feat: migrate macos sign in flow to native ui form#8
Merged
Conversation
…-exchange diagnostics Adds native macOS authentication flows (passkey sign-in/registration, username/password sign-in/signup) alongside the existing OAuth authorization_code + PKCE flow, expanded RxSignInView UI with appearance configuration, AASA-associated-domains entitlements for the test app, and Base64URL helpers. Token-exchange errors now log the HTTP response body and surface it in the thrown error to make 400/4xx failures from rxlab-auth diagnosable end-to-end. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…h/passkey routes
Switches the macOS test app to the new rxlab-auth native passkey OAuth endpoints
(/api/oauth/passkey/authenticate/{options,verify} and /register/{options,verify})
that mint OAuth access/refresh tokens, replacing the browser-cookie-only
/api/auth/passkey routes.
Reshapes the passkey verify request bodies to nest the WebAuthn credential under
a `credential` field and use `session_id` (snake_case) instead of `request_id`,
matching the new server contract. Extends the challenge-response decoders to
accept the new `sessionId` field, nested `user`/`rp` objects, and the
`allowCredentials` (vs `allowedCredentials`) array name.
Narrows the test app's requested scopes to ["openid"] to match the client row's
allowedScopes (read:profile / read:email can be granted later via admin).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ia admin allow-list rxlab-auth's native passkey routes now gate on the requesting client's admin-configured redirect_uris allow-list instead of a signInPermission flag, matching the authorization_code flow's client-validation model. Adds redirect_uri (snake_case) to both PasskeyChallengeRequest and PasskeyRegistrationChallengeRequest encoders and passes configuration.redirectURI through at the two call sites. Verify request bodies are unchanged — the server recovers the validated redirect_uri from the challenge stored in Redis. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…h UI to sign-in with info banner
The rxlab-auth /api/oauth/signup route returns HTTP 201 with
{email_verification_required:true} when an account is created but the user must
click an email link before tokens will be issued. Previously the client treated
this non-200 response as a tokenExchangeFailed error.
Adds a public SignupResult enum (.authenticated | .emailVerificationRequired(email))
returned from OAuthManager.signUp, plus a parallel infoMessage state with
clearInfo() so the UI can surface non-error confirmations. The signup path now
uses a dedicated sendSignupRequest that accepts any 2xx, prefers the pending-
verification decoder, and falls back to TokenResponse for the E2E inline-tokens
mode.
RxSignInView's macOS form now switches mode back to .signIn on
.emailVerificationRequired, clears the password/name fields, and renders a glass
info-banner ("Check <email> for a verification link, then sign in.") parallel
to the existing error overlay.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ebaabe4 to
ed08aca
Compare
…signing
The package now targets .macOS(.v26) / .iOS(.v26), so xctest bundles built
on the macos-latest runner link against macOS 26 and fail to load on the
runner's older OS ("built for macOS 26.0 which is newer than running OS").
Drop swift test there and run it on the self-hosted macOS 26 runner.
The test app now declares com.apple.developer.associated-domains, which
ad-hoc signing cannot grant; launchd rejects the binary with Runningboard
error 5. Pass CODE_SIGN_ENTITLEMENTS="" on the xcodebuild test commands
so CI builds without the entitlement.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The native macOS sign-in form's SecureField placeholder is now driven by
the server schema (defaults to "••••••••"), so the helper's lookup by
"Enter your password" no longer matches. Use the accessibility identifiers
that RxSignInView already sets ("email-field" / "password-field").
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.