Merge pull request #19990 from mozilla/spike/passkey-chromium-func-test

chore(fxa): Add passkey functional test example

Author: nshirley

packages/functional-tests/README.md

@@ -14,6 +14,12 @@ The environments that this suite may run against are:
 
 Each has its own named script in [package.json](./package.json) or you can use `--project` when running `playwright test` manually. They are implemented in `lib/targets`.
 
+There is also a very small subset of tests that can _only_ run against Chromium browsers. These have slightly different project names, listed below, and should only be used when running the Passkey tests.
+
+- local-chromium
+- stage-chromium
+- production-chromium
+
 ### Running the tests
 
 If this is your first time running the tests, run `npx playwright install --with-deps` to install the browsers. Then:
@@ -114,6 +120,95 @@ test('totp test with proper cleanup', async ({
 // `testAccountTracker` cleanup will use secret attached to Credentials to destroy the account
 ```
 
+### Passkey Virtual Authenticator
+
+Testing passkeys requires simulating physical authenticator devices. The `PasskeyVirtualAuthenticator` uses Chrome DevTools Protocol (CDP) to create virtual authenticators in Chromium browsers, allowing automated testing of WebAuthn flows without real hardware.
+
+**Important**: Passkey tests only run in Chromium projects due to CDP dependency.
+
+#### Why the wrapper is necessary
+
+WebAuthn operations are asynchronous and require precise timing coordination. The browser must have a virtual authenticator registered and listening _before_ triggering passkey prompts, and to help with possible race conditions, _before_ the page loads and checks if the browser supports passkeys. The `success()` and `fail()` wrappers handle this coordination by:
+
+1. Setting up user verification state
+2. Enabling presence simulation
+3. Listening for CDP events (credential added/asserted)
+4. Executing your trigger function
+5. Waiting for operation completion or failure
+
+#### Basic Setup
+
+Whichever page you're on that should support passkeys can extend from `PasskeyPage` instead of the `BaseLayout` page. This provides the framework for setting up and using the faked authentication.
+
+```ts
+// change BaseLayout
+export class SigninPage extends BaseLayout {
+  /** */
+}
+// to PasskeyPage
+export class SigninPage extends PasskeyPage {
+  /** */
+}
+```
+
+Initialize once per test via the `initPasskeys` function now available on the page. Call this as soon as possible, before navigating to the page if possible.
+
+```ts
+test('passkey registration', async ({ pages: { page, signin } }) => {
+  // Skip non-Chromium browsers
+  test.skip(
+    page.context().browser()?.browserType().name() !== 'chromium',
+    'Passkeys tests run on chromium only'
+  );
+
+  await signin.initPasskeys(page);
+  // Now ready to test passkey operations
+});
+```
+
+#### Testing successful passkey operations
+
+Use `success()` to simulate a user approving the passkey prompt:
+
+```ts
+// Do setup as describe above.
+// Wrap the action that triggers the passkey prompt
+await signin.passkeyAuth.success(async () => {
+  return page.getByRole('button', { name: 'Sign in with passkey' }).click();
+});
+
+// Verify success (e.g., check we're signed in)
+await expect(page.getByText('Welcome back')).toBeVisible();
+
+// Optional: verify a credential was created
+const creds = await signin.passkeyAuth.getCredentials();
+expect(creds.length).toBeGreaterThan(0);
+```
+
+#### Testing cancelled/failed passkey operations
+
+Use `fail()` to simulate a user cancelling or failing verification. Since CDP doesn't emit failure events, you must provide a `postCheck` callback that waits for the failure to be processed:
+
+```ts
+await signin.passkeyAuth.fail(
+  async () => {
+    // Trigger action that would show passkey prompt
+    return page.getByRole('button', { name: 'Sign in with passkey' }).click();
+  },
+  async () => {
+    // Wait for error message or use small timeout
+    return expect(page.getByText('Authentication failed')).toBeVisible();
+  }
+);
+
+// Verify failure state (e.g., Error message)
+await expect(page.getByText('Failed to create Passkey')).toBeVisible();
+
+// Optional: verify no credential was created
+const creds = await signin.passkeyAuth.getCredentials();
+expect(creds.length).toBe(0);
+```
+
 ### MFA Guard
 
 To support increased security, there are multiple locations that have an MFA Guard wrapping them within settings. If your test needs to interact with or bypass this, there are two options.
@@ -255,6 +350,7 @@ When tests fail in CircleCI, the CI reporter automatically generates clickable t
 2. **Summary** - At the end of the test run with all failed test traces grouped together
 
 Example output:
+
 ```
 [26/35] ❌ tests/settings/avatar.spec.ts: open and close avatar drop-down menu (19s)
 Error: Timed out 10000ms waiting for expect(locator).toBeVisible()
@@ -263,6 +359,7 @@ Error: Timed out 10000ms waiting for expect(locator).toBeVisible()
 ```
 
 The summary at the end groups traces by test (including retries):
+
 ```
 📊 Failed test traces:
   tests/settings/avatar.spec.ts: open and close avatar drop-down menu
@@ -271,6 +368,7 @@ The summary at the end groups traces by test (including retries):
 ```
 
 The reporter also tracks:
+
 - **Progress**: `[5/35]` shows completed tests out of total
 - **Retries**: Total retry count and which attempt `(retry #1)`
 - **Flaky tests**: Tests that failed initially but passed on retry

packages/functional-tests/lib/fixtures/standard.ts

@@ -15,6 +15,7 @@ import { create as createPages } from '../../pages';
 import { ServerTarget, TargetName, create } from '../targets';
 import { BaseTarget } from '../targets/base';
 import { TestAccountTracker } from '../testAccountTracker';
+import { PasskeyPage } from '../../pages/passkey';
 import { existsSync, readFileSync } from 'fs';
 import { join, dirname, basename } from 'path';
 
@@ -47,6 +48,12 @@ export const test = base.extend<TestOptions, WorkerOptions>({
   pages: async ({ target, page }, use) => {
     const pages = createPages(page, target);
     await use(pages);
+    // Cleanup passkey CDP sessions from any page that used them
+    for (const pageInstance of Object.values(pages)) {
+      if (pageInstance instanceof PasskeyPage) {
+        await pageInstance.cleanupPasskeys();
+      }
+    }
   },
 
   syncBrowserPages: async ({ target }, use, testInfo) => {

packages/functional-tests/lib/passkeyVirtualAuthenticator.ts

@@ -0,0 +1,224 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import * as pwCore from 'playwright-core/types/protocol';
+import { CDPSession } from '@playwright/test';
+
+const DEFAULT_OPTS: pwCore.Protocol.WebAuthn.VirtualAuthenticatorOptions = {
+  protocol: 'ctap2',
+  transport: 'internal',
+  hasResidentKey: true,
+  hasUserVerification: true,
+  isUserVerified: true,
+  automaticPresenceSimulation: false,
+};
+
+type Trigger = () => Promise<void>;
+type PostCheck = () => Promise<void>;
+
+export class PasskeyVirtualAuthenticator {
+  private authenticatorId = '';
+
+  constructor(
+    private readonly client: CDPSession,
+    private readonly opts: pwCore.Protocol.WebAuthn.VirtualAuthenticatorOptions = DEFAULT_OPTS
+  ) {}
+
+  /**
+   * Creates the virtual authenticator in the browser via CDP.
+   *
+   * Be sure to call this before using any other methods.
+   * @param overrides
+   * @returns
+   */
+  async create(
+    overrides?: Partial<pwCore.Protocol.WebAuthn.VirtualAuthenticatorOptions>
+  ) {
+    await this.client.send('WebAuthn.enable');
+
+    const { authenticatorId } = await this.client.send(
+      'WebAuthn.addVirtualAuthenticator',
+      {
+        options: {
+          ...this.opts,
+          ...overrides,
+          automaticPresenceSimulation: false,
+        },
+      }
+    );
+
+    this.authenticatorId = authenticatorId;
+    return authenticatorId;
+  }
+
+  /**
+   * Removes the virtual authenticator from the browser via CDP.
+   * @returns
+   */
+  async dispose() {
+    if (!this.authenticatorId) return;
+    await this.client.send('WebAuthn.removeVirtualAuthenticator', {
+      authenticatorId: this.authenticatorId,
+    });
+    this.authenticatorId = '';
+  }
+
+  /**
+   * Cleanup the virtual authenticator and detach the CDP session.
+   * Safe to call even if not initialized - will silently skip.
+   */
+  async cleanup() {
+    await this.dispose();
+    try {
+      await this.client.send('WebAuthn.disable');
+    } catch {
+      // Ignore errors if already disabled
+    }
+    await this.client.detach();
+  }
+
+  /**
+   * Check how many credentials are stored in the virtual authenticator.
+   *
+   * Useful for verifying that a credential was created during registration,
+   * or testing multiple registered credential flows.
+   * @returns
+   */
+  async getCredentials() {
+    this.assertInit();
+    const result = await this.client.send('WebAuthn.getCredentials', {
+      authenticatorId: this.authenticatorId,
+    });
+    return result.credentials;
+  }
+
+  /**
+   * Simulate a *successful* passkey operation.
+   *
+   * Example:
+   * ```ts
+   * await passkeyAuth.success(async () => {
+   *   // Action that would show the Passkey prompt - this should return a promise
+   *   return signInPage.signinWithPasskey();
+   *   // event listener will resolve when operation completes
+   *   }
+   * });
+   * // then test asserts we're signed in or other success condition
+   * ```
+   * @param trigger
+   */
+  async success(trigger: Trigger) {
+    this.assertInit();
+
+    // Enable presence simulation FIRST, before anything else
+    // This gives the browser maximum time to activate it
+    await this.client.send('WebAuthn.setAutomaticPresenceSimulation', {
+      authenticatorId: this.authenticatorId,
+      enabled: true,
+    });
+
+    const operationCompleted = this.waitForOneOf([
+      'WebAuthn.credentialAdded',
+      'WebAuthn.credentialAsserted',
+    ]);
+
+    await this.client.send('WebAuthn.setUserVerified', {
+      authenticatorId: this.authenticatorId,
+      isUserVerified: true,
+    });
+
+    // Wait to ensure presence simulation is fully active
+    await new Promise((resolve) => setTimeout(resolve, 500));
+
+    try {
+      await trigger();
+      await operationCompleted;
+    } finally {
+      await this.client.send('WebAuthn.setAutomaticPresenceSimulation', {
+        authenticatorId: this.authenticatorId,
+        enabled: false,
+      });
+    }
+  }
+
+  /**
+   * Simulate a *failed/cancelled* passkey operation.
+   * There’s no CDP event for failure, so you must provide a post-check or use a small timeout.
+   *
+   * Example:
+   * ```ts
+   * await passkeyAuth.fail(async () => {
+   *   // Same as `success`, trigger an action that
+   *   // would show the Passkey prompt - this should return a promise
+   *   return signInPage.signinWithPasskey();
+   * }, async () => {
+   *   // Return a promise that will resolve after the 'cancellation' is processed.
+   *   // This could be a small timeout, or an assertion that an error message is shown.
+   *   return expect(page.locator('#error-message')).toBeVisible();
+   * });
+   * // then test asserts we're still signed out or other failure condition
+   * // or check the `getCredentials()` to verify no new credentials were created
+   * ```
+   */
+  async fail(trigger: Trigger, postCheck: PostCheck) {
+    this.assertInit();
+
+    // Enable presence simulation FIRST, before anything else
+    await this.client.send('WebAuthn.setAutomaticPresenceSimulation', {
+      authenticatorId: this.authenticatorId,
+      enabled: true,
+    });
+
+    await this.client.send('WebAuthn.setUserVerified', {
+      authenticatorId: this.authenticatorId,
+      isUserVerified: false,
+    });
+
+    // Wait to ensure presence simulation is fully active
+    await new Promise((resolve) => setTimeout(resolve, 500));
+
+    try {
+      await trigger();
+      await postCheck();
+    } finally {
+      await this.client.send('WebAuthn.setAutomaticPresenceSimulation', {
+        authenticatorId: this.authenticatorId,
+        enabled: false,
+      });
+    }
+  }
+
+  private waitForOneOf(
+    events: Array<'WebAuthn.credentialAdded' | 'WebAuthn.credentialAsserted'>
+  ) {
+    return new Promise<void>((resolve) => {
+      let done = false;
+
+      const handlers = events.map(() => {
+        const handler = () => {
+          if (done) return;
+          done = true;
+          // remove all handlers when one fires
+          for (let i = 0; i < events.length; i++) {
+            this.client.off(events[i], handlers[i]);
+          }
+          resolve();
+        };
+        return handler;
+      });
+
+      for (let i = 0; i < events.length; i++) {
+        this.client.on(events[i], handlers[i]);
+      }
+    });
+  }
+
+  private assertInit() {
+    if (!this.authenticatorId) {
+      throw new Error(
+        'PasskeyVirtualAuthenticator not initialized. Call init() first.'
+      );
+    }
+  }
+}

packages/functional-tests/pages/index.ts

@@ -37,6 +37,9 @@ import { TotpPage } from './settings/totp';
 import { InlineRecoveryKey } from './inlineRecoveryKey';
 import { SignupConfirmedSyncPage } from './signupConfirmedSync';
 import { InlineTotpSetupPage } from './inlineTotpSetup';
+import { PasskeyExamplePage } from './passkey';
+
+export { PasskeyPage } from './passkey';
 
 export function create(page: Page, target: BaseTarget) {
   return {
@@ -74,5 +77,6 @@ export function create(page: Page, target: BaseTarget) {
     signupConfirmedSync: new SignupConfirmedSyncPage(page, target),
     termsOfService: new TermsOfService(page, target),
     totp: new TotpPage(page, target),
+    passkeysExample: new PasskeyExamplePage(page, target),
   };
 }