Skip to content

feat: add WebAuthn Signal API (signalUnknownCredential, signalAllAcceptedCredentials)#105

Open
plgrazon wants to merge 1 commit into
f-23:stablefrom
plgrazon:plgrazon/signal-api
Open

feat: add WebAuthn Signal API (signalUnknownCredential, signalAllAcceptedCredentials)#105
plgrazon wants to merge 1 commit into
f-23:stablefrom
plgrazon:plgrazon/signal-api

Conversation

@plgrazon

Copy link
Copy Markdown
Contributor

Summary

Adds the WebAuthn Signal API to the package so apps can keep OS credential managers (iCloud Keychain, Google Password Manager, …) in sync with their server — removing/hiding passkeys the server has revoked or deleted.

Two methods are added to Passkey:

  • Passkey.signalUnknownCredential({ rpId, credentialId }) — reports a single credential the relying party no longer recognizes. Safe to call unauthenticated (e.g. after a failed sign-in): it takes only a credential id and no user handle.
  • Passkey.signalAllAcceptedCredentials({ rpId, userId, allAcceptedCredentialIds }) — reports the complete set of credential ids still accepted for a user; the OS removes/hides any stored credential not in the list (reversible; an empty list hides all). Use when authenticated to authoritatively prune.

Both are best-effort: they resolve once the request is accepted and no-op on OS versions without Signal API support. Credential ids and the user handle are Base64URL strings.

Implementation

  • JS/TS — two static methods on Passkey plus exported request types PasskeySignalUnknownCredentialRequest / PasskeySignalAllAcceptedCredentialsRequest.
  • iOSASCredentialUpdater.reportUnknownPublicKeyCredential / reportAllAcceptedPublicKeyCredentials, guarded by #available(iOS 26.0, *) (no-ops below). Reuses the existing Data(base64URLEncoded:) helper.
  • AndroidCredentialManager.signalCredentialState with SignalUnknownCredentialRequest / SignalAllAcceptedCredentialIdsRequest. This requires bumping androidx.credentials 1.5.0 → 1.6.0 (the release that ships these classes).
  • Docs — new "Signal API" section in the README.
  • Tests — unit tests on both the iOS and Android specs verifying the native bridge is called with the right arguments (including that allAcceptedCredentialIds is JSON-stringified).

Notes for reviewers

  • iOS build requirement: ASCredentialUpdater needs the iOS 26 SDK at compile time. The podspec deployment target stays at 15.0 and the #available guard handles runtime, but CI must build with an Xcode that has the iOS 26 SDK.
  • signalCurrentUserDetails is intentionally not included in this PR; it can be added in a follow-up.

Test plan

  • yarn lint
  • yarn typescript
  • yarn test (13 passed)
  • yarn prepare (bob build)

@plgrazon
plgrazon marked this pull request as draft June 18, 2026 15:56
@plgrazon
plgrazon marked this pull request as ready for review July 6, 2026 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant