supabase / supabase-swift / 27678645985
81%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 94
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 81.015% (-0.9%) from 81.867%
27678645985

push

github

web-flow 
feat(auth): add WebAuthn/passkey support (#1013)

* feat(auth): add WebAuthn/passkey support

Add WebAuthn as a second factor (MFA) and first-factor passkey
authentication. Includes native AuthenticationServices ceremony helpers
(signInWithPasskey, registerPasskey, enrollWebAuthnFactor,
verifyWebAuthnFactor) for iOS 16+/macOS 13+, plus lower-level
options/verify methods, passkey CRUD, new types and error codes.

WebAuthn credential payloads are encoded without the snake_case strategy
so W3C field names (clientDataJSON, attestationObject, ...) reach the
backend verbatim.

Linear: SDK-839

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* refactor(auth): gate WebAuthn/passkey API behind @_spi(Experimental)

WebAuthn/passkey support is experimental — the first-factor /passkeys/* contract
in particular is inferred and may change. Mark the whole surface (types, passkey
methods, MFA ceremony helpers, the webauthn members on MFAChallengeParams /
MFAVerifyParams / AuthMFAChallengeResponse / AuthMFAListFactorsResponse, and the
5 error codes) as @_spi(Experimental), re-exported through the Supabase umbrella.

Consumers opt in with `@_spi(Experimental) import Supabase`. The stable TOTP/phone
MFA API is unchanged. Keeping it out of the public API surface lets the inferred
contract evolve without breaking-API friction.

Linear: SDK-839

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(auth): keep MFAVerifyParams.code non-optional for API stability

Reverting `code` to a non-optional `String` (it had become `String?` to support the
experimental webauthn verify init) avoids a breaking public-API change flagged by the
API-stability check. The webauthn init sets `code = ""`; that path builds its request
body manually via `encodeWebAuthnBody`, so `code` is never encoded for webauthn.

Linear: SDK-839

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test(integration): grant table permissions to anon/authenticated

The integration-test s... (continued)

237 of 365 new or added lines in 7 files covered. (64.93%)

21 existing lines in 1 file now uncovered.

7489 of 9244 relevant lines covered (81.01%)

36.93 hits per line

Uncovered Changes

Lines Coverage File
91
28.35
 Sources/Auth/WebAuthn/WebAuthnAuthenticator.swift
16
69.81
 Sources/Auth/WebAuthn/AuthMFA+WebAuthn.swift
15
86.73
 Sources/Auth/WebAuthn/AuthClient+Passkey.swift
6
72.73
 Sources/Auth/WebAuthn/WebAuthnTypes.swift

Coverage Regressions

Lines Coverage File
21
25.74
 -11.76% Sources/Auth/Internal/Keychain.swift
Jobs
ID Job ID Ran Files Coverage
1 27678645985.1 94
81.01
 GitHub Action Run
Source Files on build 27678645985