Passkey new finalize enrollment

FirebaseAuth/Sources/Swift/Backend/RPC/FinalizePasskeyEnrollmentRequest.swift

@@ -0,0 +1,72 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+/// The GCIP endpoint for finalizePasskeyEnrollment rpc
+private let finalizePasskeyEnrollmentEndPoint = "accounts/passkeyEnrollment:finalize"
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+class FinalizePasskeyEnrollmentRequest: IdentityToolkitRequest, AuthRPCRequest {
+  typealias Response = FinalizePasskeyEnrollmentResponse
+
+  /// The raw user access token.
+  let idToken: String
+  /// The passkey name.
+  let name: String
+  /// The credential ID.
+  let credentialID: String
+  /// The CollectedClientData object from the authenticator.
+  let clientDataJSON: String
+  /// The attestation object from the authenticator.
+  let attestationObject: String
+
+  init(idToken: String,
+       name: String,
+       credentialID: String,
+       clientDataJSON: String,
+       attestationObject: String,
+       requestConfiguration: AuthRequestConfiguration) {
+    self.idToken = idToken
+    self.name = name
+    self.credentialID = credentialID
+    self.clientDataJSON = clientDataJSON
+    self.attestationObject = attestationObject
+    super.init(
+      endpoint: finalizePasskeyEnrollmentEndPoint,
+      requestConfiguration: requestConfiguration,
+      useIdentityPlatform: true
+    )
+  }
+
+  var unencodedHTTPRequestBody: [String: AnyHashable]? {
+    var postBody: [String: AnyHashable] = [
+      "idToken": idToken,
+      "name": name,
+    ]
+    let authAttestationResponse: [String: AnyHashable] = [
+      "clientDataJSON": clientDataJSON,
+      "attestationObject": attestationObject,
+    ]
+    let authRegistrationResponse: [String: AnyHashable] = [
+      "id": credentialID,
+      "response": authAttestationResponse,
+    ]
+    postBody["authenticatorRegistrationResponse"] = authRegistrationResponse
+    if let tenantId = tenantID {
+      postBody["tenantId"] = tenantId
+    }
+    return postBody
+  }
+}

FirebaseAuth/Sources/Swift/Backend/RPC/FinalizePasskeyEnrollmentResponse.swift

@@ -0,0 +1,34 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+struct FinalizePasskeyEnrollmentResponse: AuthRPCResponse {
+  /// The user raw access token.
+  let idToken: String
+  /// Refresh token for the authenticated user.
+  let refreshToken: String
+
+  init(dictionary: [String: AnyHashable]) throws {
+    guard
+      let idToken = dictionary["idToken"] as? String,
+      let refreshToken = dictionary["refreshToken"] as? String
+    else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    self.idToken = idToken
+    self.refreshToken = refreshToken
+  }
+}

FirebaseAuth/Sources/Swift/User/User.swift

@@ -1102,6 +1102,33 @@ extension User: NSSecureCoding {}
       )
       return registrationRequest
     }
+
+    /// Finalize the passkey enrollment with the platfrom public key credential.
+    /// - Parameter platformCredential: The name for the passkey to be created.
+    @available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+    public func finalizePasskeyEnrollment(withPlatformCredential platformCredential: ASAuthorizationPlatformPublicKeyCredentialRegistration) async throws
+      -> AuthDataResult {
+      let credentialID = platformCredential.credentialID.base64EncodedString()
+      let clientDataJSON = platformCredential.rawClientDataJSON.base64EncodedString()
+      let attestationObject = platformCredential.rawAttestationObject!.base64EncodedString()
+
+      let request = FinalizePasskeyEnrollmentRequest(
+        idToken: rawAccessToken(),
+        name: passkeyName ?? "Unnamed account (Apple)",
+        credentialID: credentialID,
+        clientDataJSON: clientDataJSON,
+        attestationObject: attestationObject,
+        requestConfiguration: auth!.requestConfiguration
+      )
+      let response = try await backend.call(with: request)
+      let user = try await auth!.completeSignIn(
+        withAccessToken: response.idToken,
+        accessTokenExpirationDate: nil,
+        refreshToken: response.refreshToken,
+        anonymous: false
+      )
+      return AuthDataResult(withUser: user, additionalUserInfo: nil)
+    }
   #endif
 
   // MARK: Internal implementations below

FirebaseAuth/Tests/Unit/FinalizePasskeyEnrollmentRequestTests.swift

@@ -0,0 +1,114 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#if os(iOS) || os(tvOS) || os(macOS)
+
+  @testable import FirebaseAuth
+  import FirebaseCore
+  import Foundation
+  import XCTest
+
+  @available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+  class FinalizePasskeyEnrollmentRequestTests: XCTestCase {
+    private var request: FinalizePasskeyEnrollmentRequest!
+    private var fakeConfig: AuthRequestConfiguration!
+
+    override func setUp() {
+      super.setUp()
+      fakeConfig = AuthRequestConfiguration(
+        apiKey: "FAKE_API_KEY",
+        appID: "FAKE_APP_ID"
+      )
+    }
+
+    override func tearDown() {
+      request = nil
+      fakeConfig = nil
+      super.tearDown()
+    }
+
+    func testInitWithValidParameters() {
+      request = FinalizePasskeyEnrollmentRequest(
+        idToken: "ID_TOKEN",
+        name: "MyPasskey",
+        credentialID: "CRED_ID",
+        clientDataJSON: "CLIENT_JSON",
+        attestationObject: "ATTEST_OBJ",
+        requestConfiguration: fakeConfig
+      )
+
+      XCTAssertEqual(request.idToken, "ID_TOKEN")
+      XCTAssertEqual(request.name, "MyPasskey")
+      XCTAssertEqual(request.credentialID, "CRED_ID")
+      XCTAssertEqual(request.clientDataJSON, "CLIENT_JSON")
+      XCTAssertEqual(request.attestationObject, "ATTEST_OBJ")
+      XCTAssertEqual(request.endpoint, "accounts/passkeyEnrollment:finalize")
+      XCTAssertTrue(request.useIdentityPlatform)
+    }
+
+    func testUnencodedHTTPRequestBodyWithoutTenantId() {
+      request = FinalizePasskeyEnrollmentRequest(
+        idToken: "ID_TOKEN",
+        name: "MyPasskey",
+        credentialID: "CRED_ID",
+        clientDataJSON: "CLIENT_JSON",
+        attestationObject: "ATTEST_OBJ",
+        requestConfiguration: fakeConfig
+      )
+
+      let body = request.unencodedHTTPRequestBody
+      XCTAssertNotNil(body)
+      XCTAssertEqual(body?["idToken"] as? String, "ID_TOKEN")
+      XCTAssertEqual(body?["name"] as? String, "MyPasskey")
+
+      let authReg = body?["authenticatorRegistrationResponse"] as? [String: AnyHashable]
+      XCTAssertNotNil(authReg)
+      XCTAssertEqual(authReg?["id"] as? String, "CRED_ID")
+
+      let authResp = authReg?["response"] as? [String: AnyHashable]
+      XCTAssertEqual(authResp?["clientDataJSON"] as? String, "CLIENT_JSON")
+      XCTAssertEqual(authResp?["attestationObject"] as? String, "ATTEST_OBJ")
+
+      XCTAssertNil(body?["tenantId"])
+    }
+
+    func testUnencodedHTTPRequestBodyWithTenantId() {
+      // setting up fake auth to set tenantId
+      let options = FirebaseOptions(googleAppID: "0:0000000000000:ios:0000000000000000",
+                                    gcmSenderID: "00000000000000000-00000000000-000000000")
+      options.apiKey = AuthTests.kFakeAPIKey
+      options.projectID = "myProjectID"
+      let name = "test-AuthTests\(AuthTests.testNum)"
+      AuthTests.testNum = AuthTests.testNum + 1
+      let fakeAuth = Auth(app: FirebaseApp(instanceWithName: name, options: options))
+      fakeAuth.tenantID = "TEST_TENANT"
+      let configWithTenant = AuthRequestConfiguration(
+        apiKey: "FAKE_API_KEY",
+        appID: "FAKE_APP_ID",
+        auth: fakeAuth
+      )
+      request = FinalizePasskeyEnrollmentRequest(
+        idToken: "ID_TOKEN",
+        name: "MyPasskey",
+        credentialID: "CRED_ID",
+        clientDataJSON: "CLIENT_JSON",
+        attestationObject: "ATTEST_OBJ",
+        requestConfiguration: configWithTenant
+      )
+      let body = request.unencodedHTTPRequestBody
+      XCTAssertEqual(body?["tenantId"] as? String, "TEST_TENANT")
+    }
+  }
+
+#endif

FirebaseAuth/Tests/Unit/FinalizePasskeyEnrollmentResponseTests.swift

@@ -0,0 +1,60 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#if os(iOS) || os(tvOS) || os(macOS)
+
+  @testable import FirebaseAuth
+  import XCTest
+
+  @available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+  class FinalizePasskeyEnrollmentResponseTests: XCTestCase {
+    private func makeValidDictionary() -> [String: AnyHashable] {
+      return [
+        "idToken": "FAKE_ID_TOKEN" as AnyHashable,
+        "refreshToken": "FAKE_REFRESH_TOKEN" as AnyHashable,
+      ]
+    }
+
+    func testInitWithValidDictionary() throws {
+      let response = try FinalizePasskeyEnrollmentResponse(
+        dictionary: makeValidDictionary()
+      )
+      XCTAssertEqual(response.idToken, "FAKE_ID_TOKEN")
+      XCTAssertEqual(response.refreshToken, "FAKE_REFRESH_TOKEN")
+    }
+
+    func testInitWithMissingIdTokenThrowsError() {
+      var dict = makeValidDictionary()
+      dict.removeValue(forKey: "idToken")
+      XCTAssertThrowsError(
+        try FinalizePasskeyEnrollmentResponse(dictionary: dict)
+      )
+    }
+
+    func testInitWithMissingRefreshTokenThrowsError() {
+      var dict = makeValidDictionary()
+      dict.removeValue(forKey: "refreshToken")
+      XCTAssertThrowsError(
+        try FinalizePasskeyEnrollmentResponse(dictionary: dict)
+      )
+    }
+
+    func testInitWithEmptyDictionaryThrowsError() {
+      XCTAssertThrowsError(
+        try FinalizePasskeyEnrollmentResponse(dictionary: [:])
+      )
+    }
+  }
+
+#endif