Skip to content

feat: migrate macos sign in flow to native ui form#8

Merged
sirily11 merged 7 commits into
mainfrom
rxcode/native-macOS
May 26, 2026
Merged

feat: migrate macos sign in flow to native ui form#8
sirily11 merged 7 commits into
mainfrom
rxcode/native-macOS

Conversation

@sirily11

Copy link
Copy Markdown
Contributor

No description provided.

sirily11 and others added 4 commits May 26, 2026 16:45
…-exchange diagnostics

Adds native macOS authentication flows (passkey sign-in/registration, username/password
sign-in/signup) alongside the existing OAuth authorization_code + PKCE flow, expanded
RxSignInView UI with appearance configuration, AASA-associated-domains entitlements
for the test app, and Base64URL helpers. Token-exchange errors now log the HTTP
response body and surface it in the thrown error to make 400/4xx failures from
rxlab-auth diagnosable end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…h/passkey routes

Switches the macOS test app to the new rxlab-auth native passkey OAuth endpoints
(/api/oauth/passkey/authenticate/{options,verify} and /register/{options,verify})
that mint OAuth access/refresh tokens, replacing the browser-cookie-only
/api/auth/passkey routes.

Reshapes the passkey verify request bodies to nest the WebAuthn credential under
a `credential` field and use `session_id` (snake_case) instead of `request_id`,
matching the new server contract. Extends the challenge-response decoders to
accept the new `sessionId` field, nested `user`/`rp` objects, and the
`allowCredentials` (vs `allowedCredentials`) array name.

Narrows the test app's requested scopes to ["openid"] to match the client row's
allowedScopes (read:profile / read:email can be granted later via admin).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ia admin allow-list

rxlab-auth's native passkey routes now gate on the requesting client's
admin-configured redirect_uris allow-list instead of a signInPermission flag,
matching the authorization_code flow's client-validation model. Adds redirect_uri
(snake_case) to both PasskeyChallengeRequest and PasskeyRegistrationChallengeRequest
encoders and passes configuration.redirectURI through at the two call sites.
Verify request bodies are unchanged — the server recovers the validated
redirect_uri from the challenge stored in Redis.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…h UI to sign-in with info banner

The rxlab-auth /api/oauth/signup route returns HTTP 201 with
{email_verification_required:true} when an account is created but the user must
click an email link before tokens will be issued. Previously the client treated
this non-200 response as a tokenExchangeFailed error.

Adds a public SignupResult enum (.authenticated | .emailVerificationRequired(email))
returned from OAuthManager.signUp, plus a parallel infoMessage state with
clearInfo() so the UI can surface non-error confirmations. The signup path now
uses a dedicated sendSignupRequest that accepts any 2xx, prefers the pending-
verification decoder, and falls back to TokenResponse for the E2E inline-tokens
mode.

RxSignInView's macOS form now switches mode back to .signIn on
.emailVerificationRequired, clears the password/name fields, and renders a glass
info-banner ("Check <email> for a verification link, then sign in.") parallel
to the existing error overlay.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 26, 2026 10:54
@autopilot-project-manager autopilot-project-manager Bot added the enhancement New feature or request label May 26, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@sirily11 sirily11 force-pushed the rxcode/native-macOS branch from ebaabe4 to ed08aca Compare May 26, 2026 14:43
sirily11 and others added 2 commits May 26, 2026 22:52
…signing

The package now targets .macOS(.v26) / .iOS(.v26), so xctest bundles built
on the macos-latest runner link against macOS 26 and fail to load on the
runner's older OS ("built for macOS 26.0 which is newer than running OS").
Drop swift test there and run it on the self-hosted macOS 26 runner.

The test app now declares com.apple.developer.associated-domains, which
ad-hoc signing cannot grant; launchd rejects the binary with Runningboard
error 5. Pass CODE_SIGN_ENTITLEMENTS="" on the xcodebuild test commands
so CI builds without the entitlement.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The native macOS sign-in form's SecureField placeholder is now driven by
the server schema (defaults to "••••••••"), so the helper's lookup by
"Enter your password" no longer matches. Use the accessibility identifiers
that RxSignInView already sets ("email-field" / "password-field").

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sirily11 sirily11 merged commit 126ee07 into main May 26, 2026
4 checks passed
@sirily11 sirily11 deleted the rxcode/native-macOS branch May 26, 2026 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants