feat(journey-client): webauthn conditional mediation autofill passkey support …

[vatsalparikh]

JIRA Ticket

pingidentity.atlassian.net/browse/SDKS-4612

Description

Add WebAuthn conditional mediation (passkey autofill) support to @forgerock/journey-client.
This enables consumers to opt-in to conditional UI by passing mediation: 'conditional' and an AbortSignal through to navigator.credentials.get(...) with a helper to feature-detect browser support.

What changed

• WebAuthn authenticate now supports conditional mediation: WebAuthn.authenticate(step, mediation?, signal?)
• Forwards mediation and signal to navigator.credentials.get({ publicKey, mediation, signal })
• Requires an AbortSignal when mediation === 'conditional' If conditional mediation is requested but unsupported, throws NotSupportedError and existing error handling sets the hidden outcome to unsupported
• Added WebAuthn.isConditionalMediationSupported() helper for feature detection
• Added unit tests
• Updated journey app to show autofill passkey option

How to test

• Build and start the journey app by going to e2e/journey-app folder and with commands pnpm build followed by pnpm serve
• Register with webauthn by going to TEST_WebAuthn-Registration journey and then try authenticating by going to TEST_AutofillPasskeyWebAuthn journey which has the autofill option. You can follow the attached recording for reference.

Recording

Screen.Recording.2026-04-23.at.11.53.07.AM.mov

Did you add a changeset?

Yes

Summary by CodeRabbit

• New Features

  • Adds passkey conditional mediation (browser autofill) support for smoother sign-in flows.
  • APIs updated to allow mediation choice and cancellation control.
  • Adds a helper to detect whether conditional mediation is available.

• Bug Fixes / UX

  • Improved browser autofill hints on credential inputs for better passkey autofill.

• Tests

  • Added unit tests covering conditional mediation behavior and failure cases.

[changeset-bot]

🦋 Changeset detected

Latest commit: 31044cf

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 12 packages

Name	Type
@forgerock/journey-client	Minor
@forgerock/davinci-client	Minor
@forgerock/device-client	Minor
@forgerock/oidc-client	Minor
@forgerock/protect	Minor
@forgerock/sdk-types	Minor
@forgerock/sdk-utilities	Minor
@forgerock/iframe-manager	Minor
@forgerock/sdk-logger	Minor
@forgerock/sdk-oidc	Minor
@forgerock/sdk-request-middleware	Minor
@forgerock/storage	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds WebAuthn conditional mediation support: extends WebAuthn APIs with optional mediation and signal parameters, adds isConditionalMediationSupported(), updates tests and a changeset, and refactors the e2e journey app to attempt conditional mediation (focusing a webauthn-autocompleted input) with fallbacks and error handling.

Changes

Cohort / File(s)	Summary
WebAuthn Core Library packages/journey-client/src/lib/webauthn/webauthn.ts, packages/journey-client/src/lib/webauthn/webauthn.test.ts, packages/journey-client/api-report/journey-client.webauthn.api.md	authenticate() and getAuthenticationCredential() accept optional mediation and signal. Added isConditionalMediationSupported(). Enforce AbortSignal for mediation === 'conditional', perform runtime support check, throw NotSupportedError when unsupported, forward mediation/signal to navigator.credentials.get(). New tests cover unsupported, missing-signal, and successful conditional flows.
E2E App Input Components e2e/journey-app/components/text-input.ts, e2e/journey-app/components/validated-username.ts	Set autocomplete="webauthn" on relevant text inputs (NameCallback and validated username) to enable conditional mediation autofill.
E2E App WebAuthn Orchestration e2e/journey-app/components/webauthn-step.ts, e2e/journey-app/main.ts	Added handleWebAuthnStep() to orchestrate auth/registration flows: focuses autocomplete="webauthn" input, attempts WebAuthn.authenticate(step, 'conditional', signal) when supported, returns {callbacksRendered, didSubmit} to main.ts which now uses those flags to control further rendering and submission. Error paths call setError(...) and return without submitting.
Changeset / Docs .changeset/ready-snakes-sell.md	New changeset documenting API signature changes, conditional mediation behavior, requirement for AbortSignal, and the new isConditionalMediationSupported() helper.

Sequence Diagram

sequenceDiagram
    participant Client as Journey App
    participant Handler as WebAuthn Handler
    participant Support as Browser Capability<br/>(PublicKeyCredential.isConditionalMediationAvailable)
    participant Credentials as navigator.credentials
    participant Server as Backend

    Client->>Handler: authenticate(step, 'conditional', signal)
    Handler->>Support: isConditionalMediationSupported()
    alt Conditional Mediation Unsupported
        Support-->>Handler: false
        Handler-->>Client: throw NotSupportedError / setError('unsupported')
    else Conditional Mediation Supported
        Support-->>Handler: true
        alt AbortSignal Missing
            Handler-->>Client: throw Error / setError(message)
        else AbortSignal Provided
            Handler->>Credentials: get({mediation:'conditional', signal, ...})
            alt User Authenticates
                Credentials-->>Handler: PublicKeyCredential
                Handler->>Server: submitForm()
                Server-->>Handler: Response
                Handler-->>Client: return {callbacksRendered, didSubmit:true}
            else Abort/Other Error
                Credentials-->>Handler: AbortError / Error
                Handler-->>Client: setError(message) / return didSubmit:false
            end
        end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• feat(journey-app): delete webauthn devices using device client #549 — Related changes to WebAuthn handling and e2e journey flow that overlap with conditional mediation orchestration and component changes.

Suggested reviewers

• cerebrl
• ancheetah
• SteinGabriel
• ryanbas21

Poem

🐰 Hops of joy for mediation new,
Signals set and inputs primed,
Conditional keys hop into view,
Autofill hums, the flow aligned,
A tiny rabbit cheers the bind!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main feature added: WebAuthn conditional mediation support for passkey autofill in the journey-client package.
Description check	✅ Passed	The description fully addresses the template with a JIRA ticket, comprehensive details about what changed, how to test, and confirmation of a changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sdks-4612

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 31044cf

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	<1s	View ↗
nx affected -t build lint test typecheck e2e-ci	✅ Succeeded	3m 21s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-23 20:28:29 UTC

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

e2e/journey-app/components/webauthn-step.ts (1)

68-69: Redundant conditional-mediation support check.

WebAuthn.authenticate(..., 'conditional', signal) already calls isConditionalMediationSupported() internally and throws NotSupportedError if unsupported. Calling it here too means two async feature-detection round-trips per auth step. Consider caching the result, or relying on authenticate()'s internal check and falling back on the NotSupportedError rejection.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@e2e/journey-app/components/webauthn-step.ts` around lines 68 - 69, The extra
await WebAuthn.isConditionalMediationSupported() + if (isConditionalSupported &&
conditionalInput) is redundant and causes double feature-detection; remove that
pre-check and always call WebAuthn.authenticate(..., 'conditional', signal) when
conditionalInput is available, then catch the rejection and detect a
NotSupportedError (or exception.name === 'NotSupportedError') to fall back to
the non-conditional path. If you care about avoiding repeated detection calls,
add a small cache (e.g., a module-level cachedConditionalSupported flag
checked/updated when WebAuthn.isConditionalMediationSupported() is first called)
and use it instead of awaiting every time. Ensure references to
WebAuthn.authenticate, WebAuthn.isConditionalMediationSupported, and the
conditionalInput handling are updated accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@e2e/journey-app/components/webauthn-step.ts`:
- Around line 70-78: handleWebAuthnStep currently launches
WebAuthn.authenticate(step, 'conditional', controller.signal) with a local
AbortController that is never aborted, so the in-flight promise can later call
submitForm() or setError() against a stale step; fix by exposing and using an
abort mechanism (e.g., return or register the controller via a module-level
hook) so callers (main.ts and the submit handler) can call controller.abort()
whenever renderForm()/step changes, the form is submitted, or the component is
torn down; specifically ensure the AbortController created in handleWebAuthnStep
(and used in WebAuthn.authenticate) is aborted from main.ts before calling
journeyClient.next(...) and when swapping steps to prevent stale
submitForm()/setError() invocations.
- Around line 71-75: The catch block on WebAuthn.authenticate currently treats
every rejection as a user-facing error; change it so AbortError is ignored: in
the promise rejection handler for WebAuthn.authenticate(step, 'conditional',
controller.signal) check the thrown error (e.g., if (err?.name === 'AbortError')
return;), and only call setError('WebAuthn failed or was cancelled. Please try
again or use a different method.') for non-AbortError failures so cancellations
from the conditional flow (controller.signal/step changes) are not surfaced to
the user; keep successful flow calling submitForm() unchanged.

---

Nitpick comments:
In `@e2e/journey-app/components/webauthn-step.ts`:
- Around line 68-69: The extra await WebAuthn.isConditionalMediationSupported()
+ if (isConditionalSupported && conditionalInput) is redundant and causes double
feature-detection; remove that pre-check and always call
WebAuthn.authenticate(..., 'conditional', signal) when conditionalInput is
available, then catch the rejection and detect a NotSupportedError (or
exception.name === 'NotSupportedError') to fall back to the non-conditional
path. If you care about avoiding repeated detection calls, add a small cache
(e.g., a module-level cachedConditionalSupported flag checked/updated when
WebAuthn.isConditionalMediationSupported() is first called) and use it instead
of awaiting every time. Ensure references to WebAuthn.authenticate,
WebAuthn.isConditionalMediationSupported, and the conditionalInput handling are
updated accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f68f8e4-60dd-4731-ad4c-0ede19ab8556

📥 Commits

Reviewing files that changed from the base of the PR and between 8e77da3 and 64195ab.

📒 Files selected for processing (8)

• .changeset/ready-snakes-sell.md
• e2e/journey-app/components/text-input.ts
• e2e/journey-app/components/validated-username.ts
• e2e/journey-app/components/webauthn-step.ts
• e2e/journey-app/main.ts
• packages/journey-client/api-report/journey-client.webauthn.api.md
• packages/journey-client/src/lib/webauthn/webauthn.test.ts
• packages/journey-client/src/lib/webauthn/webauthn.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Stale in-flight conditional authenticate can submit or error against a newer step.

handleWebAuthnStep returns { callbacksRendered: true, didSubmit: false } while the WebAuthn.authenticate(step, 'conditional', controller.signal) promise keeps running in the background. The AbortController is created but never aborted, so if the user submits via a different method (e.g., username/password on the same step) or renderForm() is invoked again for a new step, the in-flight conditional request can still resolve later and call submitForm() on a now-stale step, or call setError() over the new UI. You should abort the controller when the step changes / form is submitted / component is torn down.

Suggested direction

Expose an abort hook (or module-level controller) so main.ts can cancel the in-flight conditional request before navigating to the next step, and abort it inside the submit handler in main.ts before calling journeyClient.next(...).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@e2e/journey-app/components/webauthn-step.ts` around lines 70 - 78,
handleWebAuthnStep currently launches WebAuthn.authenticate(step, 'conditional',
controller.signal) with a local AbortController that is never aborted, so the
in-flight promise can later call submitForm() or setError() against a stale
step; fix by exposing and using an abort mechanism (e.g., return or register the
controller via a module-level hook) so callers (main.ts and the submit handler)
can call controller.abort() whenever renderForm()/step changes, the form is
submitted, or the component is torn down; specifically ensure the
AbortController created in handleWebAuthnStep (and used in
WebAuthn.authenticate) is aborted from main.ts before calling
journeyClient.next(...) and when swapping steps to prevent stale
submitForm()/setError() invocations.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Don't surface an error for AbortError in the conditional flow.

With conditional mediation, authenticate() intentionally rethrows AbortError without mutating the hidden outcome because cancellations are expected (user picked a different method, step changed, controller aborted). The blanket .catch(() => setError(...)) here turns every cancellation into a user-visible "WebAuthn failed or was cancelled" message, which will be noisy during normal autofill UX.

-      void WebAuthn.authenticate(step, 'conditional', controller.signal)
-        .then(() => submitForm())
-        .catch(() => {
-          setError('WebAuthn failed or was cancelled. Please try again or use a different method.');
-        });
+      void WebAuthn.authenticate(step, 'conditional', controller.signal)
+        .then(() => submitForm())
+        .catch((err: unknown) => {
+          if (err instanceof Error && err.name === 'AbortError') return;
+          setError('WebAuthn failed or was cancelled. Please try again or use a different method.');
+        });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@e2e/journey-app/components/webauthn-step.ts` around lines 71 - 75, The catch
block on WebAuthn.authenticate currently treats every rejection as a user-facing
error; change it so AbortError is ignored: in the promise rejection handler for
WebAuthn.authenticate(step, 'conditional', controller.signal) check the thrown
error (e.g., if (err?.name === 'AbortError') return;), and only call
setError('WebAuthn failed or was cancelled. Please try again or use a different
method.') for non-AbortError failures so cancellations from the conditional flow
(controller.signal/step changes) are not surfaced to the user; keep successful
flow calling submitForm() unchanged.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 94.73684% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.05%. Comparing base (5d6747a) to head (31044cf).
⚠️ Report is 37 commits behind head on main.

Files with missing lines	Patch %	Lines
...ckages/journey-client/src/lib/webauthn/webauthn.ts	94.73%	2 Missing ⚠️

❌ Your project status has failed because the head coverage (16.05%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #581       +/-   ##
===========================================
- Coverage   70.90%   16.05%   -54.85%     
===========================================
  Files          53      154      +101     
  Lines        2021    26700    +24679     
  Branches      377     1152      +775     
===========================================
+ Hits         1433     4288     +2855     
- Misses        588    22412    +21824     

Files with missing lines	Coverage Δ
...ckages/journey-client/src/lib/webauthn/webauthn.ts	45.83% <94.73%> (+28.49%)	⬆️

... and 102 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@581

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@581

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@581

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@581

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@581

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@581

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@581

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@581

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@581

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@581

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@581

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@581

commit: 31044cf

[github-actions]

Deployed 061c866 to https://ForgeRock.github.io/ping-javascript-sdk/pr-581/061c866bd360b2c21cf4a25c021e05d38d89eccc branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/device-client - 0.0 KB (-9.9 KB, -100.0%)
🔻 @forgerock/journey-client - 0.0 KB (-89.9 KB, -100.0%)
🔺 @forgerock/journey-client - 91.1 KB (+1.2 KB, +1.3%)

📊 Minor Changes

📉 @forgerock/device-client - 9.9 KB (-0.0 KB)
📉 @forgerock/davinci-client - 48.0 KB (-0.0 KB)

➖ No Changes

➖ @forgerock/oidc-client - 25.2 KB
➖ @forgerock/sdk-utilities - 11.2 KB
➖ @forgerock/sdk-types - 7.9 KB
➖ @forgerock/protect - 150.1 KB
➖ @forgerock/storage - 1.5 KB
➖ @forgerock/sdk-oidc - 4.8 KB
➖ @forgerock/sdk-request-middleware - 4.5 KB
➖ @forgerock/sdk-logger - 1.6 KB
➖ @forgerock/iframe-manager - 2.4 KB

---

14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}

[coderabbitai]

🧹 Nitpick comments (1)

packages/journey-client/src/lib/webauthn/webauthn.ts (1)

355-371: Optional: mirror the signal guard inside getAuthenticationCredential for defense-in-depth.

authenticate() enforces that mediation === 'conditional' requires an AbortSignal, but getAuthenticationCredential is a public static method on an exported class (surfaced in journey-client.webauthn.api.md). A caller invoking it directly with mediation: 'conditional' and no signal will get a browser-level rejection, which is acceptable, but a thin guard here would make the public API self-consistent and keep error messages uniform. Not blocking.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/journey-client/src/lib/webauthn/webauthn.ts` around lines 355 - 371,
Add a defensive guard in getAuthenticationCredential: before calling
navigator.credentials.get, check if mediation === 'conditional' and signal is
falsy, and if so throw an Error with a clear message like "AbortSignal required
when mediation === 'conditional'" and set the error name to
WebAuthnOutcomeType.InvalidStateError (mirroring the enforcement in
authenticate); place this check in the getAuthenticationCredential method just
after the PublicKeyCredential feature check and before the call to
navigator.credentials.get so callers who invoke getAuthenticationCredential
directly get a consistent, descriptive error.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/journey-client/src/lib/webauthn/webauthn.ts`:
- Around line 355-371: Add a defensive guard in getAuthenticationCredential:
before calling navigator.credentials.get, check if mediation === 'conditional'
and signal is falsy, and if so throw an Error with a clear message like
"AbortSignal required when mediation === 'conditional'" and set the error name
to WebAuthnOutcomeType.InvalidStateError (mirroring the enforcement in
authenticate); place this check in the getAuthenticationCredential method just
after the PublicKeyCredential feature check and before the call to
navigator.credentials.get so callers who invoke getAuthenticationCredential
directly get a consistent, descriptive error.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9f1390bc-a634-4fc6-9b70-94c33f98dafb

📥 Commits

Reviewing files that changed from the base of the PR and between 64195ab and 31044cf.

📒 Files selected for processing (8)

• .changeset/ready-snakes-sell.md
• e2e/journey-app/components/text-input.ts
• e2e/journey-app/components/validated-username.ts
• e2e/journey-app/components/webauthn-step.ts
• e2e/journey-app/main.ts
• packages/journey-client/api-report/journey-client.webauthn.api.md
• packages/journey-client/src/lib/webauthn/webauthn.test.ts
• packages/journey-client/src/lib/webauthn/webauthn.ts

✅ Files skipped from review due to trivial changes (2)

• e2e/journey-app/components/text-input.ts
• e2e/journey-app/components/validated-username.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• .changeset/ready-snakes-sell.md
• e2e/journey-app/main.ts