Add PasskeyPromptCheck

mattcreaser · mattcreaser · commit 73f7de9862b2 · 2025-11-05T12:28:21.000-04:00
diff --git a/authenticator/src/main/java/com/amplifyframework/ui/authenticator/util/OsBuild.kt b/authenticator/src/main/java/com/amplifyframework/ui/authenticator/util/OsBuild.kt
@@ -0,0 +1,9 @@
+package com.amplifyframework.ui.authenticator.util
+
+import android.os.Build
+
+// Facade for android.os.Build to facilitate testing
+internal class OsBuild {
+    val sdkInt: Int
+        get() = Build.VERSION.SDK_INT
+}
diff --git a/authenticator/src/main/java/com/amplifyframework/ui/authenticator/util/PasskeyPromptCheck.kt b/authenticator/src/main/java/com/amplifyframework/ui/authenticator/util/PasskeyPromptCheck.kt
@@ -0,0 +1,37 @@
+package com.amplifyframework.ui.authenticator.util
+
+import com.amplifyframework.auth.AuthFactorType
+import com.amplifyframework.ui.authenticator.AuthenticatorConfiguration
+import com.amplifyframework.ui.authenticator.data.AuthenticationFlow
+import com.amplifyframework.ui.authenticator.data.PasskeyPrompt
+import com.amplifyframework.ui.authenticator.data.UserInfo
+import com.amplifyframework.ui.authenticator.enums.SignInSource
+
+// Utility class for checking whether a user should be shown a passkey prompt
+internal class PasskeyPromptCheck(private val authProvider: AuthProvider, private val osBuild: OsBuild = OsBuild()) {
+    suspend fun shouldPromptForPasskey(userInfo: UserInfo, config: AuthenticatorConfiguration): Boolean {
+        // Ensure that userHasPasskey is the last check so that the network request can be short-circuited by
+        // the local-only checks.
+        val authFlow = config.authenticationFlow
+        return authFlow is AuthenticationFlow.UserChoice &&
+            deviceSupportsPasskeyCreation() &&
+            passkeyPromptsEnabled(userInfo, authFlow) &&
+            !userHasPasskey()
+    }
+
+    // Passkey creation supported starting with API 28
+    private fun deviceSupportsPasskeyCreation() = osBuild.sdkInt >= 28
+
+    // Check whether passkey prompts are enabled by configuration
+    private fun passkeyPromptsEnabled(userInfo: UserInfo, authFlow: AuthenticationFlow.UserChoice): Boolean =
+        when (userInfo.signInSource) {
+            SignInSource.SignIn -> authFlow.passkeyPrompts.afterSignIn == PasskeyPrompt.Always
+            SignInSource.AutoSignIn -> authFlow.passkeyPrompts.afterSignUp == PasskeyPrompt.Always
+        }
+
+    // Check if the user already has a passkey registered
+    private suspend fun userHasPasskey() = when (val result = authProvider.getAvailableAuthFactors()) {
+        is AmplifyResult.Error -> true // Assume user already has passkey on error so we don't incorrectly prompt them
+        is AmplifyResult.Success -> result.data.any { it == AuthFactorType.WEB_AUTHN }
+    }
+}
diff --git a/authenticator/src/test/java/com/amplifyframework/ui/authenticator/util/PasskeyPromptCheckTest.kt b/authenticator/src/test/java/com/amplifyframework/ui/authenticator/util/PasskeyPromptCheckTest.kt
@@ -0,0 +1,177 @@
+package com.amplifyframework.ui.authenticator.util
+
+import com.amplifyframework.auth.AuthFactorType
+import com.amplifyframework.auth.exceptions.UnknownException
+import com.amplifyframework.ui.authenticator.AuthenticatorConfiguration
+import com.amplifyframework.ui.authenticator.data.AuthenticationFlow
+import com.amplifyframework.ui.authenticator.data.PasskeyPrompt
+import com.amplifyframework.ui.authenticator.data.PasskeyPrompts
+import com.amplifyframework.ui.authenticator.data.UserInfo
+import com.amplifyframework.ui.authenticator.enums.SignInSource
+import io.kotest.matchers.booleans.shouldBeFalse
+import io.kotest.matchers.booleans.shouldBeTrue
+import io.mockk.coEvery
+import io.mockk.every
+import io.mockk.mockk
+import kotlinx.coroutines.test.runTest
+import org.junit.Test
+
+class PasskeyPromptCheckTest {
+
+    private val authProvider = mockk<AuthProvider> {
+        coEvery { getAvailableAuthFactors() } returns
+            AmplifyResult.Success(listOf(AuthFactorType.PASSWORD_SRP, AuthFactorType.SMS_OTP))
+    }
+    private val osBuild = mockk<OsBuild> {
+        every { sdkInt } returns 30
+    }
+    private val passkeyPromptCheck = PasskeyPromptCheck(authProvider, osBuild)
+
+    @Test
+    fun `shouldPromptForPasskey returns false when auth flow is not UserChoice`() = runTest {
+        val userInfo = mockUserInfo()
+        val config = mockAuthenticatorConfiguration(authFlow = AuthenticationFlow.Password)
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeFalse()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns false when passkey prompts are disabled for SignIn`() = runTest {
+        val userInfo = mockUserInfo(source = SignInSource.SignIn)
+        val config = mockAuthenticatorConfiguration(
+            authFlow = AuthenticationFlow.UserChoice(
+                passkeyPrompts = PasskeyPrompts(afterSignIn = PasskeyPrompt.Never)
+            )
+        )
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeFalse()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns false when passkey prompts are disabled for AutoSignIn`() = runTest {
+        val userInfo = mockUserInfo(source = SignInSource.AutoSignIn)
+        val config = mockAuthenticatorConfiguration(
+            authFlow = AuthenticationFlow.UserChoice(
+                passkeyPrompts = PasskeyPrompts(afterSignUp = PasskeyPrompt.Never)
+            )
+        )
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeFalse()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns false when user already has passkey`() = runTest {
+        val userInfo = mockUserInfo()
+        val config = mockAuthenticatorConfiguration()
+
+        coEvery { authProvider.getAvailableAuthFactors() } returns AmplifyResult.Success(
+            listOf(AuthFactorType.PASSWORD, AuthFactorType.WEB_AUTHN)
+        )
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeFalse()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns false when getAvailableAuthFactors returns error`() = runTest {
+        val userInfo = mockUserInfo()
+        val config = mockAuthenticatorConfiguration()
+
+        coEvery { authProvider.getAvailableAuthFactors() } returns AmplifyResult.Error(
+            UnknownException("Network error")
+        )
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeFalse()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns false when os version is below 28`() = runTest {
+        val userInfo = mockUserInfo()
+        val config = mockAuthenticatorConfiguration()
+
+        every { osBuild.sdkInt } returns 27
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeFalse()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns true when os version is 28`() = runTest {
+        val userInfo = mockUserInfo()
+        val config = mockAuthenticatorConfiguration()
+
+        every { osBuild.sdkInt } returns 28
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeTrue()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns true when auth factor list is empty`() = runTest {
+        val userInfo = mockUserInfo()
+        val config = mockAuthenticatorConfiguration()
+
+        coEvery { authProvider.getAvailableAuthFactors() } returns AmplifyResult.Success(emptyList())
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeTrue()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns true when auth factors don't have webAuthn`() = runTest {
+        val userInfo = mockUserInfo()
+        val config = mockAuthenticatorConfiguration()
+
+        coEvery { authProvider.getAvailableAuthFactors() } returns AmplifyResult.Success(
+            AuthFactorType.entries - AuthFactorType.WEB_AUTHN
+        )
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeTrue()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns true for autoSignIn`() = runTest {
+        val userInfo = mockUserInfo(source = SignInSource.AutoSignIn)
+        val config = mockAuthenticatorConfiguration(
+            authFlow = AuthenticationFlow.UserChoice(
+                passkeyPrompts = PasskeyPrompts(
+                    afterSignIn = PasskeyPrompt.Never,
+                    afterSignUp = PasskeyPrompt.Always
+                )
+            )
+        )
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeTrue()
+    }
+
+    @Test
+    fun `shouldPromptForPasskey returns true for normal signIn`() = runTest {
+        val userInfo = mockUserInfo(source = SignInSource.SignIn)
+        val config = mockAuthenticatorConfiguration(
+            authFlow = AuthenticationFlow.UserChoice(
+                passkeyPrompts = PasskeyPrompts(
+                    afterSignIn = PasskeyPrompt.Always,
+                    afterSignUp = PasskeyPrompt.Never
+                )
+            )
+        )
+
+        val result = passkeyPromptCheck.shouldPromptForPasskey(userInfo, config)
+        result.shouldBeTrue()
+    }
+
+    private fun mockUserInfo(source: SignInSource = SignInSource.SignIn) = mockk<UserInfo> {
+        every { signInSource } returns source
+    }
+
+    private fun mockAuthenticatorConfiguration(authFlow: AuthenticationFlow = AuthenticationFlow.UserChoice()) =
+        mockk<AuthenticatorConfiguration> {
+            every { authenticationFlow } returns authFlow
+        }
+}
