Skip to content

test(e2e): Add passkey/WebAuthn e2e tests#8090

Open
tmilewski wants to merge 3 commits intomainfrom
tom/user-4972-test-passkeyswebauthn
Open

test(e2e): Add passkey/WebAuthn e2e tests#8090
tmilewski wants to merge 3 commits intomainfrom
tom/user-4972-test-passkeyswebauthn

Conversation

@tmilewski
Copy link
Copy Markdown
Member

@tmilewski tmilewski commented Mar 16, 2026
edited by coderabbitai bot
Loading

Description

  • Add passkey e2e tests covering registration, sign-in, rename, and removal flows against the Tanstack React Start template
  • Uses Chrome DevTools Protocol (CDP) virtual authenticators to simulate WebAuthn hardware without real devices
  • Overrides navigator.webdriver to bypass Clerk's bot-detection check that blocks WebAuthn in automated browsers
  • Exports/imports CDP credentials across test boundaries to enable separate register and sign-in tests

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other: Test

Summary by CodeRabbit

  • New Features
    • Added passkey authentication support: users can register, sign in, rename, and remove passkeys for improved account security.
  • Tests
    • Added end-to-end test coverage for passkey flows (registration, sign-in, rename, removal) to ensure reliability across browsers and virtual authenticators.

@tmilewski tmilewski self-assigned this Mar 16, 2026
@vercel
Copy link
Copy Markdown

vercel bot commented Mar 16, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Mar 31, 2026 0:13am

Request Review

@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Mar 16, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 0ce3bbe

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Mar 16, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Added an empty changeset file at .changeset/three-clowns-travel.md; introduced a new environment preset withPasskeys in integration/presets/envs.ts that sources CLERK_SECRET_KEY and CLERK_PUBLISHABLE_KEY from instanceKeys.get('with-passkeys'); added a long-running app preset tanstack.react-start.withPasskeys in integration/presets/longRunningApps.ts; and added integration tests at integration/tests/tanstack-start/passkeys.test.ts exercising passkey registration, sign-in, rename, and removal using a CDP virtual authenticator and related setup/teardown helpers.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: adding WebAuthn/passkey end-to-end tests for integration testing.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Mar 16, 2026
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8090

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8090

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8090

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8090

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8090

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8090

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8090

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8090

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8090

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8090

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8090

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8090

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8090

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8090

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8090

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8090

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8090

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8090

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8090

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8090

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8090

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8090

commit: 0ce3bbe

coderabbitai[bot]
coderabbitai bot reviewed Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@integration/presets/envs.ts`:
- Around line 217-221: The code assumes instanceKeys.get('with-passkeys') exists
when building withPasskeys; guard that lookup first (e.g., fetch const keys =
instanceKeys.get('with-passkeys')) and only call .sk/.pk if keys is defined,
otherwise handle the missing case (throw a clear error or skip creating
withPasskeys) so setEnvVariable('private', 'CLERK_SECRET_KEY', ...) and
setEnvVariable('public', 'CLERK_PUBLISHABLE_KEY', ...) never dereference
undefined; update the block that constructs withPasskeys (the base.clone()
chain) to use the guarded keys variable and appropriate fallback or explicit
failure.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: a08dfd39-1cd4-4a9a-b973-a2baf2b57ee5

📥 Commits

Reviewing files that changed from the base of the PR and between 291733c and 98381a9.

📒 Files selected for processing (4)
  • .changeset/three-clowns-travel.md
  • integration/presets/envs.ts
  • integration/presets/longRunningApps.ts
  • integration/tests/tanstack-start/passkeys.test.ts

coderabbitai[bot]
coderabbitai bot reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
integration/presets/envs.ts (1)

247-251: ⚠️ Potential issue | 🔴 Critical

Use withInstanceKeys for withPasskeys to avoid staging misconfiguration and unsafe key dereference.

This block bypasses the staging-aware helper and directly dereferences instanceKeys.get('with-passkeys'); that can crash when keys are missing, and in E2E_STAGING=1 it won’t get staging PK/SK + CLERK_API_URL, so the app can be filtered out by staging readiness checks.

🔧 Proposed fix 
-const withPasskeys = base
-  .clone()
-  .setId('withPasskeys')
-  .setEnvVariable('private', 'CLERK_SECRET_KEY', instanceKeys.get('with-passkeys').sk)
-  .setEnvVariable('public', 'CLERK_PUBLISHABLE_KEY', instanceKeys.get('with-passkeys').pk);
+const withPasskeys = withInstanceKeys(
+  'with-passkeys',
+  base.clone().setId('withPasskeys'),
+);
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@integration/presets/envs.ts` around lines 247 - 251, Replace the direct
dereference of instanceKeys in the withPasskeys preset with the staging-aware
helper; instead of using base.clone().setEnvVariable(...) and
instanceKeys.get('with-passkeys'), call the withInstanceKeys helper (using the
'with-passkeys' instance key) to produce the preset so keys and CLERK_API_URL
are populated safely for staging and missing-key cases; update the withPasskeys
creation to use withInstanceKeys with the same id ('withPasskeys') and avoid
direct instanceKeys.get(...) access.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@integration/presets/envs.ts`:
- Around line 247-251: Replace the direct dereference of instanceKeys in the
withPasskeys preset with the staging-aware helper; instead of using
base.clone().setEnvVariable(...) and instanceKeys.get('with-passkeys'), call the
withInstanceKeys helper (using the 'with-passkeys' instance key) to produce the
preset so keys and CLERK_API_URL are populated safely for staging and
missing-key cases; update the withPasskeys creation to use withInstanceKeys with
the same id ('withPasskeys') and avoid direct instanceKeys.get(...) access.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6de8e3d1-8f1f-403d-8053-3c7a6f09754c

📥 Commits

Reviewing files that changed from the base of the PR and between 98381a9 and 0ce3bbe.

📒 Files selected for processing (2)
  • integration/presets/envs.ts
  • integration/presets/longRunningApps.ts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@tmilewski tmilewski

Labels

integration

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tmilewski @wobsoriano