implementing passkey unenrollment (#15189)

srushtisv · web-flow · commit 4d6831bdb432 · 2025-08-14T00:15:03.000+05:30
diff --git a/FirebaseAuth/Sources/Swift/Backend/AuthBackend.swift b/FirebaseAuth/Sources/Swift/Backend/AuthBackend.swift
@@ -355,6 +355,7 @@ final class AuthBackend: AuthBackendProtocol {
       .missingIosBundleIDError(message: serverDetailErrorMessage)
     case "MISSING_ANDROID_PACKAGE_NAME": return AuthErrorUtils
       .missingAndroidPackageNameError(message: serverDetailErrorMessage)
+    case "PASSKEY_ENROLLMENT_NOT_FOUND": return AuthErrorUtils.missingPasskeyEnrollment()
     case "UNAUTHORIZED_DOMAIN": return AuthErrorUtils
       .unauthorizedDomainError(message: serverDetailErrorMessage)
     case "INVALID_CONTINUE_URI": return AuthErrorUtils
diff --git a/FirebaseAuth/Sources/Swift/Backend/RPC/GetAccountInfoResponse.swift b/FirebaseAuth/Sources/Swift/Backend/RPC/GetAccountInfoResponse.swift
@@ -92,6 +92,9 @@ struct GetAccountInfoResponse: AuthRPCResponse {
 
     let mfaEnrollments: [AuthProtoMFAEnrollment]?
 
+    /// A list of the user’s enrolled passkeys.
+    let enrolledPasskeys: [PasskeyInfo]?
+
     /// Designated initializer.
     /// - Parameter dictionary: The provider user info data from endpoint.
     init(dictionary: [String: Any]) {
@@ -133,6 +136,11 @@ struct GetAccountInfoResponse: AuthRPCResponse {
       } else {
         mfaEnrollments = nil
       }
+      if let passkeyEnrollmentData = dictionary["passkeys"] as? [[String: AnyHashable]] {
+        enrolledPasskeys = passkeyEnrollmentData.map { PasskeyInfo(dictionary: $0) }
+      } else {
+        enrolledPasskeys = nil
+      }
     }
   }
 
diff --git a/FirebaseAuth/Sources/Swift/Backend/RPC/Proto/PasskeyInfo.swift b/FirebaseAuth/Sources/Swift/Backend/RPC/Proto/PasskeyInfo.swift
@@ -0,0 +1,40 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+public final class PasskeyInfo: NSObject, AuthProto, NSSecureCoding, Sendable {
+  /// The display name for this passkey.
+  public let name: String?
+  /// The credential ID used by the server.
+  public let credentialID: String?
+  required init(dictionary: [String: AnyHashable]) {
+    name = dictionary["name"] as? String
+    credentialID = dictionary["credentialId"] as? String
+  }
+
+  // NSSecureCoding
+  public static var supportsSecureCoding: Bool { true }
+
+  public func encode(with coder: NSCoder) {
+    coder.encode(name, forKey: "name")
+    coder.encode(credentialID, forKey: "credentialId")
+  }
+
+  public required init?(coder: NSCoder) {
+    name = coder.decodeObject(of: NSString.self, forKey: "name") as String?
+    credentialID = coder.decodeObject(of: NSString.self, forKey: "credentialId") as String?
+    super.init()
+  }
+}
diff --git a/FirebaseAuth/Sources/Swift/Backend/RPC/SetAccountInfoRequest.swift b/FirebaseAuth/Sources/Swift/Backend/RPC/SetAccountInfoRequest.swift
@@ -73,6 +73,8 @@ private let kDeleteProvidersKey = "deleteProvider"
 /// The key for the "returnSecureToken" value in the request.
 private let kReturnSecureTokenKey = "returnSecureToken"
 
+private let kDeletePasskeysKey = "deletePasskey"
+
 /// The key for the tenant id value in the request.
 private let kTenantIDKey = "tenantId"
 
@@ -131,6 +133,9 @@ class SetAccountInfoRequest: IdentityToolkitRequest, AuthRPCRequest {
   /// The default value is `true` .
   var returnSecureToken: Bool = true
 
+  /// The list of credential IDs of the passkeys to be deleted.
+  var deletePasskeys: [String]? = nil
+
   init(accessToken: String? = nil, requestConfiguration: AuthRequestConfiguration) {
     self.accessToken = accessToken
     super.init(endpoint: kSetAccountInfoEndpoint, requestConfiguration: requestConfiguration)
@@ -183,6 +188,9 @@ class SetAccountInfoRequest: IdentityToolkitRequest, AuthRPCRequest {
     if returnSecureToken {
       postBody[kReturnSecureTokenKey] = true
     }
+    if let deletePasskeys {
+      postBody[kDeletePasskeysKey] = deletePasskeys
+    }
     if let tenantID {
       postBody[kTenantIDKey] = tenantID
     }
diff --git a/FirebaseAuth/Sources/Swift/User/User.swift b/FirebaseAuth/Sources/Swift/User/User.swift
@@ -67,6 +67,7 @@ extension User: NSSecureCoding {}
     ///
     /// This property is available on iOS only.
     @objc public private(set) var multiFactor: MultiFactor
+    public private(set) var enrolledPasskeys: [PasskeyInfo]?
   #endif
 
   /// [Deprecated] Updates the email address for the user.
@@ -1134,6 +1135,25 @@ extension User: NSSecureCoding {}
       )
       return AuthDataResult(withUser: user, additionalUserInfo: nil)
     }
+
+    @available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+    public func unenrollPasskey(withCredentialID credentialID: String) async throws {
+      guard !credentialID.isEmpty else {
+        throw AuthErrorCode.missingPasskeyEnrollment
+      }
+      let request = SetAccountInfoRequest(
+        requestConfiguration: auth!.requestConfiguration
+      )
+      request.deletePasskeys = [credentialID]
+      request.accessToken = rawAccessToken()
+      let response = try await backend.call(with: request)
+      _ = try await auth!.completeSignIn(
+        withAccessToken: response.idToken,
+        accessTokenExpirationDate: response.approximateExpirationDate,
+        refreshToken: response.refreshToken,
+        anonymous: false
+      )
+    }
   #endif
 
   // MARK: Internal implementations below
@@ -1157,6 +1177,7 @@ extension User: NSSecureCoding {}
     tenantID = nil
     #if os(iOS)
       multiFactor = MultiFactor(withMFAEnrollments: [])
+      enrolledPasskeys = []
     #endif
     uid = ""
     hasEmailPasswordCredential = false
@@ -1391,6 +1412,7 @@ extension User: NSSecureCoding {}
         multiFactor = MultiFactor(withMFAEnrollments: enrollments)
       }
       multiFactor.user = self
+      enrolledPasskeys = user.enrolledPasskeys ?? []
     #endif
   }
 
@@ -1787,6 +1809,7 @@ extension User: NSSecureCoding {}
   private let kMetadataCodingKey = "metadata"
   private let kMultiFactorCodingKey = "multiFactor"
   private let kTenantIDCodingKey = "tenantID"
+  private let kEnrolledPasskeysKey = "passkeys"
 
   public static let supportsSecureCoding = true
 
@@ -1809,6 +1832,7 @@ extension User: NSSecureCoding {}
     coder.encode(tokenService, forKey: kTokenServiceCodingKey)
     #if os(iOS)
       coder.encode(multiFactor, forKey: kMultiFactorCodingKey)
+      coder.encode(enrolledPasskeys, forKey: kEnrolledPasskeysKey)
     #endif
   }
 
@@ -1838,6 +1862,9 @@ extension User: NSSecureCoding {}
     let tenantID = coder.decodeObject(of: NSString.self, forKey: kTenantIDCodingKey) as? String
     #if os(iOS)
       let multiFactor = coder.decodeObject(of: MultiFactor.self, forKey: kMultiFactorCodingKey)
+      let passkeyAllowed: [AnyClass] = [NSArray.self, PasskeyInfo.self]
+      let passkeys = coder.decodeObject(of: passkeyAllowed,
+                                        forKey: kEnrolledPasskeysKey) as? [PasskeyInfo]
     #endif
     self.tokenService = tokenService
     uid = userID
@@ -1871,6 +1898,7 @@ extension User: NSSecureCoding {}
       self.multiFactor = multiFactor ?? MultiFactor()
       super.init()
       multiFactor?.user = self
+      enrolledPasskeys = passkeys ?? []
     #endif
   }
 }
diff --git a/FirebaseAuth/Sources/Swift/Utilities/AuthErrorUtils.swift b/FirebaseAuth/Sources/Swift/Utilities/AuthErrorUtils.swift
@@ -235,6 +235,10 @@ class AuthErrorUtils {
     error(code: .missingVerificationCode, message: message)
   }
 
+  static func missingPasskeyEnrollment() -> Error {
+    error(code: .missingPasskeyEnrollment)
+  }
+
   static func invalidVerificationCodeError(message: String?) -> Error {
     error(code: .invalidVerificationCode, message: message)
   }
diff --git a/FirebaseAuth/Sources/Swift/Utilities/AuthErrors.swift b/FirebaseAuth/Sources/Swift/Utilities/AuthErrors.swift
@@ -336,6 +336,8 @@ import Foundation
   /// Indicates that the reCAPTCHA SDK actions class failed to create.
   case recaptchaActionCreationFailed = 17210
 
+  case missingPasskeyEnrollment = 17212
+
   /// Indicates an error occurred while attempting to access the keychain.
   case keychainError = 17995
 
@@ -528,6 +530,8 @@ import Foundation
       return kErrorSiteKeyMissing
     case .recaptchaActionCreationFailed:
       return kErrorRecaptchaActionCreationFailed
+    case .missingPasskeyEnrollment:
+      return kErrorMissingPasskeyEnrollment
     }
   }
 
@@ -719,6 +723,8 @@ import Foundation
       return "ERROR_RECAPTCHA_SITE_KEY_MISSING"
     case .recaptchaActionCreationFailed:
       return "ERROR_RECAPTCHA_ACTION_CREATION_FAILED"
+    case .missingPasskeyEnrollment:
+      return "ERROR_PASSKEY_ENROLLMENT_NOT_FOUND"
     }
   }
 }
@@ -996,3 +1002,6 @@ private let kErrorSiteKeyMissing =
 private let kErrorRecaptchaActionCreationFailed =
   "The reCAPTCHA SDK action class failed to initialize. See " +
   "https://cloud.google.com/recaptcha-enterprise/docs/instrument-ios-apps"
+
+private let kErrorMissingPasskeyEnrollment =
+  "Cannot find the passkey linked to the current account."
diff --git a/FirebaseAuth/Tests/Unit/GetAccountInfoTests.swift b/FirebaseAuth/Tests/Unit/GetAccountInfoTests.swift
@@ -80,6 +80,15 @@ class GetAccountInfoTests: RPCBaseTests {
     let kEmailVerifiedKey = "emailVerified"
     let kLocalIDKey = "localId"
     let kTestLocalID = "testLocalId"
+    let kPasskeysKey = "passkeys"
+
+    // Fake PasskeyInfo
+    let testCredentialId = "credential_id"
+    let testPasskeyName = "Test Passkey"
+    let passkeys = [[
+      "credentialId": testCredentialId,
+      "name": testPasskeyName,
+    ]]
 
     let usersIn = [[
       kProviderUserInfoKey: [[
@@ -95,6 +104,7 @@ class GetAccountInfoTests: RPCBaseTests {
       kPhotoUrlKey: kTestPhotoURL,
       kEmailVerifiedKey: true,
       kPasswordHashKey: kTestPasswordHash,
+      kPasskeysKey: passkeys,
     ] as [String: Any]]
     let rpcIssuer = try XCTUnwrap(self.rpcIssuer)
 
@@ -119,6 +129,43 @@ class GetAccountInfoTests: RPCBaseTests {
     XCTAssertEqual(firstProviderUser.email, kTestEmail)
     XCTAssertEqual(firstProviderUser.providerID, kTestProviderID)
     XCTAssertEqual(firstProviderUser.federatedID, kTestFederatedID)
+    let enrolledPasskeys = try XCTUnwrap(firstUser.enrolledPasskeys)
+    XCTAssertEqual(enrolledPasskeys.count, 1)
+    XCTAssertEqual(enrolledPasskeys[0].credentialID, testCredentialId)
+    XCTAssertEqual(enrolledPasskeys[0].name, testPasskeyName)
+  }
+
+  func testInitWithMultipleEnrolledPasskeys() throws {
+    let passkey1: [String: AnyHashable] = ["name": "passkey1", "credentialId": "cred1"]
+    let passkey2: [String: AnyHashable] = ["name": "passkey2", "credentialId": "cred2"]
+    let userDict: [String: AnyHashable] = [
+      "localId": "user123",
+      "email": "user@example.com",
+      "passkeys": [passkey1, passkey2],
+    ]
+    let dict: [String: AnyHashable] = ["users": [userDict]]
+    let response = try GetAccountInfoResponse(dictionary: dict)
+    let users = try XCTUnwrap(response.users)
+    let firstUser = try XCTUnwrap(users.first)
+    let enrolledPasskeys = try XCTUnwrap(firstUser.enrolledPasskeys)
+    XCTAssertEqual(enrolledPasskeys.count, 2)
+    XCTAssertEqual(enrolledPasskeys[0].name, "passkey1")
+    XCTAssertEqual(enrolledPasskeys[0].credentialID, "cred1")
+    XCTAssertEqual(enrolledPasskeys[1].name, "passkey2")
+    XCTAssertEqual(enrolledPasskeys[1].credentialID, "cred2")
+  }
+
+  func testInitWithNoEnrolledPasskeys() throws {
+    let userDict: [String: AnyHashable] = [
+      "localId": "user123",
+      "email": "user@example.com",
+      // No "passkeys" present
+    ]
+    let dict: [String: AnyHashable] = ["users": [userDict]]
+    let response = try GetAccountInfoResponse(dictionary: dict)
+    let users = try XCTUnwrap(response.users)
+    let firstUser = try XCTUnwrap(users.first)
+    XCTAssertNil(firstUser.enrolledPasskeys)
   }
 
   private func makeGetAccountInfoRequest() -> GetAccountInfoRequest {
diff --git a/FirebaseAuth/Tests/Unit/SetAccountInfoTests.swift b/FirebaseAuth/Tests/Unit/SetAccountInfoTests.swift
@@ -64,6 +64,8 @@ class SetAccountInfoTests: RPCBaseTests {
     let kTestDeleteProviders = "TestDeleteProviders"
     let kReturnSecureTokenKey = "returnSecureToken"
     let kTestAccessToken = "accessToken"
+    let kDeletePasskeysKey = "deletePasskey"
+    let kDeletePasskey = "credential_id"
     let kExpectedAPIURL =
       "https://www.googleapis.com/identitytoolkit/v3/relyingparty/setAccountInfo?key=APIKey"
 
@@ -82,6 +84,7 @@ class SetAccountInfoTests: RPCBaseTests {
     request.captchaResponse = kTestCaptchaResponse
     request.deleteAttributes = [kTestDeleteAttributes]
     request.deleteProviders = [kTestDeleteProviders]
+    request.deletePasskeys = [kDeletePasskey]
 
     try await checkRequest(
       request: request,
@@ -105,6 +108,7 @@ class SetAccountInfoTests: RPCBaseTests {
     XCTAssertEqual(decodedRequest[kDeleteAttributesKey] as? [String], [kTestDeleteAttributes])
     XCTAssertEqual(decodedRequest[kDeleteProvidersKey] as? [String], [kTestDeleteProviders])
     XCTAssertEqual(decodedRequest[kReturnSecureTokenKey] as? Bool, true)
+    XCTAssertEqual(decodedRequest[kDeletePasskeysKey] as? [String], [kDeletePasskey])
   }
 
   func testSetAccountInfoErrors() async throws {
@@ -122,6 +126,7 @@ class SetAccountInfoTests: RPCBaseTests {
     let kInvalidRecipientEmailErrorMessage = "INVALID_RECIPIENT_EMAIL"
     let kWeakPasswordErrorMessage = "WEAK_PASSWORD : Password should be at least 6 characters"
     let kWeakPasswordClientErrorMessage = "Password should be at least 6 characters"
+    let kInvalidCredentialIdForPasskeyUnenroll = "PASSKEY_ENROLLMENT_NOT_FOUND"
 
     try await checkBackendError(
       request: setAccountInfoRequest(),
@@ -189,6 +194,11 @@ class SetAccountInfoTests: RPCBaseTests {
       message: kInvalidRecipientEmailErrorMessage,
       errorCode: AuthErrorCode.invalidRecipientEmail
     )
+    try await checkBackendError(
+      request: setAccountInfoRequest(),
+      message: kInvalidCredentialIdForPasskeyUnenroll,
+      errorCode: AuthErrorCode.missingPasskeyEnrollment
+    )
   }
 
   /** @fn testSuccessfulSetAccountInfoResponse
diff --git a/FirebaseAuth/Tests/Unit/UserTests.swift b/FirebaseAuth/Tests/Unit/UserTests.swift

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,9 @@ struct GetAccountInfoResponse: AuthRPCResponse {`
`92`	`92`
`93`	`93`	`let mfaEnrollments: [AuthProtoMFAEnrollment]?`
`94`	`94`
	`95`	`+ /// A list of the user’s enrolled passkeys.`
	`96`	`+ let enrolledPasskeys: [PasskeyInfo]?`
	`97`	`+`
`95`	`98`	`/// Designated initializer.`
`96`	`99`	`/// - Parameter dictionary: The provider user info data from endpoint.`
`97`	`100`	`init(dictionary: [String: Any]) {`
`@@ -133,6 +136,11 @@ struct GetAccountInfoResponse: AuthRPCResponse {`
`133`	`136`	`} else {`
`134`	`137`	`mfaEnrollments = nil`
`135`	`138`	`}`
	`139`	`+ if let passkeyEnrollmentData = dictionary["passkeys"] as? [[String: AnyHashable]] {`
	`140`	`+ enrolledPasskeys = passkeyEnrollmentData.map { PasskeyInfo(dictionary: $0) }`
	`141`	`+ } else {`
	`142`	`+ enrolledPasskeys = nil`
	`143`	`+ }`
`136`	`144`	`}`
`137`	`145`	`}`
`138`	`146`
Original file line number	Diff line number	Diff line change
`@@ -235,6 +235,10 @@ class AuthErrorUtils {`
`235`	`235`	`error(code: .missingVerificationCode, message: message)`
`236`	`236`	`}`
`237`	`237`
	`238`	`+ static func missingPasskeyEnrollment() -> Error {`
	`239`	`+ error(code: .missingPasskeyEnrollment)`
	`240`	`+ }`
	`241`	`+`
`238`	`242`	`static func invalidVerificationCodeError(message: String?) -> Error {`
`239`	`243`	`error(code: .invalidVerificationCode, message: message)`
`240`	`244`	`}`
Original file line number	Diff line number	Diff line change
`@@ -336,6 +336,8 @@ import Foundation`
`336`	`336`	`/// Indicates that the reCAPTCHA SDK actions class failed to create.`
`337`	`337`	`case recaptchaActionCreationFailed = 17210`
`338`	`338`
	`339`	`+ case missingPasskeyEnrollment = 17212`
	`340`	`+`
`339`	`341`	`/// Indicates an error occurred while attempting to access the keychain.`
`340`	`342`	`case keychainError = 17995`
`341`	`343`
`@@ -528,6 +530,8 @@ import Foundation`
`528`	`530`	`return kErrorSiteKeyMissing`
`529`	`531`	`case .recaptchaActionCreationFailed:`
`530`	`532`	`return kErrorRecaptchaActionCreationFailed`
	`533`	`+ case .missingPasskeyEnrollment:`
	`534`	`+ return kErrorMissingPasskeyEnrollment`
`531`	`535`	`}`
`532`	`536`	`}`
`533`	`537`
`@@ -719,6 +723,8 @@ import Foundation`
`719`	`723`	`return "ERROR_RECAPTCHA_SITE_KEY_MISSING"`
`720`	`724`	`case .recaptchaActionCreationFailed:`
`721`	`725`	`return "ERROR_RECAPTCHA_ACTION_CREATION_FAILED"`
	`726`	`+ case .missingPasskeyEnrollment:`
	`727`	`+ return "ERROR_PASSKEY_ENROLLMENT_NOT_FOUND"`
`722`	`728`	`}`
`723`	`729`	`}`
`724`	`730`	`}`
`@@ -996,3 +1002,6 @@ private let kErrorSiteKeyMissing =`
`996`	`1002`	`private let kErrorRecaptchaActionCreationFailed =`
`997`	`1003`	`"The reCAPTCHA SDK action class failed to initialize. See " +`
`998`	`1004`	`"https://cloud.google.com/recaptcha-enterprise/docs/instrument-ios-apps"`
	`1005`	`+`
	`1006`	`+private let kErrorMissingPasskeyEnrollment =`
	`1007`	`+ "Cannot find the passkey linked to the current account."`