p.RpDisplayName)
+		body.WebauthnRpId = nullable.NewNullableWithValue(p.RpId)
+		body.WebauthnRpOrigins = nullable.NewNullableWithValue(strings.Join(p.RpOrigins, ","))
+	}
 }
 
 func (p *passkey) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
+	// When local config is not set, we assume platform defaults should not change
+	if p == nil {
+		return
+	}
+	// Ignore disabled passkey fields to minimise config diff
+	if p.Enabled {
+		p.RpDisplayName = ValOrDefault(remoteConfig.WebauthnRpDisplayName, "")
+		p.RpId = ValOrDefault(remoteConfig.WebauthnRpId, "")
+		p.RpOrigins = strToArr(ValOrDefault(remoteConfig.WebauthnRpOrigins, ""))
+	}
 	p.Enabled = remoteConfig.PasskeyEnabled
-	p.RpDisplayName = ValOrDefault(remoteConfig.WebauthnRpDisplayName, "")
-	p.RpId = ValOrDefault(remoteConfig.WebauthnRpId, "")
-	p.RpOrigins = strToArr(ValOrDefault(remoteConfig.WebauthnRpOrigins, ""))
 }
 
 func (h hook) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {

pkg/config/auth_test.go

@@ -235,8 +235,33 @@ func TestPasskeyConfigMapping(t *testing.T) {
 		assert.Equal(t, "http://127.0.0.1:3000,https://localhost:3000", ValOrDefault(body.WebauthnRpOrigins, ""))
 	})
 
+	t.Run("does not serialize rp fields when passkey is disabled", func(t *testing.T) {
+		c := newWithDefaults()
+		c.Passkey = &passkey{
+			Enabled:       false,
+			RpDisplayName: "Supabase CLI",
+			RpId:          "localhost",
+			RpOrigins:     []string{"http://127.0.0.1:3000"},
+		}
+		// Run test
+		body := c.ToUpdateAuthConfigBody()
+		// Check result
+		if assert.NotNil(t, body.PasskeyEnabled) {
+			assert.False(t, *body.PasskeyEnabled)
+		}
+		_, err := body.WebauthnRpDisplayName.Get()
+		assert.Error(t, err)
+		_, err = body.WebauthnRpId.Get()
+		assert.Error(t, err)
+		_, err = body.WebauthnRpOrigins.Get()
+		assert.Error(t, err)
+	})
+
 	t.Run("hydrates passkey config from remote", func(t *testing.T) {
 		c := newWithDefaults()
+		c.Passkey = &passkey{
+			Enabled: true,
+		}
 		// Run test
 		c.FromRemoteAuthConfig(v1API.AuthConfigResponse{
 			PasskeyEnabled:        true,
@@ -255,6 +280,35 @@ func TestPasskeyConfigMapping(t *testing.T) {
 			}, c.Passkey.RpOrigins)
 		}
 	})
+
+	t.Run("ignores remote settings when local passkey config is undefined", func(t *testing.T) {
+		c := newWithDefaults()
+		// Run test
+		c.FromRemoteAuthConfig(v1API.AuthConfigResponse{
+			PasskeyEnabled:        true,
+			WebauthnRpDisplayName: nullable.NewNullableWithValue("Supabase CLI"),
+			WebauthnRpId:          nullable.NewNullableWithValue("localhost"),
+			WebauthnRpOrigins:     nullable.NewNullableWithValue("http://127.0.0.1:3000"),
+		})
+		// Check result
+		assert.Nil(t, c.Passkey)
+	})
+}
+
+func TestPasskeyDiff(t *testing.T) {
+	t.Run("ignores undefined config", func(t *testing.T) {
+		c := newWithDefaults()
+		// Run test
+		diff, err := c.DiffWithRemote(v1API.AuthConfigResponse{
+			PasskeyEnabled:        true,
+			WebauthnRpDisplayName: nullable.NewNullableWithValue("Supabase CLI"),
+			WebauthnRpId:          nullable.NewNullableWithValue("localhost"),
+			WebauthnRpOrigins:     nullable.NewNullableWithValue("http://127.0.0.1:3000"),
+		})
+		// Check error
+		assert.NoError(t, err)
+		assert.Empty(t, string(diff))
+	})
 }
 
 func TestHookDiff(t *testing.T) {

pkg/config/config.go

@@ -922,9 +922,20 @@ func (c *config) Validate(fsys fs.FS) error {
 			}
 		}
 		if c.Auth.Passkey != nil {
-			for i, origin := range c.Auth.Passkey.RpOrigins {
-				if err := assertEnvLoaded(origin); err != nil {
-					return errors.Errorf("Invalid config for auth.passkey.rp_origins[%d]: %v", i, err)
+			if c.Auth.Passkey.Enabled {
+				if len(c.Auth.Passkey.RpId) == 0 {
+					return errors.New("Missing required field in config: auth.passkey.rp_id")
+				}
+				if len(c.Auth.Passkey.RpOrigins) == 0 {
+					return errors.New("Missing required field in config: auth.passkey.rp_origins")
+				}
+				if err := assertEnvLoaded(c.Auth.Passkey.RpId); err != nil {
+					return errors.Errorf("Invalid config for auth.passkey.rp_id: %v", err)
+				}
+				for i, origin := range c.Auth.Passkey.RpOrigins {
+					if err := assertEnvLoaded(origin); err != nil {
+						return errors.Errorf("Invalid config for auth.passkey.rp_origins[%d]: %v", i, err)
+					}
 				}
 			}
 		}

pkg/config/config_test.go

@@ -104,6 +104,44 @@ rp_origins = ["http://127.0.0.1:3000", "https://localhost:3000"]
 		}
 	})
 
+	t.Run("passkey enabled requires rp_id", func(t *testing.T) {
+		config := NewConfig()
+		fsys := fs.MapFS{
+			"supabase/config.toml": &fs.MapFile{Data: []byte(`
+[auth]
+enabled = true
+site_url = "http://127.0.0.1:3000"
+
+[auth.passkey]
+enabled = true
+rp_origins = ["http://127.0.0.1:3000"]
+`)},
+		}
+		// Run test
+		err := config.Load("", fsys)
+		// Check result
+		assert.ErrorContains(t, err, "Missing required field in config: auth.passkey.rp_id")
+	})
+
+	t.Run("passkey enabled requires rp_origins", func(t *testing.T) {
+		config := NewConfig()
+		fsys := fs.MapFS{
+			"supabase/config.toml": &fs.MapFile{Data: []byte(`
+[auth]
+enabled = true
+site_url = "http://127.0.0.1:3000"
+
+[auth.passkey]
+enabled = true
+rp_id = "localhost"
+`)},
+		}
+		// Run test
+		err := config.Load("", fsys)
+		// Check result
+		assert.ErrorContains(t, err, "Missing required field in config: auth.passkey.rp_origins")
+	})
+
 	t.Run("parses experimental pgdelta config", func(t *testing.T) {
 		config := NewConfig()
 		fsys := fs.MapFS{