IS-11252 WebAuthn client operations in the LWA #154
Draft
aleixsuau wants to merge 6 commits into integration/IS-5161/login-web-app from
Implements the webauthn-registration and webauthn-authentication HAAPI client operations, including any-device-mode that may offer the user a choice between platform and cross-platform credentials. The feature comes with a folder restructure: per-operation modules live under a new operations/ subfolder, with the previous client-operations.ts god-file slimmed to a thin dispatcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Any-device-mode `webauthn-registration` actions split into two siblings now read e.g. "Register new device (This device)" / "Register new device (Another device)" instead of just the device label, preserving the server-supplied original title. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Adds full HAAPI WebAuthn client-operation support (registration + authentication), including any-device mode that renders separate “platform” vs “cross-platform” choices, and refactors the client-operation implementation into per-operation modules.
Changes:
- Add WebAuthn registration/authentication runners, plus action-splitting for any-device registration so the UI can render one button per option.
- Introduce runtime capability gating in the default client-operation UI (disable WebAuthn actions when unsupported / when platform authenticator is unavailable for platform-only any-device registration).
- Refactor client-operation code into `feature/actions/client-operation/operations/*` and update imports/exports/tests accordingly.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/login-web-app/src/haapi-stepper/feature/stepper/HaapiStepper.tsx | Updates client-operation import to the refactored operations entrypoint. |
| src/login-web-app/src/haapi-stepper/feature/stepper/HaapiStepper.spec.tsx | Updates BankID app opener mocking path after refactor. |
| src/login-web-app/src/haapi-stepper/feature/stepper/data-formatters/polling-step.ts | Uses new BankID operation exports for polling autostart behavior. |
| src/login-web-app/src/haapi-stepper/feature/stepper/data-formatters/format-next-step-data.ts | Adds WebAuthn registration action splitting to emit one action per credential option. |
| src/login-web-app/src/haapi-stepper/feature/index.ts | Re-exports refactored client-operations entrypoint. |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/HaapiStepperClientOperationUI.tsx | Disables client-operation button based on runtime availability; removes render prop. |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/HaapiStepperClientOperationUI.spec.tsx | Adds tests for default rendering and WebAuthn any-device split integration. |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/useIsClientOperationAvailable.ts | New availability hook for capability-gating client-operation actions. |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/operations/client-operations.ts | New dispatcher for client operations (BankID, external browser flow, WebAuthn). |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/operations/external-browser-flow.ts | Extracted external-browser-flow runner and type guard. |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/operations/bankid/* | Extracted BankID operation (runner, opener, type guard). |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/operations/webauthn/* | Implements WebAuthn runners, action splitting helpers, and platform authenticator availability hook. |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/openBankIdApp.ts | Removed old BankID opener (moved into operations/bankid). |
| src/login-web-app/src/haapi-stepper/feature/actions/client-operation/client-operations.ts | Removed monolithic client-operations implementation (replaced by per-operation modules). |
| src/login-web-app/src/haapi-stepper/data-access/types/haapi-action.types.ts | Refines WebAuthn registration typing and introduces selected-option enum. |
Comment on lines +41 to +45
| const launchUrl = new URL(action.model.arguments.href); | ||
| launchUrl.searchParams.set('for_origin', window.location.origin); | ||
|
|
||
| const externalWindow = window.open(launchUrl); | ||
| if (!externalWindow) { |
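Review bot: `action.model.arguments.href` is parsed with `new URL(...)` and handed to `window.open(launchUrl)` without any check on the resulting scheme, so whatever scheme the action carries (a `javascript:` URL included) is opened as-is. Check `launchUrl.protocol` against `https:` (or an explicit allow-list) before the `window.open` call and reject otherwise, the same way the `!externalWindow` case is handled.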
Comment on lines +44 to +46
| const externalWindow = window.open(launchUrl); | ||
| if (!externalWindow) { | ||
| reject(new Error('Failed to open external browser window')); |
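Review bot: the blocked-popup branch under `if (!externalWindow)` rejects with a bare `Error`, so a caller can only tell this case apart from other failures by matching the message string. A dedicated error class or a `code` property on the rejection would let the UI show a pop-up-blocker hint for this case specifically.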
Agent-Logs-Url: https://github.com/curityio/ui-kit/sessions/d01d151a-f43f-4115-bfa2-9a929963ff8a Co-authored-by: aleixsuau <25689432+aleixsuau@users.noreply.github.com>
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Extract `createMockExternalBrowserFlowAction`, `createMockBankIdAction`, `createMockWebAuthnRegistrationAction`, `createMockWebAuthnAnyDeviceBothOptionsAction`, and `createMockWebAuthnPlatformOnlyAnyDeviceAction` (plus their default-title constants) from the spec into the shared `util/tests/mocks.ts`, so future specs can reuse them. The spec drops 114 lines of local helpers and relies on imports. `stubPublicKeyCredential` stays in the spec — it's a global-API stub builder, not a HAAPI-data factory. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Consolidate the four WebAuthn tests (enables, disables on API absent,
disables on missing platform authenticator, splits into two buttons)
into one flat `describe('WebAuthn')` block. Each test sets up only what
it needs; a single `afterEach` cleans up `vi.stubGlobal` and the mocked
`useIsWebAuthnPlatformAuthenticatorAvailable` hook.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The JSDoc examples in `HaapiStepper.tsx` and `HaapiStepperSelectorUI.tsx`
referenced fields that don't exist on `dataHelpers` (`formActions`,
`selectorActions`, `clientOperationActions`). Updated to the real
`actions.{form,selector,clientOperation}` shape so consumers can
copy/paste them.
Also swapped the example `key` props from `action.kind` / `link.rel`
(neither unique) to `action.id` / `link.id`, matching the production
factory in `defaultHaapiStepperActionElementFactory.tsx`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Jira: https://curity.atlassian.net/browse/IS-11252
Adds full support for `webauthn-registration` and `webauthn-authentication` HAAPI client operations, including the any-device-mode where the user picks between platform and cross-platform credentials.

Part 1 — WebAuthn pipeline

1. Format — split the action. `formatNextStepData` runs each `webauthn-registration` action through `splitWebAuthnRegistrationAction`. Any-device-mode with both options becomes two sibling actions, each titled "This device" / "Another device". Single-option and passkeys-mode pass through.
2. Render — one button per option, capability-gated. The default rendering pipeline produces one button per emitted action. `useIsClientOperationAvailable` disables it when the WebAuthn API is missing, or — for platform-only any-device registration — when no user-verifying platform authenticator is available.
3. Click — run the ceremony. `performClientOperation` dispatches to `runWebAuthnRegistration` (calls `navigator.credentials.create()`, serialises under the matching `credential` / `platformCredential` / `crossPlatformCredential` payload key) or `runWebAuthnAuthentication` (calls `navigator.credentials.get()`, serialises under `credential`). Both honour the `AbortSignal` and resume the flow via `continueActions[0]`.

Part 2 — Folder refactor (no behaviour change)

`feature/actions/client-operation/` reorganized so each operation owns its own folder/file as webauthn.

Test plan

- `webauthn-authentication` — ceremony completes

Follow-ups (separate PRs)

- `errorActions` or in-flow user feedback yet.
- `bankIdAutostart`: a config flag to start the ceremony immediately on step entry.
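The split and capability-gating steps of the pipeline described above, as an added example that is not code from this pull request. Every type and function name in it is hypothetical, and the action shape, the id scheme, the mapping of modes to payload keys, and gating a split "This device" sibling like a platform-only action are assumptions; only `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` is the real browser API.

```typescript
// Added illustration: all type and function names are hypothetical, not the PR's.
type DeviceOption = 'platform' | 'cross-platform';
type PayloadKey = 'credential' | 'platformCredential' | 'crossPlatformCredential';
interface RegistrationAction {
  id: string;
  title: string;           // server-supplied title, preserved when splitting
  anyDeviceMode: boolean;  // false models passkeys mode
  options: DeviceOption[]; // what the server offers for this action
}
interface RenderedAction extends RegistrationAction { payloadKey: PayloadKey }
interface WebAuthnCaps { apiPresent: boolean; platformAuthenticator: boolean }
const DEVICE_LABEL: Record<DeviceOption, string> = {
  'platform': 'This device',
  'cross-platform': 'Another device',
};
const payloadKeyFor = (o: DeviceOption): PayloadKey =>
  o === 'platform' ? 'platformCredential' : 'crossPlatformCredential';

// Any-device mode with both options becomes two siblings; everything else passes through.
function splitRegistrationAction(action: RegistrationAction): RenderedAction[] {
  if (!action.anyDeviceMode) return [{ ...action, payloadKey: 'credential' }];
  if (action.options.length < 2) {
    return action.options.map((o) => ({ ...action, payloadKey: payloadKeyFor(o) }));
  }
  return action.options.map((o) => ({
    ...action,
    id: `${action.id}:${o}`, // assumed id scheme so sibling keys stay unique
    title: `${action.title} (${DEVICE_LABEL[o]})`,
    options: [o],
    payloadKey: payloadKeyFor(o),
  }));
}

// Probe the browser once; `scope` is injectable so the check can be stubbed in tests.
async function probeCapabilities(scope: any = globalThis): Promise<WebAuthnCaps> {
  const pkc = scope.PublicKeyCredential;
  if (!pkc) return { apiPresent: false, platformAuthenticator: false };
  const uvpaa = typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === 'function'
    ? await pkc.isUserVerifyingPlatformAuthenticatorAvailable().catch(() => false)
    : false;
  return { apiPresent: true, platformAuthenticator: Boolean(uvpaa) };
}

// An any-device action whose only option is platform needs a platform authenticator.
function isActionAvailable(action: RegistrationAction, caps: WebAuthnCaps): boolean {
  if (!caps.apiPresent) return false;
  const platformOnly = action.anyDeviceMode &&
    action.options.length === 1 && action.options[0] === 'platform';
  return !platformOnly || caps.platformAuthenticator;
}
```

A probe that throws or is absent is treated as "no platform authenticator", so the button fails closed rather than starting a ceremony that cannot complete.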