wip

Author: dschom

packages/functional-tests/pages/index.ts

@@ -25,6 +25,7 @@ import { RelierPage } from './relier';
 import { ResetPasswordPage } from './resetPassword';
 import { SecondaryEmailPage } from './settings/secondaryEmail';
 import { SettingsPage } from './settings';
+import { SettingsPasskeyAddPage } from './settings/passkey';
 import { SigninPage } from './signin';
 import { SigninRecoveryChoicePage } from './signinRecoveryChoice';
 import { SigninRecoveryPhonePage } from './signinRecoveryPhone';
@@ -69,6 +70,7 @@ export function create(page: Page, target: BaseTarget) {
     resetPassword: new ResetPasswordPage(page, target),
     secondaryEmail: new SecondaryEmailPage(page, target),
     settings: new SettingsPage(page, target),
+    settingsPasskeyAdd: new SettingsPasskeyAddPage(page, target),
     signin: new SigninPage(page, target),
     signinRecoveryChoice: new SigninRecoveryChoicePage(page, target),
     signinRecoveryPhone: new SigninRecoveryPhonePage(page, target),

packages/functional-tests/pages/settings/components/unitRow.ts

@@ -85,6 +85,28 @@ export class RecoveryKeyRow extends UnitRow {
   }
 }
 
+export class PasskeyRow extends UnitRow {
+  get createButton() {
+    return this.page.getByTestId('passkey-unit-row-route');
+  }
+
+  get subRow() {
+    return this.page.getByTestId('passkey-sub-row');
+  }
+
+  get deleteButton() {
+    return this.page.getByRole('button', { name: 'Delete passkey' });
+  }
+
+  get deleteModalHeading() {
+    return this.page.getByRole('heading', { name: 'Delete your passkey?' });
+  }
+
+  get confirmDeleteButton() {
+    return this.page.getByTestId('confirm-delete-passkey-button');
+  }
+}
+
 export class TotpRow extends UnitRow {
   get addButton() {
     return this.page.getByTestId('two-step-unit-row-modal-button');

packages/functional-tests/pages/settings/index.ts

@@ -8,6 +8,7 @@ import {
   ConnectedServicesRow,
   DataCollectionRow,
   DisplayNameRow,
+  PasskeyRow,
   PasswordRow,
   PrimaryEmailRow,
   RecoveryKeyRow,
@@ -59,6 +60,10 @@ export class SettingsPage extends SettingsLayout {
     return this.lazyRow('two-step', TotpRow);
   }
 
+  get passkey() {
+    return this.lazyRow('passkey', PasskeyRow);
+  }
+
   get connectedServiceName() {
     return this.page.getByTestId('service-name');
   }
@@ -152,4 +157,14 @@ export class SettingsPage extends SettingsLayout {
       .fill(code);
     await this.page.getByRole('button', { name: 'Confirm' }).click();
   }
+
+  /**
+   * Confirms the MFA guard only if the modal is currently displayed. Safe to
+   * call when the cached JWT already satisfies the guard and no modal appears.
+   */
+  async confirmMfaGuardIfVisible(email: string) {
+    if (await this.isMfaGuardVisible()) {
+      await this.confirmMfaGuard(email);
+    }
+  }
 }

packages/functional-tests/pages/settings/passkey.ts

@@ -0,0 +1,26 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { PasskeyPage } from '../passkey';
+
+/**
+ * Page object for the `/settings/passkeys/add` page, which auto-starts a
+ * WebAuthn registration ceremony on mount. Extends PasskeyPage to pick up the
+ * virtual-authenticator lifecycle (init/cleanup) and `passkeyAuth` getter.
+ */
+export class SettingsPasskeyAddPage extends PasskeyPage {
+  readonly path = 'settings/passkeys/add';
+
+  get pageContainer() {
+    return this.page.getByTestId('page-passkey-add');
+  }
+
+  get creatingHeading() {
+    return this.page.getByRole('heading', { name: 'Creating passkey…' });
+  }
+
+  get cancelButton() {
+    return this.page.getByTestId('passkey-add-cancel');
+  }
+}

packages/functional-tests/tests/settings/passkey.spec.ts

@@ -0,0 +1,160 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * These tests require the passkey feature flags to be enabled on the content
+ * server (FEATURE_FLAGS_PASSKEYS_ENABLED=true and
+ * FEATURE_FLAGS_PASSKEY_REGISTRATION_ENABLED=true) and passkeys.enabled=true
+ * on the auth-server. The suite is skipped at runtime if the
+ * fxa-settings config reports either flag as disabled.
+ */
+
+import { Page, expect, test } from '../../lib/fixtures/standard';
+import { BaseTarget, Credentials } from '../../lib/targets/base';
+import { TestAccountTracker } from '../../lib/testAccountTracker';
+import { SettingsPage } from '../../pages/settings';
+import { SigninPage } from '../../pages/signin';
+
+test.describe('severity-1 #smoke', () => {
+  test.describe('passkey registration', () => {
+    test.beforeEach(async ({ pages: { configPage } }) => {
+      const config = await configPage.getConfig();
+      test.skip(
+        !config.featureFlags?.passkeysEnabled ||
+          !config.featureFlags?.passkeyRegistrationEnabled,
+        'Passkey feature flags are not enabled'
+      );
+    });
+
+    test('registers a new passkey', async ({
+      target,
+      pages: { page, settings, settingsPasskeyAdd, signin },
+      testAccountTracker,
+    }) => {
+      const { email } = await signInAccount(
+        target,
+        page,
+        settings,
+        signin,
+        testAccountTracker
+      );
+
+      await settings.goto();
+
+      await expect(settings.settingsHeading).toBeVisible();
+      await expect(settings.passkey.status).toHaveText('Not set');
+
+      await settingsPasskeyAdd.initPasskeys(page);
+
+      await settingsPasskeyAdd.passkeyAuth.success(async () => {
+        await settings.passkey.createButton.click();
+        await settings.confirmMfaGuard(email);
+      });
+
+      await expect(settings.settingsHeading).toBeVisible();
+      await expect(settings.alertBar).toHaveText('Passkey created');
+      await expect(settings.passkey.status).toHaveText('Enabled');
+      await expect(settings.passkey.subRow).toBeVisible();
+
+      const credentials = await settingsPasskeyAdd.passkeyAuth.getCredentials();
+      expect(credentials).toHaveLength(1);
+    });
+
+    test('cancels passkey registration', async ({
+      target,
+      pages: { page, settings, settingsPasskeyAdd, signin },
+      testAccountTracker,
+    }) => {
+      const { email } = await signInAccount(
+        target,
+        page,
+        settings,
+        signin,
+        testAccountTracker
+      );
+
+      await settings.goto();
+      await expect(settings.settingsHeading).toBeVisible();
+
+      // Initialize the virtual authenticator but do NOT enable presence
+      // simulation, so the WebAuthn ceremony hangs waiting for user input.
+      // This lets us exercise the Cancel button while the ceremony is in
+      // flight.
+      await settingsPasskeyAdd.initPasskeys(page);
+
+      await settings.passkey.createButton.click();
+      await settings.confirmMfaGuard(email);
+
+      await expect(settingsPasskeyAdd.pageContainer).toBeVisible();
+      await expect(settingsPasskeyAdd.creatingHeading).toBeVisible();
+
+      await settingsPasskeyAdd.cancelButton.click();
+
+      await expect(settings.settingsHeading).toBeVisible();
+      await expect(settings.passkey.status).toHaveText('Not set');
+      await expect(settings.passkey.subRow).toHaveCount(0);
+
+      const credentials = await settingsPasskeyAdd.passkeyAuth.getCredentials();
+      expect(credentials).toHaveLength(0);
+    });
+
+    test('deletes a registered passkey', async ({
+      target,
+      pages: { page, settings, settingsPasskeyAdd, signin },
+      testAccountTracker,
+    }) => {
+      const { email } = await signInAccount(
+        target,
+        page,
+        settings,
+        signin,
+        testAccountTracker
+      );
+
+      await settings.goto();
+      await expect(settings.settingsHeading).toBeVisible();
+      await expect(settings.passkey.status).toHaveText('Not set');
+
+      await settingsPasskeyAdd.initPasskeys(page);
+
+      await settingsPasskeyAdd.passkeyAuth.success(async () => {
+        await settings.passkey.createButton.click();
+        await settings.confirmMfaGuard(email);
+      });
+
+      await expect(settings.passkey.status).toHaveText('Enabled');
+
+      await settings.passkey.deleteButton.click();
+      await expect(settings.passkey.deleteModalHeading).toBeVisible();
+      await settings.passkey.confirmDeleteButton.click();
+
+      // The delete action is guarded by MfaGuard (scope: passkey); the
+      // cached JWT from registration usually satisfies it, but re-confirm
+      // if the modal appears.
+      await settings.confirmMfaGuardIfVisible(email);
+
+      await expect(settings.settingsHeading).toBeVisible();
+      await expect(settings.alertBar).toHaveText('Passkey deleted');
+      await expect(settings.passkey.status).toHaveText('Not set');
+      await expect(settings.passkey.subRow).toHaveCount(0);
+    });
+  });
+});
+
+async function signInAccount(
+  target: BaseTarget,
+  page: Page,
+  settings: SettingsPage,
+  signin: SigninPage,
+  testAccountTracker: TestAccountTracker
+): Promise<Credentials> {
+  const credentials = await testAccountTracker.signUp();
+  await page.goto(target.contentServerUrl);
+  await signin.fillOutEmailFirstForm(credentials.email);
+  await signin.fillOutPasswordForm(credentials.password);
+  await page.waitForURL(/settings/);
+  await expect(settings.settingsHeading).toBeVisible();
+
+  return credentials;
+}