fix passkey config mapping for synced auth types

Agent-Logs-Url: https://github.com/supabase/cli/sessions/504b9e67-3e5a-48a3-ab42-dbee4864f2eb

Co-authored-by: avallete <8771783+avallete@users.noreply.github.com>

Author: Copilot

pkg/config/auth.go

@@ -162,6 +162,7 @@ type (
 		PasswordRequirements       PasswordRequirements `toml:"password_requirements" json:"password_requirements"`
 		SigningKeysPath            string               `toml:"signing_keys_path" json:"signing_keys_path"`
 		SigningKeys                []JWK                `toml:"-" json:"-"`
+		Passkey                    *passkey             `toml:"passkey" json:"passkey"`
 
 		RateLimit   rateLimit   `toml:"rate_limit" json:"rate_limit"`
 		Captcha     *captcha    `toml:"captcha" json:"captcha"`
@@ -378,6 +379,13 @@ type (
 		Ethereum ethereum `toml:"ethereum" json:"ethereum"`
 	}
 
+	passkey struct {
+		Enabled       bool     `toml:"enabled" json:"enabled"`
+		RpDisplayName string   `toml:"rp_display_name" json:"rp_display_name"`
+		RpId          string   `toml:"rp_id" json:"rp_id"`
+		RpOrigins     []string `toml:"rp_origins" json:"rp_origins"`
+	}
+
 	OAuthServer struct {
 		Enabled                  bool   `toml:"enabled" json:"enabled"`
 		AllowDynamicRegistration bool   `toml:"allow_dynamic_registration" json:"allow_dynamic_registration"`
@@ -407,6 +415,9 @@ func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 	if a.Captcha != nil {
 		a.Captcha.toAuthConfigBody(&body)
 	}
+	if a.Passkey != nil {
+		a.Passkey.toAuthConfigBody(&body)
+	}
 	a.Hook.toAuthConfigBody(&body)
 	a.MFA.toAuthConfigBody(&body)
 	a.Sessions.toAuthConfigBody(&body)
@@ -430,6 +441,17 @@ func (a *auth) FromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 	a.MinimumPasswordLength = cast.IntToUint(ValOrDefault(remoteConfig.PasswordMinLength, 0))
 	prc := ValOrDefault(remoteConfig.PasswordRequiredCharacters, "")
 	a.PasswordRequirements = NewPasswordRequirement(v1API.UpdateAuthConfigBodyPasswordRequiredCharacters(prc))
+	passkeyDisplayName := ValOrDefault(remoteConfig.WebauthnRpDisplayName, "")
+	passkeyId := ValOrDefault(remoteConfig.WebauthnRpId, "")
+	passkeyOrigins := ValOrDefault(remoteConfig.WebauthnRpOrigins, "")
+	if remoteConfig.PasskeyEnabled || passkeyDisplayName != "" || passkeyId != "" || passkeyOrigins != "" {
+		if a.Passkey == nil {
+			a.Passkey = &passkey{}
+		}
+		a.Passkey.fromAuthConfig(remoteConfig)
+	} else {
+		a.Passkey = nil
+	}
 	a.RateLimit.fromAuthConfig(remoteConfig)
 	if s := a.Email.Smtp; s != nil && s.Enabled {
 		a.RateLimit.EmailSent = cast.IntToUint(ValOrDefault(remoteConfig.RateLimitEmailSent, 0))
@@ -489,6 +511,20 @@ func (c *captcha) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 	c.Enabled = ValOrDefault(remoteConfig.SecurityCaptchaEnabled, false)
 }
 
+func (p passkey) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
+	body.PasskeyEnabled = cast.Ptr(p.Enabled)
+	body.WebauthnRpDisplayName = nullable.NewNullableWithValue(p.RpDisplayName)
+	body.WebauthnRpId = nullable.NewNullableWithValue(p.RpId)
+	body.WebauthnRpOrigins = nullable.NewNullableWithValue(strings.Join(p.RpOrigins, ","))
+}
+
+func (p *passkey) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
+	p.Enabled = remoteConfig.PasskeyEnabled
+	p.RpDisplayName = ValOrDefault(remoteConfig.WebauthnRpDisplayName, "")
+	p.RpId = ValOrDefault(remoteConfig.WebauthnRpId, "")
+	p.RpOrigins = strToArr(ValOrDefault(remoteConfig.WebauthnRpOrigins, ""))
+}
+
 func (h hook) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	// When local config is not set, we assume platform defaults should not change
 	if hook := h.BeforeUserCreated; hook != nil {

pkg/config/auth_test.go

@@ -212,6 +212,51 @@ func TestCaptchaDiff(t *testing.T) {
 	})
 }
 
+func TestPasskeyConfigMapping(t *testing.T) {
+	t.Run("serializes passkey config to update body", func(t *testing.T) {
+		c := newWithDefaults()
+		c.Passkey = &passkey{
+			Enabled:       true,
+			RpDisplayName: "Supabase CLI",
+			RpId:          "localhost",
+			RpOrigins: []string{
+				"http://127.0.0.1:3000",
+				"https://localhost:3000",
+			},
+		}
+		// Run test
+		body := c.ToUpdateAuthConfigBody()
+		// Check result
+		if assert.NotNil(t, body.PasskeyEnabled) {
+			assert.True(t, *body.PasskeyEnabled)
+		}
+		assert.Equal(t, "Supabase CLI", ValOrDefault(body.WebauthnRpDisplayName, ""))
+		assert.Equal(t, "localhost", ValOrDefault(body.WebauthnRpId, ""))
+		assert.Equal(t, "http://127.0.0.1:3000,https://localhost:3000", ValOrDefault(body.WebauthnRpOrigins, ""))
+	})
+
+	t.Run("hydrates passkey config from remote", func(t *testing.T) {
+		c := newWithDefaults()
+		// Run test
+		c.FromRemoteAuthConfig(v1API.AuthConfigResponse{
+			PasskeyEnabled:        true,
+			WebauthnRpDisplayName: nullable.NewNullableWithValue("Supabase CLI"),
+			WebauthnRpId:          nullable.NewNullableWithValue("localhost"),
+			WebauthnRpOrigins:     nullable.NewNullableWithValue("http://127.0.0.1:3000,https://localhost:3000"),
+		})
+		// Check result
+		if assert.NotNil(t, c.Passkey) {
+			assert.True(t, c.Passkey.Enabled)
+			assert.Equal(t, "Supabase CLI", c.Passkey.RpDisplayName)
+			assert.Equal(t, "localhost", c.Passkey.RpId)
+			assert.Equal(t, []string{
+				"http://127.0.0.1:3000",
+				"https://localhost:3000",
+			}, c.Passkey.RpOrigins)
+		}
+	})
+}
+
 func TestHookDiff(t *testing.T) {
 	t.Run("local and remote enabled", func(t *testing.T) {
 		c := newWithDefaults()

pkg/config/config.go

@@ -260,6 +260,11 @@ func (a *auth) Clone() auth {
 		capt := *a.Captcha
 		copy.Captcha = &capt
 	}
+	if copy.Passkey != nil {
+		passkey := *a.Passkey
+		passkey.RpOrigins = slices.Clone(a.Passkey.RpOrigins)
+		copy.Passkey = &passkey
+	}
 	copy.External = maps.Clone(a.External)
 	if a.Email.Smtp != nil {
 		mailer := *a.Email.Smtp
@@ -916,6 +921,13 @@ func (c *config) Validate(fsys fs.FS) error {
 				return errors.Errorf("failed to decode signing keys: %w", err)
 			}
 		}
+		if c.Auth.Passkey != nil {
+			for i, origin := range c.Auth.Passkey.RpOrigins {
+				if err := assertEnvLoaded(origin); err != nil {
+					return errors.Errorf("Invalid config for auth.passkey.rp_origins[%d]: %v", i, err)
+				}
+			}
+		}
 		if err := c.Auth.Hook.validate(); err != nil {
 			return err
 		}

pkg/config/config_test.go

@@ -75,6 +75,35 @@ func TestConfigParsing(t *testing.T) {
 		assert.Error(t, config.Load("", fsys))
 	})
 
+	t.Run("config file with passkey settings", func(t *testing.T) {
+		config := NewConfig()
+		fsys := fs.MapFS{
+			"supabase/config.toml": &fs.MapFile{Data: []byte(`
+[auth]
+enabled = true
+site_url = "http://127.0.0.1:3000"
+
+[auth.passkey]
+enabled = true
+rp_display_name = "Supabase CLI"
+rp_id = "localhost"
+rp_origins = ["http://127.0.0.1:3000", "https://localhost:3000"]
+`)},
+		}
+		// Run test
+		assert.NoError(t, config.Load("", fsys))
+		// Check result
+		if assert.NotNil(t, config.Auth.Passkey) {
+			assert.True(t, config.Auth.Passkey.Enabled)
+			assert.Equal(t, "Supabase CLI", config.Auth.Passkey.RpDisplayName)
+			assert.Equal(t, "localhost", config.Auth.Passkey.RpId)
+			assert.Equal(t, []string{
+				"http://127.0.0.1:3000",
+				"https://localhost:3000",
+			}, config.Auth.Passkey.RpOrigins)
+		}
+	})
+
 	t.Run("parses experimental pgdelta config", func(t *testing.T) {
 		config := NewConfig()
 		fsys := fs.MapFS{

pkg/config/templates/config.toml

@@ -177,6 +177,13 @@ minimum_password_length = 6
 # are: `letters_digits`, `lower_upper_letters_digits`, `lower_upper_letters_digits_symbols`
 password_requirements = ""
 
+# Configure passkey sign-ins.
+# [auth.passkey]
+# enabled = false
+# rp_display_name = "Supabase"
+# rp_id = "localhost"
+# rp_origins = ["http://127.0.0.1:3000"]
+
 [auth.rate_limit]
 # Number of emails that can be sent per hour. Requires auth.email.smtp to be enabled.
 email_sent = 2