fix: fido-errors

[ryanbas21]

JIRA Ticket

https://pingidentity.atlassian.net/browse/SDKS-4480

Description

Adds WebAuthn error code propagation for FIDO operations, allowing consumers to send standardized error codes back to DaVinci when FIDO registration or authentication fails.

One note: explicitly not auto-submitting the error, and leaving that to the developer

Summary by CodeRabbit

• New Features

  • FIDO responses now include WebAuthn error codes for finer-grained handling.
  • FIDO client accepts optional logging configuration for per-call logger control.

• Improvements

  • Standardized mapping for common WebAuthn error types (e.g., NotAllowed, Abort, InvalidState, NotSupported, Security, Timeout, Unknown).
  • Action requests now include an empty formData object to preserve API contract.

• Tests

  • Added comprehensive tests covering FIDO flows, error mappings, and the formData behavior.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: b975a8b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 12 packages

Name	Type
@forgerock/davinci-client	Patch
@forgerock/device-client	Patch
@forgerock/journey-client	Patch
@forgerock/oidc-client	Patch
@forgerock/protect	Patch
@forgerock/sdk-types	Patch
@forgerock/sdk-utilities	Patch
@forgerock/iframe-manager	Patch
@forgerock/sdk-logger	Patch
@forgerock/sdk-oidc	Patch
@forgerock/sdk-request-middleware	Patch
@forgerock/storage	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

Adds FIDO/WebAuthn error-code mapping and propagation, a per-call FIDO client logger config, replaces console.error with SDK logging, and ensures action requests include an explicit empty formData field.

Changes

Cohort / File(s)	Summary
FIDO Types & Error Utilities packages/davinci-client/src/lib/fido/fido.types.ts	Adds FidoErrorCode union, runtime guards, toFidoErrorCode() mapper, and createFidoError() to map DOMException/WebAuthn errors into standardized GenericError objects.
FIDO Client Implementation packages/davinci-client/src/lib/fido/fido.ts	Adds FidoClientConfig (logger config), changes fido() signature to accept an optional config, creates a per-call logger, replaces console.error and ad-hoc error returns with createFidoError() and logged messages for register/authenticate flows.
FIDO Tests packages/davinci-client/src/lib/fido/fido.test.ts, packages/davinci-client/src/lib/fido/fido.types.test.ts	Adds tests for register/authenticate success paths, DOMException-to-FIDO-code mappings, UnknownError handling, and logger behavior/config acceptance.
Action Request Utilities & Tests packages/davinci-client/src/lib/davinci.utils.ts, packages/davinci-client/src/lib/davinci.utils.test.ts	transformActionRequest() now includes formData: {} in returned DaVinciRequest.parameters.data; tests updated/added to assert presence of empty formData.
Public Types Export packages/davinci-client/src/types.ts	Exports FidoClientConfig and FidoErrorCode from FIDO modules in the public type barrel.
Changelog .changeset/fido-error-codes.md	Documents WebAuthn error code propagation, logger config option, formData contract, and guidance for forwarding FIDO error codes via DaVinci flow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Review toFidoErrorCode() mappings and runtime guards in fido.types.ts.
• Verify per-call logger instantiation and uses in fido.ts (default level, custom logger passthrough, and removal of console usage).
• Check transformActionRequest() change (addition of formData: {}) for API contract compatibility and updated tests.

Possibly related PRs

• SDKS-4377: Implement FIDO module in DaVinci client #468 — Prior changes to the FIDO client and related fido.* code; likely overlaps with error-handling, types, and logger changes.

Suggested reviewers

• cerebrl

Poem

🐰✨ I hopped through specs by moonlit code,
Mapped every DOMException down the road,
Logs now purr and formData's set,
FIDO errors find their proper net,
A rabbit's patch, neatly bestowed.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 57.14% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: fido-errors' directly and clearly describes the main change—fixing FIDO error handling by adding WebAuthn error code propagation.
Description check	✅ Passed	The description includes both required sections: a JIRA ticket reference and a clear explanation of the changes, meeting the template requirements.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fido-errors

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit b975a8b

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	<1s	View ↗
nx affected -t build lint test e2e-ci	✅ Succeeded	5m 37s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-12-10 21:50:36 UTC

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

packages/davinci-client/src/lib/fido/fido.test.ts (1)

34-36: Consider stricter type guard for GenericError detection.

The current isGenericError only checks for an error property. For stronger validation, consider also checking for the type or code properties that are part of the GenericError structure.

 function isGenericError(result: unknown): result is GenericError {
-  return typeof result === 'object' && result !== null && 'error' in result;
+  return typeof result === 'object' && result !== null && 'error' in result && 'type' in result;
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b6d3630 and ad510b6.

📒 Files selected for processing (8)

• .changeset/fido-error-codes.md (1 hunks)
• packages/davinci-client/src/lib/davinci.utils.test.ts (1 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (1 hunks)
• packages/davinci-client/src/lib/fido/fido.test.ts (1 hunks)
• packages/davinci-client/src/lib/fido/fido.ts (7 hunks)
• packages/davinci-client/src/lib/fido/fido.types.test.ts (1 hunks)
• packages/davinci-client/src/lib/fido/fido.types.ts (1 hunks)
• packages/davinci-client/src/types.ts (2 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: ancheetah
Repo: ForgeRock/ping-javascript-sdk PR: 417
File: packages/sdk-effects/storage/src/lib/storage.effects.ts:11-12
Timestamp: 2025-09-23T20:50:26.537Z
Learning: When the storage client API was changed from returning void to GenericError | null in SDKS-4361, call sites in DaVinci client and OIDC client were not updated to handle the returned errors, creating a follow-up task for proper error handling implementation.

📚 Learning: 2025-09-23T20:50:26.537Z

Learnt from: ancheetah
Repo: ForgeRock/ping-javascript-sdk PR: 417
File: packages/sdk-effects/storage/src/lib/storage.effects.ts:11-12
Timestamp: 2025-09-23T20:50:26.537Z
Learning: When the storage client API was changed from returning void to GenericError | null in SDKS-4361, call sites in DaVinci client and OIDC client were not updated to handle the returned errors, creating a follow-up task for proper error handling implementation.

Applied to files:

• .changeset/fido-error-codes.md

📚 Learning: 2025-11-07T21:35:14.799Z

Learnt from: ancheetah
Repo: ForgeRock/ping-javascript-sdk PR: 468
File: packages/davinci-client/src/lib/fido/fido.utils.ts:17-24
Timestamp: 2025-11-07T21:35:14.799Z
Learning: DaVinci FIDO API accepts standard base64 encoding (RFC 4648 §4 with `+`, `/`, `=`) for WebAuthn response fields (rawId, clientDataJSON, authenticatorData, signature, userHandle) in packages/davinci-client, not base64url. This is confirmed by sample payloads from the DaVinci team showing standard base64 format.

Applied to files:

• .changeset/fido-error-codes.md

🧬 Code graph analysis (4)

packages/davinci-client/src/lib/fido/fido.types.test.ts (1)

packages/davinci-client/src/lib/fido/fido.types.ts (1)

• toFidoErrorCode (51-56)

packages/davinci-client/src/lib/fido/fido.test.ts (2)

packages/davinci-client/src/lib/fido/fido.ts (2)

• FidoClientConfig (29-35)
• fido (65-162)

packages/davinci-client/src/lib/davinci.types.ts (2)

• FidoRegistrationOptions (163-183)
• FidoAuthenticationOptions (195-203)

packages/davinci-client/src/lib/davinci.utils.test.ts (2)

packages/davinci-client/src/types.ts (1)

• ContinueNode (28-28)

packages/davinci-client/src/lib/node.types.ts (1)

• ContinueNode (57-80)

packages/davinci-client/src/lib/fido/fido.ts (1)

packages/davinci-client/src/lib/fido/fido.types.ts (2)

• toFidoErrorCode (51-56)
• createFidoError (65-76)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

🔇 Additional comments (14)

packages/davinci-client/src/lib/davinci.utils.test.ts (1)

150-183: LGTM! Test coverage for formData in action requests.

The new test case verifies that formData: {} is included for FIDO error codes, and the existing test is updated to expect this field. This aligns with the API contract changes in transformActionRequest.

packages/davinci-client/src/lib/fido/fido.types.test.ts (1)

10-57: Excellent test coverage for error code mapping.

The test suite comprehensively validates all supported FidoErrorCode values and edge cases including non-Error inputs and unrecognized DOMException names. Good defensive testing for the type guard logic.

packages/davinci-client/src/types.ts (1)

8-9: LGTM! Public type exports properly extended.

The new FidoClientConfig and FidoErrorCode types are correctly exported for consumer access, enabling proper typing for FIDO error handling in downstream applications.

Also applies to: 59-59

packages/davinci-client/src/lib/davinci.utils.ts (1)

99-104: LGTM! API contract consistency improvement.

Adding formData: {} to action requests ensures the payload structure is consistent with submit requests and meets API expectations. The change is minimal and well-tested.

.changeset/fido-error-codes.md (1)

1-13: Well-documented changeset with clear consumer guidance.

The changeset correctly identifies this as a patch release and provides clear documentation of all changes, including the recommended pattern for propagating FIDO errors to DaVinci.

packages/davinci-client/src/lib/fido/fido.test.ts (2)

53-239: Thorough test coverage for registration error scenarios.

The register tests comprehensively cover all FidoErrorCode values including the null credential edge case, and properly validate the GenericError structure (code, error, type, message). Good use of the isGenericError guard for narrowing.

---

242-429: Complete test coverage for authentication error scenarios.

Mirror of registration tests for the authenticate flow. All error codes and edge cases are properly tested with consistent assertions.

packages/davinci-client/src/lib/fido/fido.types.ts (3)

15-31: Well-designed error code type system.

The FidoErrorCode union type and VALID_FIDO_ERROR_CODES set are correctly structured - the set intentionally excludes UnknownError since it's the fallback for unrecognized errors. Clean implementation of the WebAuthn error mapping.

---

33-56: Robust type guards with proper null-safety.

The isErrorWithName guard safely handles null/undefined and validates the name property type. The toFidoErrorCode function provides a safe mapping with UnknownError fallback for unrecognized errors.

---

65-76: Clean GenericError factory function.

createFidoError provides a consistent way to construct FIDO errors with the standardized type: 'fido_error' discriminator, enabling consumers to identify FIDO-specific errors.

packages/davinci-client/src/lib/fido/fido.ts (4)

29-35: Well-designed configuration interface.

The FidoClientConfig interface provides optional logger configuration with support for custom loggers, maintaining backward compatibility by making the entire config optional.

---

65-66: Sensible default log level.

Defaulting to 'error' log level when not configured ensures production deployments aren't noisy while still capturing failure scenarios.

---

82-86: Proper integration of error code mapping.

The catch handler correctly uses toFidoErrorCode to map WebAuthn errors and createFidoError to construct the standardized error object with logging.

---

129-133: Authentication error handling follows the same pattern.

Consistent with registration error handling, properly maps WebAuthn errors and logs them.

[nx-cloud]

Nx Cloud has identified a flaky task in your failed CI:

🔂 Since the failure was identified as flaky, we reran your CI automatically.

View detailed reasoning in Nx Cloud ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

packages/davinci-client/src/lib/fido/fido.test.ts (2)

38-240: Consider adding a test for environments without WebAuthn support

Right now all tests assume navigator.credentials exists and is overridable. It might be worth adding one extra test that simulates a runtime with no navigator.credentials (or missing create/get) and asserts that FIDO returns an appropriate GenericError (likely a not-supported flavor), to lock in behavior for non-WebAuthn-capable environments.

---

53-429: Optional: DRY up repeated navigator.credentials mocking

Many tests repeat the same Object.defineProperty(navigator, 'credentials', { value: { create|get: mockFn }, ... }) setup. If this suite grows further, you may want to factor that into small helpers (e.g., mockNavigatorCreate(mock) / mockNavigatorGet(mock)) to reduce duplication and make individual test intent even clearer.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9198a76 and b975a8b.

📒 Files selected for processing (8)

• .changeset/fido-error-codes.md (1 hunks)
• packages/davinci-client/src/lib/davinci.utils.test.ts (1 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (1 hunks)
• packages/davinci-client/src/lib/fido/fido.test.ts (1 hunks)
• packages/davinci-client/src/lib/fido/fido.ts (7 hunks)
• packages/davinci-client/src/lib/fido/fido.types.test.ts (1 hunks)
• packages/davinci-client/src/lib/fido/fido.types.ts (1 hunks)
• packages/davinci-client/src/types.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

• packages/davinci-client/src/lib/davinci.utils.test.ts
• packages/davinci-client/src/lib/fido/fido.ts
• packages/davinci-client/src/lib/fido/fido.types.ts
• packages/davinci-client/src/lib/davinci.utils.ts
• packages/davinci-client/src/lib/fido/fido.types.test.ts
• .changeset/fido-error-codes.md

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: ancheetah
Repo: ForgeRock/ping-javascript-sdk PR: 417
File: packages/sdk-effects/storage/src/lib/storage.effects.ts:11-12
Timestamp: 2025-09-23T20:50:26.537Z
Learning: When the storage client API was changed from returning void to GenericError | null in SDKS-4361, call sites in DaVinci client and OIDC client were not updated to handle the returned errors, creating a follow-up task for proper error handling implementation.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: pr
• GitHub Check: Mend Code Security Check
• GitHub Check: Mend Security Check

🔇 Additional comments (7)

packages/davinci-client/src/types.ts (1)

8-9: FIDO type imports/exports align with public API design

Re-exporting FidoClient, FidoClientConfig, and FidoErrorCode via the root types entrypoint is consistent with the rest of this module and cleanly exposes the new FIDO surface to consumers. No issues from a typing/API standpoint.

Also applies to: 59-59

packages/davinci-client/src/lib/fido/fido.test.ts (6)

14-36: Helper setup and type guard are appropriate

silentConfig, the shared FIDO options fixtures, and isGenericError provide a clear structure for the suite and correctly model the GenericError shape for these tests. This keeps individual test bodies focused on behavior instead of boilerplate.

---

38-52: Navigator credentials mocking/restoration is safe and contained

Capturing originalCredentials and restoring it in afterEach via Object.defineProperty keeps the navigator.credentials mocking isolated per test and avoids cross-test leakage. This is a solid pattern for these WebAuthn-style tests.

---

53-240: Registration error/success coverage looks complete

The register suite exercises all key WebAuthn error names plus unknown-error and null-credential cases, and verifies both the code and FIDO-specific error/type fields, along with the success path (attestationValue). Behavior matches the intended FidoErrorCode mapping and union return type.

---

242-429: Authentication error/success coverage is symmetrical and consistent

The authenticate tests mirror the registration coverage for the same WebAuthn error names, unknown errors, null assertions, and success (assertionValue), which should keep the two flows in sync as the error surface evolves.

---

431-455: Error-detection pattern test nicely encodes the GenericError union contract

The "error" in result pattern plus the comments about TypeScript narrowing give consumers a clear, simple way to work with the GenericError | success union returned by FIDO operations, reducing the risk of ignored errors we’ve seen with other APIs returning GenericError | null. Based on learnings, this is exactly the kind of explicit pattern that helps downstream call sites handle errors correctly.

---

457-490: Logger configuration tests validate both explicit and default paths

The two logger tests confirm that:

• providing silentConfig doesn’t throw and still yields a GenericError, and
• calling fido() with no config also works and returns a GenericError for WebAuthn failures.

This correctly exercises both the optional logger configuration and default behavior.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 90.16393% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 19.23%. Comparing base (b89ad58) to head (b975a8b).
⚠️ Report is 17 commits behind head on main.

Files with missing lines	Patch %	Lines
packages/davinci-client/src/lib/fido/fido.ts	75.00%	6 Missing ⚠️

❌ Your project status has failed because the head coverage (19.23%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #503      +/-   ##
==========================================
+ Coverage   18.79%   19.23%   +0.43%     
==========================================
  Files         140      141       +1     
  Lines       27640    27674      +34     
  Branches      980     1011      +31     
==========================================
+ Hits         5195     5322     +127     
+ Misses      22445    22352      -93     

Files with missing lines	Coverage Δ
packages/davinci-client/src/lib/davinci.utils.ts	87.74% <100.00%> (+0.07%)	⬆️
packages/davinci-client/src/lib/fido/fido.types.ts	100.00% <100.00%> (ø)
packages/davinci-client/src/types.ts	50.00% <ø> (ø)
packages/davinci-client/src/lib/fido/fido.ts	91.30% <75.00%> (+90.32%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@503

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@503

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@503

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@503

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@503

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@503

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@503

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@503

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@503

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@503

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@503

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@503

commit: b975a8b

[github-actions]

Deployed 2b97c43 to https://ForgeRock.github.io/ping-javascript-sdk/pr-503/2b97c43ee5fb09303a6eabae7d888eb76f0184ba branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/journey-client - 0.0 KB (-82.4 KB, -100.0%)
🔺 @forgerock/davinci-client - 41.1 KB (+1.5 KB, +3.9%)

📊 Minor Changes

📉 @forgerock/journey-client - 82.4 KB (-0.0 KB)

➖ No Changes

➖ @forgerock/device-client - 9.2 KB
➖ @forgerock/oidc-client - 23.4 KB
➖ @forgerock/protect - 150.1 KB
➖ @forgerock/sdk-utilities - 7.5 KB
➖ @forgerock/sdk-types - 8.0 KB
➖ @forgerock/storage - 1.4 KB
➖ @forgerock/sdk-logger - 1.6 KB
➖ @forgerock/iframe-manager - 2.4 KB
➖ @forgerock/sdk-request-middleware - 4.5 KB
➖ @forgerock/sdk-oidc - 2.6 KB

---

13 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}