implementing finalize passkey enrollment

Author: srushtisv

FirebaseAuth/Sources/Swift/Backend/RPC/FinalizePasskeyEnrollmentRequest.swift

@@ -0,0 +1,72 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+/// The GCIP endpoint for finalizePasskeyEnrollment rpc
+private let finalizePasskeyEnrollmentEndPoint = "accounts/passkeyEnrollment:finalize"
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+class FinalizePasskeyEnrollmentRequest: IdentityToolkitRequest, AuthRPCRequest {
+  typealias Response = FinalizePasskeyEnrollmentResponse
+
+  /// The raw user access token.
+  let idToken: String
+  /// The passkey name.
+  let name: String
+  /// The credential ID.
+  let credentialID: String
+  /// The CollectedClientData object from the authenticator.
+  let clientDataJSON: String
+  /// The attestation object from the authenticator.
+  let attestationObject: String
+
+  init(idToken: String,
+       name: String,
+       credentialID: String,
+       clientDataJSON: String,
+       attestationObject: String,
+       requestConfiguration: AuthRequestConfiguration) {
+    self.idToken = idToken
+    self.name = name
+    self.credentialID = credentialID
+    self.clientDataJSON = clientDataJSON
+    self.attestationObject = attestationObject
+    super.init(
+      endpoint: finalizePasskeyEnrollmentEndPoint,
+      requestConfiguration: requestConfiguration,
+      useIdentityPlatform: true
+    )
+  }
+
+  var unencodedHTTPRequestBody: [String: AnyHashable]? {
+    var postBody: [String: AnyHashable] = [
+      "idToken": idToken,
+      "name": name,
+    ]
+    let authAttestationResponse: [String: AnyHashable] = [
+      "clientDataJSON": clientDataJSON,
+      "attestationObject": attestationObject,
+    ]
+    let authRegistrationResponse: [String: AnyHashable] = [
+      "id": credentialID,
+      "response": authAttestationResponse,
+    ]
+    postBody["authenticatorRegistrationResponse"] = authRegistrationResponse
+    if let tenantId = tenantID {
+      postBody["tenantId"] = tenantId
+    }
+    return postBody
+  }
+}

FirebaseAuth/Sources/Swift/Backend/RPC/FinalizePasskeyEnrollmentResponse.swift

@@ -0,0 +1,34 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+struct FinalizePasskeyEnrollmentResponse: AuthRPCResponse {
+  /// The user raw access token.
+  let idToken: String
+  /// Refresh token for the authenticated user.
+  let refreshToken: String
+
+  init(dictionary: [String: AnyHashable]) throws {
+    guard
+      let idToken = dictionary["idToken"] as? String,
+      let refreshToken = dictionary["refreshToken"] as? String
+    else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    self.idToken = idToken
+    self.refreshToken = refreshToken
+  }
+}

FirebaseAuth/Sources/Swift/User/User.swift

@@ -1102,6 +1102,33 @@ extension User: NSSecureCoding {}
       )
       return registrationRequest
     }
+
+    /// Finalize the passkey enrollment with the platfrom public key credential.
+    /// - Parameter platformCredential: The name for the passkey to be created.
+    @available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+    public func finalizePasskeyEnrollment(withPlatformCredential platformCredential: ASAuthorizationPlatformPublicKeyCredentialRegistration) async throws
+      -> AuthDataResult {
+      let credentialID = platformCredential.credentialID.base64EncodedString()
+      let clientDataJSON = platformCredential.rawClientDataJSON.base64EncodedString()
+      let attestationObject = platformCredential.rawAttestationObject!.base64EncodedString()
+
+      let request = FinalizePasskeyEnrollmentRequest(
+        idToken: rawAccessToken(),
+        name: passkeyName ?? "Unnamed account (Apple)",
+        credentialID: credentialID,
+        clientDataJSON: clientDataJSON,
+        attestationObject: attestationObject,
+        requestConfiguration: auth!.requestConfiguration
+      )
+      let response = try await backend.call(with: request)
+      let user = try await auth!.completeSignIn(
+        withAccessToken: response.idToken,
+        accessTokenExpirationDate: nil,
+        refreshToken: response.refreshToken,
+        anonymous: false
+      )
+      return AuthDataResult(withUser: user, additionalUserInfo: nil)
+    }
   #endif
 
   // MARK: Internal implementations below

FirebaseAuth/Tests/Unit/FinalizePasskeyEnrollmentRequestTests.swift

@@ -0,0 +1,97 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+@testable import FirebaseAuth
+import Foundation
+import XCTest
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+class FinalizePasskeyEnrollmentRequestTests: XCTestCase {
+  private var request: FinalizePasskeyEnrollmentRequest!
+  private var fakeConfig: AuthRequestConfiguration!
+
+  override func setUp() {
+    super.setUp()
+    fakeConfig = AuthRequestConfiguration(
+      apiKey: "FAKE_API_KEY",
+      appID: "FAKE_APP_ID"
+    )
+  }
+
+  override func tearDown() {
+    request = nil
+    fakeConfig = nil
+    super.tearDown()
+  }
+
+  func testInitWithValidParameters() {
+    request = FinalizePasskeyEnrollmentRequest(
+      idToken: "ID_TOKEN",
+      name: "MyPasskey",
+      credentialID: "CRED_ID",
+      clientDataJSON: "CLIENT_JSON",
+      attestationObject: "ATTEST_OBJ",
+      requestConfiguration: fakeConfig
+    )
+
+    XCTAssertEqual(request.idToken, "ID_TOKEN")
+    XCTAssertEqual(request.name, "MyPasskey")
+    XCTAssertEqual(request.credentialID, "CRED_ID")
+    XCTAssertEqual(request.clientDataJSON, "CLIENT_JSON")
+    XCTAssertEqual(request.attestationObject, "ATTEST_OBJ")
+    XCTAssertEqual(request.endpoint, "accounts/passkeyEnrollment:finalize")
+    XCTAssertTrue(request.useIdentityPlatform)
+  }
+
+  func testUnencodedHTTPRequestBodyWithoutTenantId() {
+    request = FinalizePasskeyEnrollmentRequest(
+      idToken: "ID_TOKEN",
+      name: "MyPasskey",
+      credentialID: "CRED_ID",
+      clientDataJSON: "CLIENT_JSON",
+      attestationObject: "ATTEST_OBJ",
+      requestConfiguration: fakeConfig
+    )
+
+    let body = request.unencodedHTTPRequestBody
+    XCTAssertNotNil(body)
+    XCTAssertEqual(body?["idToken"] as? String, "ID_TOKEN")
+    XCTAssertEqual(body?["name"] as? String, "MyPasskey")
+
+    let authReg = body?["authenticatorRegistrationResponse"] as? [String: AnyHashable]
+    XCTAssertNotNil(authReg)
+    XCTAssertEqual(authReg?["id"] as? String, "CRED_ID")
+
+    let authResp = authReg?["response"] as? [String: AnyHashable]
+    XCTAssertEqual(authResp?["clientDataJSON"] as? String, "CLIENT_JSON")
+    XCTAssertEqual(authResp?["attestationObject"] as? String, "ATTEST_OBJ")
+
+    XCTAssertNil(body?["tenantId"])
+  }
+
+  func testUnencodedHTTPRequestBodyWithTenantId() {
+    request = FinalizePasskeyEnrollmentRequest(
+      idToken: "ID_TOKEN",
+      name: "MyPasskey",
+      credentialID: "CRED_ID",
+      clientDataJSON: "CLIENT_JSON",
+      attestationObject: "ATTEST_OBJ",
+      requestConfiguration: fakeConfig
+    )
+    request.tenantID = "TENANT_ID"
+
+    let body = request.unencodedHTTPRequestBody
+    XCTAssertEqual(body?["tenantId"] as? String, "TENANT_ID")
+  }
+}

FirebaseAuth/Tests/Unit/FinalizePasskeyEnrollmentResponseTests.swift

@@ -0,0 +1,56 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+@testable import FirebaseAuth
+import XCTest
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+class FinalizePasskeyEnrollmentResponseTests: XCTestCase {
+  private func makeValidDictionary() -> [String: AnyHashable] {
+    return [
+      "idToken": "FAKE_ID_TOKEN" as AnyHashable,
+      "refreshToken": "FAKE_REFRESH_TOKEN" as AnyHashable,
+    ]
+  }
+
+  func testInitWithValidDictionary() throws {
+    let response = try FinalizePasskeyEnrollmentResponse(
+      dictionary: makeValidDictionary()
+    )
+    XCTAssertEqual(response.idToken, "FAKE_ID_TOKEN")
+    XCTAssertEqual(response.refreshToken, "FAKE_REFRESH_TOKEN")
+  }
+
+  func testInitWithMissingIdTokenThrowsError() {
+    var dict = makeValidDictionary()
+    dict.removeValue(forKey: "idToken")
+    XCTAssertThrowsError(
+      try FinalizePasskeyEnrollmentResponse(dictionary: dict)
+    )
+  }
+
+  func testInitWithMissingRefreshTokenThrowsError() {
+    var dict = makeValidDictionary()
+    dict.removeValue(forKey: "refreshToken")
+    XCTAssertThrowsError(
+      try FinalizePasskeyEnrollmentResponse(dictionary: dict)
+    )
+  }
+
+  func testInitWithEmptyDictionaryThrowsError() {
+    XCTAssertThrowsError(
+      try FinalizePasskeyEnrollmentResponse(dictionary: [:])
+    )
+  }
+}