supabase-js icon indicating copy to clipboard operation
supabase-js copied to clipboard
verified publisher icon supabase

chore(auth): add webauthn tests

Open mandarini opened this issue 4 months ago β€’ 2 comments

Moved from: https://github.com/supabase/auth-js/pull/1127 Author: @Bewinxed

What kind of change does this PR introduce?

Enhancement + Small bug fix Add tests for the webauthn factorType and its (de)serialization/merging helpers. Fix fallback naming for the credential when no friendlyname is provided and the username is null

What is the current behavior?

The factorId parameter was being sent in both the URL path and the request body when calling the MFA challenge endpoint, which could cause issues with the API.

No tests for factorType webauthn

What is the new behavior?

  • Destructured factorId from params in the _challenge method to only include it in the URL path, not the request body
  • Added tests for serialization/deserialization.
  • Added WebAuthn helper tests to validate merge operations
  • Configured docker-compose.yml with WebAuthn environment variables for local testing

Additional context

We still need to bump the /auth version in the dockor-compose.yml once the build that supports webauthn is out.

mandarini avatar Oct 10 '25 14:10 mandarini

Nice work @Bewinxed πŸ‘ Thanks for getting those tests added!

Do we need to bump the auth version here for docker-compose?

Thank you! Yes we'll need to have a version of auth that has the webauthn changes merged

Bewinxed avatar Nov 10 '25 13:11 Bewinxed

Thank you! Yes we'll need to have a version of auth that has the webauthn changes merged

I believe v2.181.0 should have all the changes we're after right? cc: @hf

fadymak avatar Nov 10 '25 14:11 fadymak

@fadymak i think this should be good to go now, right?

mandarini avatar Jan 22 '26 10:01 mandarini

Coverage Status

coverage: 82.915% (+1.1%) from 81.864% when pulling b22229a49688247308e93647e552ab4a70ee9ce5 on bewinxed/webauthn-add-tests into a575212693896a3ad84dc39d6a2422d9ff15b569 on master.

coveralls avatar Jan 22 '26 10:01 coveralls

πŸ“ Walkthrough

Walkthrough

Enables WebAuthn MFA via Docker Compose and server config, changes MFA challenge routing to include factorId in the request URL, adds async fallback name resolution in WebAuthn challenge creation, and introduces WebAuthn fixtures and extensive tests for enrollment, challenge, verification, helpers, and serialization.

Changes

Cohort / File(s) Summary
Configuration
packages/core/auth-js/infra/docker-compose.yml		 Adds GOTRUE_MFA_WEB_AUTHN_ENROLL_ENABLED=true and GOTRUE_MFA_WEB_AUTHN_VERIFY_ENABLED=true to multiple gotrue-related service environments.
Server config
packages/core/auth-js/test/supabase/config.toml		 Un-comments [auth.mfa.web_authn] and sets enroll_enabled = true and verify_enabled = true.
Client β€” MFA challenge routing
packages/core/auth-js/src/GoTrueClient.ts		 Destructures factorId from params, uses it in the request path /factors/{factorId}/challenge, and sends remaining params as the request body.
Client β€” WebAuthn naming fallback
packages/core/auth-js/src/lib/webauthn.ts		 When user.name or user.displayName are missing, asynchronously fetches current user and derives a fallback from user_metadata.name, email, id, or 'User', then populates missing fields.
Test fixtures
packages/core/auth-js/test/webauthn.fixtures.ts		 New exports with deterministic creation/assertion fixtures and mock credential objects: webauthnAssertionCredentialResponse, webauthnAssertionMockCredential, webauthnCreationCredentialResponse, webauthnCreationMockCredential.
Tests β€” GoTrueClient WebAuthn MFA
packages/core/auth-js/test/GoTrueClient.test.ts		 Adds WebAuthn MFA test suite covering enrollment, challenge, verify, unenroll, session/no-session cases, and WebAuthn API mocks/serialization helpers.
Tests β€” WebAuthn helpers
packages/core/auth-js/test/webauthn.helpers.test.ts		 New comprehensive tests for deserialize/serialize and merge utilities (creation/request options, responses, defaults, ArrayBuffer handling, native vs polyfill paths).

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • supabase/supabase-js#2063 β€” Modifies the same docker-compose service blocks (gotrue, autoconfirm, autoconfirm_with_asymmetric_keys, disabled); related to environment/config updates.
πŸš₯ Pre-merge checks | βœ… 3
βœ… Passed checks (3 passed)
Check name Status Explanation
Docstring Coverage βœ… Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check βœ… Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check βœ… Passed The title accurately reflects the main changes: adding WebAuthn tests and fixing fallback naming for credentials.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • [ ] πŸ“ Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Jan 28 '26 11:01 coderabbitai[bot]