From c5e76d62f5426d86b44db92913b16a00b4daf61b Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Thu, 27 Feb 2025 14:41:48 +0200
Subject: [PATCH 1/9] feat(clerk-js,localization,types): Support passkeys for
 first factor re-verification

---
 .../clerk-js/src/core/resources/Session.ts    |  80 ++++++++++++-
 .../UserVerification/AlternativeMethods.tsx   |   6 +-
 .../UVFactorOnePasskeysCard.tsx               | 105 ++++++++++++++++++
 .../UserVerificationFactorOne.tsx             |  14 ++-
 packages/localizations/src/en-US.ts           |   5 +
 packages/types/src/localization.ts            |   5 +
 packages/types/src/session.ts                 |  18 ++-
 packages/types/src/sessionVerification.ts     |  11 +-
 8 files changed, 231 insertions(+), 13 deletions(-)
 create mode 100644 packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx

diff --git a/packages/clerk-js/src/core/resources/Session.ts b/packages/clerk-js/src/core/resources/Session.ts
index ea7739f8bee..d63c27ff2db 100644
--- a/packages/clerk-js/src/core/resources/Session.ts
+++ b/packages/clerk-js/src/core/resources/Session.ts
@@ -14,6 +14,7 @@ import type {
   SessionStatus,
   SessionTask,
   SessionVerificationJSON,
+  SessionVerificationLevel,
   SessionVerificationResource,
   SessionVerifyAttemptFirstFactorParams,
   SessionVerifyAttemptSecondFactorParams,
@@ -25,7 +26,12 @@ import type {
 } from '@clerk/types';
 
 import { unixEpochToDate } from '../../utils/date';
-import { clerkInvalidStrategy } from '../errors';
+import {
+  convertJSONToPublicKeyRequestOptions,
+  serializePublicKeyCredentialAssertion,
+  webAuthnGetCredential,
+} from '../../utils/passkeys';
+import { clerkInvalidStrategy, clerkMissingWebAuthnPublicKeyOptions } from '../errors';
 import { eventBus, events } from '../events';
 import { SessionTokenCache } from '../tokenCache';
 import { BaseResource, PublicUserData, Token, User } from './internal';
@@ -150,6 +156,9 @@ export class Session extends BaseResource implements SessionResource {
           default: factor.default,
         } as PhoneCodeConfig;
         break;
+      case 'passkey':
+        config = {};
+        break;
       default:
         clerkInvalidStrategy('Session.prepareFirstFactorVerification', (factor as any).strategy);
     }
@@ -171,17 +180,69 @@ export class Session extends BaseResource implements SessionResource {
   attemptFirstFactorVerification = async (
     attemptFactor: SessionVerifyAttemptFirstFactorParams,
   ): Promise<SessionVerificationResource> => {
+    let config;
+    switch (attemptFactor.strategy) {
+      case 'passkey':
+        config = {
+          publicKeyCredential: JSON.stringify(serializePublicKeyCredentialAssertion(attemptFactor.publicKeyCredential)),
+        };
+        break;
+      default:
+        config = { ...attemptFactor };
+    }
+
     const json = (
       await BaseResource._fetch({
         method: 'POST',
         path: `/client/sessions/${this.id}/verify/attempt_first_factor`,
-        body: { ...attemptFactor, strategy: attemptFactor.strategy } as any,
+        body: { ...config, strategy: attemptFactor.strategy } as any,
       })
     )?.response as unknown as SessionVerificationJSON;
 
     return new SessionVerification(json);
   };
 
+  attemptFirstFactorPasskeyVerification = async (nonce: string | null): Promise<SessionVerificationResource> => {
+    return this.#attemptPasskeyVerification(nonce, 'first_factor');
+  };
+
+  attemptSecondFactorPasskeyVerification = async (nonce: string | null): Promise<SessionVerificationResource> => {
+    return this.#attemptPasskeyVerification(nonce, 'second_factor');
+  };
+
+  #attemptPasskeyVerification = async (
+    nonce: string | null,
+    level: Omit<SessionVerificationLevel, 'SessionVerificationLevel'>,
+  ): Promise<SessionVerificationResource> => {
+    const publicKeyOptions = nonce ? convertJSONToPublicKeyRequestOptions(JSON.parse(nonce)) : null;
+
+    if (!publicKeyOptions) {
+      clerkMissingWebAuthnPublicKeyOptions('get');
+    }
+
+    // Invoke the navigator.create.get() method.
+    const { publicKeyCredential, error } = await webAuthnGetCredential({
+      publicKeyOptions,
+      conditionalUI: false,
+    });
+
+    if (!publicKeyCredential) {
+      throw error;
+    }
+
+    if (level === 'first_factor') {
+      return this.attemptFirstFactorVerification({
+        strategy: 'passkey',
+        publicKeyCredential,
+      });
+    }
+
+    return this.attemptSecondFactorVerification({
+      strategy: 'passkey',
+      publicKeyCredential,
+    });
+  };
+
   prepareSecondFactorVerification = async (
     params: SessionVerifyPrepareSecondFactorParams,
   ): Promise<SessionVerificationResource> => {
@@ -197,13 +258,24 @@ export class Session extends BaseResource implements SessionResource {
   };
 
   attemptSecondFactorVerification = async (
-    params: SessionVerifyAttemptSecondFactorParams,
+    attemptFactor: SessionVerifyAttemptSecondFactorParams,
   ): Promise<SessionVerificationResource> => {
+    let config;
+    switch (attemptFactor.strategy) {
+      case 'passkey':
+        config = {
+          publicKeyCredential: JSON.stringify(serializePublicKeyCredentialAssertion(attemptFactor.publicKeyCredential)),
+        };
+        break;
+      default:
+        config = { ...attemptFactor };
+    }
+
     const json = (
       await BaseResource._fetch({
         method: 'POST',
         path: `/client/sessions/${this.id}/verify/attempt_second_factor`,
-        body: params as any,
+        body: { ...config, strategy: attemptFactor.strategy } as any,
       })
     )?.response as unknown as SessionVerificationJSON;
 
diff --git a/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx b/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
index 7bf5bf65a75..d86534994c7 100644
--- a/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
+++ b/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
@@ -5,7 +5,8 @@ import type { LocalizationKey } from '../../customizables';
 import { Col, descriptors, Flex, Flow, localizationKeys } from '../../customizables';
 import { ArrowBlockButton, BackLink, Card, Header } from '../../elements';
 import { useCardState } from '../../elements/contexts';
-import { ChatAltIcon, Email, LockClosedIcon } from '../../icons';
+import { useAlternativeStrategies } from '../../hooks/useAlternativeStrategies';
+import { ChatAltIcon, Email, Fingerprint, LockClosedIcon } from '../../icons';
 import { formatSafeIdentifier } from '../../utils';
 import { useReverificationAlternativeStrategies } from './useReverificationAlternativeStrategies';
 import { useUserVerificationSession } from './useUserVerificationSession';
@@ -111,6 +112,8 @@ export function getButtonLabel(factor: SessionVerificationFirstFactor): Localiza
       });
     case 'password':
       return localizationKeys('reverification.alternativeMethods.blockButton__password');
+    case 'passkey':
+      return localizationKeys('reverification.alternativeMethods.blockButton__passkey');
     default:
       throw new Error(`Invalid sign in strategy: "${(factor as any).strategy}"`);
   }
@@ -121,6 +124,7 @@ export function getButtonIcon(factor: SessionVerificationFirstFactor) {
     email_code: Email,
     phone_code: ChatAltIcon,
     password: LockClosedIcon,
+    passkey: Fingerprint,
   } as const;
 
   return icons[factor.strategy];
diff --git a/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx b/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
new file mode 100644
index 00000000000..1b23816be58
--- /dev/null
+++ b/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
@@ -0,0 +1,105 @@
+import { ClerkWebAuthnError } from '@clerk/shared/error';
+import { useClerk, useSession } from '@clerk/shared/react';
+import { isWebAuthnSupported as isWebAuthnSupportedOnWindow } from '@clerk/shared/webauthn';
+import type { SessionVerificationResource } from '@clerk/types';
+import React, { useEffect } from 'react';
+
+import { Button, Col, descriptors, localizationKeys } from '../../customizables';
+import { Card, Form, Header, useCardState } from '../../elements';
+import { handleError } from '../../utils';
+import { useAfterVerification } from './use-after-verification';
+
+type UVFactorOnePasskeysCard = {
+  onShowAlternativeMethodsClicked?: React.MouseEventHandler;
+};
+
+export const UVFactorOnePasskeysCard = (props: UVFactorOnePasskeysCard) => {
+  const { onShowAlternativeMethodsClicked } = props;
+  const { session } = useSession();
+  const { handleVerificationResponse } = useAfterVerification();
+  // @ts-expect-error - This is not a public API
+  const { __internal_isWebAuthnSupported } = useClerk();
+  const [prepareResponse, setPrepareResponse] = React.useState<SessionVerificationResource | null>(null);
+
+  const card = useCardState();
+
+  const isWebAuthnSupported = __internal_isWebAuthnSupported || isWebAuthnSupportedOnWindow;
+
+  const prepare = async () => {
+    // TODO: This should be moved when checking if we will show the strategy
+    if (!isWebAuthnSupported()) {
+      throw new ClerkWebAuthnError('Passkeys are not supported', {
+        code: 'passkey_not_supported',
+      });
+    }
+
+    const response = await session?.prepareFirstFactorVerification({ strategy: 'passkey' });
+
+    if (response) {
+      setPrepareResponse(response);
+    }
+  };
+
+  useEffect(() => {
+    prepare().catch(err => handleError(err, [], card.setError));
+  }, []);
+
+  const handlePasskeysAttempt = () => {
+    if (!prepareResponse) {
+      return;
+    }
+
+    const { nonce = null } = prepareResponse.firstFactorVerification;
+
+    if (!nonce) {
+      return;
+    }
+
+    session!
+      .attemptFirstFactorPasskeyVerification(nonce)
+      .then(handleVerificationResponse)
+      .catch(err => handleError(err, [], card.setError));
+
+    return;
+  };
+
+  return (
+    <Card.Root>
+      <Card.Content>
+        <Header.Root showLogo>
+          <Header.Title localizationKey={localizationKeys('reverification.passkey.title')} />
+          <Header.Subtitle localizationKey={localizationKeys('reverification.passkey.subtitle')} />
+        </Header.Root>
+        <Card.Alert>{card.error}</Card.Alert>
+        <Col
+          elementDescriptor={descriptors.main}
+          gap={8}
+        >
+          <Form.Root>
+            <Col gap={3}>
+              <Button
+                type='button'
+                onClick={e => {
+                  e.preventDefault();
+                  handlePasskeysAttempt();
+                }}
+                localizationKey={'Use your passkeys'}
+                hasArrow
+              />
+              <Card.Action elementId='alternativeMethods'>
+                {onShowAlternativeMethodsClicked && (
+                  <Card.ActionLink
+                    localizationKey={localizationKeys('footerActionLink__useAnotherMethod')}
+                    onClick={onShowAlternativeMethodsClicked}
+                  />
+                )}
+              </Card.Action>
+            </Col>
+          </Form.Root>
+        </Col>
+      </Card.Content>
+
+      <Card.Footer />
+    </Card.Root>
+  );
+};
diff --git a/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx b/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx
index 38ea9164289..e0193b8a303 100644
--- a/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx
+++ b/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx
@@ -11,6 +11,7 @@ import { useReverificationAlternativeStrategies } from './useReverificationAlter
 import { UserVerificationFactorOnePasswordCard } from './UserVerificationFactorOnePassword';
 import { useUserVerificationSession, withUserVerificationSessionGuard } from './useUserVerificationSession';
 import { UVFactorOneEmailCodeCard } from './UVFactorOneEmailCodeCard';
+import { UVFactorOnePasskeysCard } from './UVFactorOnePasskeysCard';
 import { UVFactorOnePhoneCodeCard } from './UVFactorOnePhoneCodeCard';
 
 const factorKey = (factor: SignInFactor | null | undefined) => {
@@ -27,7 +28,7 @@ const factorKey = (factor: SignInFactor | null | undefined) => {
   return key;
 };
 
-export function _UserVerificationFactorOne(): JSX.Element | null {
+export function UserVerificationFactorOneComponent(): JSX.Element | null {
   const { data } = useUserVerificationSession();
   const card = useCardState();
   const { navigate } = useRouter();
@@ -55,7 +56,12 @@ export function _UserVerificationFactorOne(): JSX.Element | null {
     () => !currentFactor || !factorHasLocalStrategy(currentFactor),
   );
 
-  const toggleAllStrategies = hasAnyStrategy ? () => setShowAllStrategies(s => !s) : undefined;
+  const toggleAllStrategies = hasAnyStrategy
+    ? () => {
+        card.setError(undefined);
+        setShowAllStrategies(s => !s);
+      }
+    : undefined;
 
   const handleFactorPrepare = () => {
     lastPreparedFactorKeyRef.current = factorKey(currentFactor);
@@ -129,11 +135,13 @@ export function _UserVerificationFactorOne(): JSX.Element | null {
           showAlternativeMethods={hasFirstParty}
         />
       );
+    case 'passkey':
+      return <UVFactorOnePasskeysCard onShowAlternativeMethodsClicked={toggleAllStrategies} />;
     default:
       return <LoadingCard />;
   }
 }
 
 export const UserVerificationFactorOne = withUserVerificationSessionGuard(
-  withCardStateProvider(_UserVerificationFactorOne),
+  withCardStateProvider(UserVerificationFactorOneComponent),
 );
diff --git a/packages/localizations/src/en-US.ts b/packages/localizations/src/en-US.ts
index 7730c14b1b8..0669a193afa 100644
--- a/packages/localizations/src/en-US.ts
+++ b/packages/localizations/src/en-US.ts
@@ -265,6 +265,7 @@ export const enUS: LocalizationResource = {
       actionLink: 'Get help',
       actionText: 'Don’t have any of these?',
       blockButton__backupCode: 'Use a backup code',
+      blockButton__passkey: 'Use your passkey',
       blockButton__emailCode: 'Email code to {{identifier}}',
       blockButton__password: 'Continue with your password',
       blockButton__phoneCode: 'Send SMS code to {{identifier}}',
@@ -282,6 +283,10 @@ export const enUS: LocalizationResource = {
       subtitle: 'Enter the backup code you received when setting up two-step authentication',
       title: 'Enter a backup code',
     },
+    passkey: {
+      subtitle: 'Using your passkey confirms it’s you. Your device may ask for your fingerprint, face, or screen lock.',
+      title: 'Use your passkey',
+    },
     emailCode: {
       formTitle: 'Verification code',
       resendButton: "Didn't receive a code? Resend",
diff --git a/packages/types/src/localization.ts b/packages/types/src/localization.ts
index d19932cbee1..8154f869fbf 100644
--- a/packages/types/src/localization.ts
+++ b/packages/types/src/localization.ts
@@ -346,6 +346,10 @@ type _LocalizationResource = {
       title: LocalizationValue;
       subtitle: LocalizationValue;
     };
+    passkey: {
+      title: LocalizationValue;
+      subtitle: LocalizationValue;
+    };
     alternativeMethods: {
       title: LocalizationValue;
       subtitle: LocalizationValue;
@@ -355,6 +359,7 @@ type _LocalizationResource = {
       blockButton__phoneCode: LocalizationValue;
       blockButton__password: LocalizationValue;
       blockButton__totp: LocalizationValue;
+      blockButton__passkey: LocalizationValue;
       blockButton__backupCode: LocalizationValue;
       getHelp: {
         title: LocalizationValue;
diff --git a/packages/types/src/session.ts b/packages/types/src/session.ts
index 8e831053712..976229e02b8 100644
--- a/packages/types/src/session.ts
+++ b/packages/types/src/session.ts
@@ -2,6 +2,8 @@ import type {
   BackupCodeAttempt,
   EmailCodeAttempt,
   EmailCodeConfig,
+  PasskeyAttempt,
+  PassKeyConfig,
   PasswordAttempt,
   PhoneCodeAttempt,
   PhoneCodeConfig,
@@ -152,6 +154,8 @@ export interface SessionResource extends ClerkResource {
   attemptSecondFactorVerification: (
     params: SessionVerifyAttemptSecondFactorParams,
   ) => Promise<SessionVerificationResource>;
+  attemptFirstFactorPasskeyVerification: (nonce: string | null) => Promise<SessionVerificationResource>;
+  attemptSecondFactorPasskeyVerification: (nonce: string | null) => Promise<SessionVerificationResource>;
   __internal_toSnapshot: () => SessionJSONSnapshot;
 }
 
@@ -236,8 +240,16 @@ export type SessionVerifyCreateParams = {
   level: SessionVerificationLevel;
 };
 
-export type SessionVerifyPrepareFirstFactorParams = EmailCodeConfig | PhoneCodeConfig;
-export type SessionVerifyAttemptFirstFactorParams = EmailCodeAttempt | PhoneCodeAttempt | PasswordAttempt;
+export type SessionVerifyPrepareFirstFactorParams = EmailCodeConfig | PhoneCodeConfig | PassKeyConfig;
+export type SessionVerifyAttemptFirstFactorParams =
+  | EmailCodeAttempt
+  | PhoneCodeAttempt
+  | PasswordAttempt
+  | PasskeyAttempt;
 
 export type SessionVerifyPrepareSecondFactorParams = PhoneCodeSecondFactorConfig;
-export type SessionVerifyAttemptSecondFactorParams = PhoneCodeAttempt | TOTPAttempt | BackupCodeAttempt;
+export type SessionVerifyAttemptSecondFactorParams =
+  | PhoneCodeAttempt
+  | TOTPAttempt
+  | BackupCodeAttempt
+  | PasskeyAttempt;
diff --git a/packages/types/src/sessionVerification.ts b/packages/types/src/sessionVerification.ts
index c5ebdbaa0b5..999be97303d 100644
--- a/packages/types/src/sessionVerification.ts
+++ b/packages/types/src/sessionVerification.ts
@@ -1,4 +1,11 @@
-import type { BackupCodeFactor, EmailCodeFactor, PasswordFactor, PhoneCodeFactor, TOTPFactor } from './factors';
+import type {
+  BackupCodeFactor,
+  EmailCodeFactor,
+  PasskeyFactor,
+  PasswordFactor,
+  PhoneCodeFactor,
+  TOTPFactor,
+} from './factors';
 import type { ClerkResource } from './resource';
 import type { SessionResource } from './session';
 import type { VerificationResource } from './verification';
@@ -27,5 +34,5 @@ export type ReverificationConfig =
 export type SessionVerificationLevel = 'first_factor' | 'second_factor' | 'multi_factor';
 export type SessionVerificationAfterMinutes = number;
 
-export type SessionVerificationFirstFactor = EmailCodeFactor | PhoneCodeFactor | PasswordFactor;
+export type SessionVerificationFirstFactor = EmailCodeFactor | PhoneCodeFactor | PasswordFactor | PasskeyFactor;
 export type SessionVerificationSecondFactor = PhoneCodeFactor | TOTPFactor | BackupCodeFactor;

From 95fa362618e14714183e39a4fb8244b9188b2218 Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Thu, 6 Mar 2025 16:30:24 +0200
Subject: [PATCH 2/9] chore(repo): Add changeset

---
 .changeset/purple-hounds-tie.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .changeset/purple-hounds-tie.md

diff --git a/.changeset/purple-hounds-tie.md b/.changeset/purple-hounds-tie.md
new file mode 100644
index 00000000000..fd8ab1f8b2e
--- /dev/null
+++ b/.changeset/purple-hounds-tie.md
@@ -0,0 +1,7 @@
+---
+"@clerk/clerk-js": patch
+"@clerk/localizations": patch
+"@clerk/types": patch
+---
+
+Support passkeys as a first factor strategy for reverification

From ac53be2063dd6a9c2e2026e5781f6f2fc99214b3 Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Thu, 6 Mar 2025 18:28:23 +0200
Subject: [PATCH 3/9] chore(clerk-js,localization,types): Added localization
 for passkeys action button

---
 .../UserVerification/UVFactorOnePasskeysCard.tsx    | 13 +------------
 packages/localizations/src/en-US.ts                 |  1 +
 packages/types/src/localization.ts                  |  1 +
 3 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx b/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
index 1b23816be58..1e2613d0511 100644
--- a/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
+++ b/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
@@ -1,6 +1,4 @@
-import { ClerkWebAuthnError } from '@clerk/shared/error';
 import { useClerk, useSession } from '@clerk/shared/react';
-import { isWebAuthnSupported as isWebAuthnSupportedOnWindow } from '@clerk/shared/webauthn';
 import type { SessionVerificationResource } from '@clerk/types';
 import React, { useEffect } from 'react';
 
@@ -23,16 +21,7 @@ export const UVFactorOnePasskeysCard = (props: UVFactorOnePasskeysCard) => {
 
   const card = useCardState();
 
-  const isWebAuthnSupported = __internal_isWebAuthnSupported || isWebAuthnSupportedOnWindow;
-
   const prepare = async () => {
-    // TODO: This should be moved when checking if we will show the strategy
-    if (!isWebAuthnSupported()) {
-      throw new ClerkWebAuthnError('Passkeys are not supported', {
-        code: 'passkey_not_supported',
-      });
-    }
-
     const response = await session?.prepareFirstFactorVerification({ strategy: 'passkey' });
 
     if (response) {
@@ -83,7 +72,7 @@ export const UVFactorOnePasskeysCard = (props: UVFactorOnePasskeysCard) => {
                   e.preventDefault();
                   handlePasskeysAttempt();
                 }}
-                localizationKey={'Use your passkeys'}
+                localizationKey={localizationKeys('reverification.passkey.blockButton__passkey')}
                 hasArrow
               />
               <Card.Action elementId='alternativeMethods'>
diff --git a/packages/localizations/src/en-US.ts b/packages/localizations/src/en-US.ts
index 0669a193afa..18cc611f04d 100644
--- a/packages/localizations/src/en-US.ts
+++ b/packages/localizations/src/en-US.ts
@@ -286,6 +286,7 @@ export const enUS: LocalizationResource = {
     passkey: {
       subtitle: 'Using your passkey confirms it’s you. Your device may ask for your fingerprint, face, or screen lock.',
       title: 'Use your passkey',
+      blockButton__passkey: 'Use your passkey',
     },
     emailCode: {
       formTitle: 'Verification code',
diff --git a/packages/types/src/localization.ts b/packages/types/src/localization.ts
index 8154f869fbf..3fc1c6fcf33 100644
--- a/packages/types/src/localization.ts
+++ b/packages/types/src/localization.ts
@@ -349,6 +349,7 @@ type _LocalizationResource = {
     passkey: {
       title: LocalizationValue;
       subtitle: LocalizationValue;
+      blockButton__passkey: LocalizationValue;
     };
     alternativeMethods: {
       title: LocalizationValue;

From 3db9ff2b972bb3377f90896566152b0ec4582f63 Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Fri, 7 Mar 2025 10:57:08 +0200
Subject: [PATCH 4/9] fix(clerk-js,types): Remove passkeys from second factor

---
 .../clerk-js/src/core/resources/Session.ts    | 54 +++++++------------
 packages/types/src/session.ts                 |  7 +--
 2 files changed, 20 insertions(+), 41 deletions(-)

diff --git a/packages/clerk-js/src/core/resources/Session.ts b/packages/clerk-js/src/core/resources/Session.ts
index d63c27ff2db..befa21b24cf 100644
--- a/packages/clerk-js/src/core/resources/Session.ts
+++ b/packages/clerk-js/src/core/resources/Session.ts
@@ -1,6 +1,7 @@
 import { createCheckAuthorization } from '@clerk/shared/authorization';
-import { is4xxError } from '@clerk/shared/error';
+import { ClerkWebAuthnError, is4xxError } from '@clerk/shared/error';
 import { retry } from '@clerk/shared/retry';
+import { isWebAuthnSupported as isWebAuthnSupportedOnWindow } from '@clerk/shared/webauthn';
 import type {
   ActJWTClaim,
   CheckAuthorization,
@@ -14,7 +15,6 @@ import type {
   SessionStatus,
   SessionTask,
   SessionVerificationJSON,
-  SessionVerificationLevel,
   SessionVerificationResource,
   SessionVerifyAttemptFirstFactorParams,
   SessionVerifyAttemptSecondFactorParams,
@@ -29,7 +29,7 @@ import { unixEpochToDate } from '../../utils/date';
 import {
   convertJSONToPublicKeyRequestOptions,
   serializePublicKeyCredentialAssertion,
-  webAuthnGetCredential,
+  webAuthnGetCredential as webAuthnGetCredentialOnWindow,
 } from '../../utils/passkeys';
 import { clerkInvalidStrategy, clerkMissingWebAuthnPublicKeyOptions } from '../errors';
 import { eventBus, events } from '../events';
@@ -182,11 +182,12 @@ export class Session extends BaseResource implements SessionResource {
   ): Promise<SessionVerificationResource> => {
     let config;
     switch (attemptFactor.strategy) {
-      case 'passkey':
+      case 'passkey': {
         config = {
           publicKeyCredential: JSON.stringify(serializePublicKeyCredentialAssertion(attemptFactor.publicKeyCredential)),
         };
         break;
+      }
       default:
         config = { ...attemptFactor };
     }
@@ -203,24 +204,25 @@ export class Session extends BaseResource implements SessionResource {
   };
 
   attemptFirstFactorPasskeyVerification = async (nonce: string | null): Promise<SessionVerificationResource> => {
-    return this.#attemptPasskeyVerification(nonce, 'first_factor');
-  };
-
-  attemptSecondFactorPasskeyVerification = async (nonce: string | null): Promise<SessionVerificationResource> => {
-    return this.#attemptPasskeyVerification(nonce, 'second_factor');
-  };
+    /**
+     * The UI should always prevent from this method being called if WebAuthn is not supported.
+     * As a precaution we need to check if WebAuthn is supported.
+     */
+    const isWebAuthnSupported = Session.clerk.__internal_isWebAuthnSupported || isWebAuthnSupportedOnWindow;
+    const webAuthnGetCredential = Session.clerk.__internal_getPublicCredentials || webAuthnGetCredentialOnWindow;
+
+    if (!isWebAuthnSupported()) {
+      throw new ClerkWebAuthnError('Passkeys are not supported', {
+        code: 'passkey_not_supported',
+      });
+    }
 
-  #attemptPasskeyVerification = async (
-    nonce: string | null,
-    level: Omit<SessionVerificationLevel, 'SessionVerificationLevel'>,
-  ): Promise<SessionVerificationResource> => {
     const publicKeyOptions = nonce ? convertJSONToPublicKeyRequestOptions(JSON.parse(nonce)) : null;
 
     if (!publicKeyOptions) {
       clerkMissingWebAuthnPublicKeyOptions('get');
     }
 
-    // Invoke the navigator.create.get() method.
     const { publicKeyCredential, error } = await webAuthnGetCredential({
       publicKeyOptions,
       conditionalUI: false,
@@ -230,14 +232,7 @@ export class Session extends BaseResource implements SessionResource {
       throw error;
     }
 
-    if (level === 'first_factor') {
-      return this.attemptFirstFactorVerification({
-        strategy: 'passkey',
-        publicKeyCredential,
-      });
-    }
-
-    return this.attemptSecondFactorVerification({
+    return this.attemptFirstFactorVerification({
       strategy: 'passkey',
       publicKeyCredential,
     });
@@ -260,22 +255,11 @@ export class Session extends BaseResource implements SessionResource {
   attemptSecondFactorVerification = async (
     attemptFactor: SessionVerifyAttemptSecondFactorParams,
   ): Promise<SessionVerificationResource> => {
-    let config;
-    switch (attemptFactor.strategy) {
-      case 'passkey':
-        config = {
-          publicKeyCredential: JSON.stringify(serializePublicKeyCredentialAssertion(attemptFactor.publicKeyCredential)),
-        };
-        break;
-      default:
-        config = { ...attemptFactor };
-    }
-
     const json = (
       await BaseResource._fetch({
         method: 'POST',
         path: `/client/sessions/${this.id}/verify/attempt_second_factor`,
-        body: { ...config, strategy: attemptFactor.strategy } as any,
+        body: attemptFactor as any,
       })
     )?.response as unknown as SessionVerificationJSON;
 
diff --git a/packages/types/src/session.ts b/packages/types/src/session.ts
index 976229e02b8..3fe358398e7 100644
--- a/packages/types/src/session.ts
+++ b/packages/types/src/session.ts
@@ -155,7 +155,6 @@ export interface SessionResource extends ClerkResource {
     params: SessionVerifyAttemptSecondFactorParams,
   ) => Promise<SessionVerificationResource>;
   attemptFirstFactorPasskeyVerification: (nonce: string | null) => Promise<SessionVerificationResource>;
-  attemptSecondFactorPasskeyVerification: (nonce: string | null) => Promise<SessionVerificationResource>;
   __internal_toSnapshot: () => SessionJSONSnapshot;
 }
 
@@ -248,8 +247,4 @@ export type SessionVerifyAttemptFirstFactorParams =
   | PasskeyAttempt;
 
 export type SessionVerifyPrepareSecondFactorParams = PhoneCodeSecondFactorConfig;
-export type SessionVerifyAttemptSecondFactorParams =
-  | PhoneCodeAttempt
-  | TOTPAttempt
-  | BackupCodeAttempt
-  | PasskeyAttempt;
+export type SessionVerifyAttemptSecondFactorParams = PhoneCodeAttempt | TOTPAttempt | BackupCodeAttempt;

From 050cbaab96d60a790237f0061eba71c00634238d Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Fri, 7 Mar 2025 11:16:13 +0200
Subject: [PATCH 5/9] chore(clerk-js): Remove unused hook

---
 .../src/ui/components/UserVerification/AlternativeMethods.tsx    | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx b/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
index d86534994c7..937602668fe 100644
--- a/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
+++ b/packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
@@ -5,7 +5,6 @@ import type { LocalizationKey } from '../../customizables';
 import { Col, descriptors, Flex, Flow, localizationKeys } from '../../customizables';
 import { ArrowBlockButton, BackLink, Card, Header } from '../../elements';
 import { useCardState } from '../../elements/contexts';
-import { useAlternativeStrategies } from '../../hooks/useAlternativeStrategies';
 import { ChatAltIcon, Email, Fingerprint, LockClosedIcon } from '../../icons';
 import { formatSafeIdentifier } from '../../utils';
 import { useReverificationAlternativeStrategies } from './useReverificationAlternativeStrategies';

From 966f15ad2f19ece0a5d40c6b180f03d2fd9a8760 Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Tue, 11 Mar 2025 13:42:24 +0200
Subject: [PATCH 6/9] refactor(clerk-js): Introduced verifyWithPasskey to
 handle passkeys verification easier

---
 .../clerk-js/src/core/resources/Session.ts    | 13 ++++++-
 .../UVFactorOnePasskeysCard.tsx               | 36 ++++---------------
 .../useReverificationAlternativeStrategies.ts |  1 +
 packages/types/src/session.ts                 |  2 +-
 4 files changed, 21 insertions(+), 31 deletions(-)

diff --git a/packages/clerk-js/src/core/resources/Session.ts b/packages/clerk-js/src/core/resources/Session.ts
index befa21b24cf..359f72101bf 100644
--- a/packages/clerk-js/src/core/resources/Session.ts
+++ b/packages/clerk-js/src/core/resources/Session.ts
@@ -203,7 +203,18 @@ export class Session extends BaseResource implements SessionResource {
     return new SessionVerification(json);
   };
 
-  attemptFirstFactorPasskeyVerification = async (nonce: string | null): Promise<SessionVerificationResource> => {
+  verifyWithPasskey = async (): Promise<SessionVerificationResource> => {
+    const prepareResponse = await this.prepareFirstFactorVerification({ strategy: 'passkey' });
+
+    const { nonce = null } = prepareResponse.firstFactorVerification;
+
+    if (!nonce) {
+      // Throw an error if the nonce is not present
+      throw new ClerkWebAuthnError('Passkeys are not supported', {
+        code: 'passkey_not_supported',
+      });
+    }
+
     /**
      * The UI should always prevent from this method being called if WebAuthn is not supported.
      * As a precaution we need to check if WebAuthn is supported.
diff --git a/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx b/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
index 1e2613d0511..11ade66d567 100644
--- a/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
+++ b/packages/clerk-js/src/ui/components/UserVerification/UVFactorOnePasskeysCard.tsx
@@ -1,6 +1,5 @@
 import { useClerk, useSession } from '@clerk/shared/react';
-import type { SessionVerificationResource } from '@clerk/types';
-import React, { useEffect } from 'react';
+import React from 'react';
 
 import { Button, Col, descriptors, localizationKeys } from '../../customizables';
 import { Card, Form, Header, useCardState } from '../../elements';
@@ -14,39 +13,18 @@ type UVFactorOnePasskeysCard = {
 export const UVFactorOnePasskeysCard = (props: UVFactorOnePasskeysCard) => {
   const { onShowAlternativeMethodsClicked } = props;
   const { session } = useSession();
-  const { handleVerificationResponse } = useAfterVerification();
   // @ts-expect-error - This is not a public API
   const { __internal_isWebAuthnSupported } = useClerk();
-  const [prepareResponse, setPrepareResponse] = React.useState<SessionVerificationResource | null>(null);
+  const { handleVerificationResponse } = useAfterVerification();
 
   const card = useCardState();
 
-  const prepare = async () => {
-    const response = await session?.prepareFirstFactorVerification({ strategy: 'passkey' });
-
-    if (response) {
-      setPrepareResponse(response);
-    }
-  };
-
-  useEffect(() => {
-    prepare().catch(err => handleError(err, [], card.setError));
-  }, []);
-
   const handlePasskeysAttempt = () => {
-    if (!prepareResponse) {
-      return;
-    }
-
-    const { nonce = null } = prepareResponse.firstFactorVerification;
-
-    if (!nonce) {
-      return;
-    }
-
-    session!
-      .attemptFirstFactorPasskeyVerification(nonce)
-      .then(handleVerificationResponse)
+    session
+      ?.verifyWithPasskey()
+      .then(response => {
+        return handleVerificationResponse(response);
+      })
       .catch(err => handleError(err, [], card.setError));
 
     return;
diff --git a/packages/clerk-js/src/ui/components/UserVerification/useReverificationAlternativeStrategies.ts b/packages/clerk-js/src/ui/components/UserVerification/useReverificationAlternativeStrategies.ts
index 9184ae8e8fc..e6defec9ac9 100644
--- a/packages/clerk-js/src/ui/components/UserVerification/useReverificationAlternativeStrategies.ts
+++ b/packages/clerk-js/src/ui/components/UserVerification/useReverificationAlternativeStrategies.ts
@@ -1,3 +1,4 @@
+import { isWebAuthnSupported } from '@clerk/shared/webauthn';
 import type { SignInFactor, SignInFirstFactor, SignInSecondFactor } from '@clerk/types';
 import { useMemo } from 'react';
 
diff --git a/packages/types/src/session.ts b/packages/types/src/session.ts
index 3fe358398e7..6f40a118250 100644
--- a/packages/types/src/session.ts
+++ b/packages/types/src/session.ts
@@ -154,7 +154,7 @@ export interface SessionResource extends ClerkResource {
   attemptSecondFactorVerification: (
     params: SessionVerifyAttemptSecondFactorParams,
   ) => Promise<SessionVerificationResource>;
-  attemptFirstFactorPasskeyVerification: (nonce: string | null) => Promise<SessionVerificationResource>;
+  verifyWithPasskey: () => Promise<SessionVerificationResource>;
   __internal_toSnapshot: () => SessionJSONSnapshot;
 }
 

From 0b0244f302b036fe5066e8d0547bc7d13c68eeea Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Tue, 11 Mar 2025 15:38:21 +0200
Subject: [PATCH 7/9] Update packages/localizations/src/en-US.ts

Co-authored-by: panteliselef <panteliselef@outlook.com>
---
 packages/localizations/src/en-US.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/localizations/src/en-US.ts b/packages/localizations/src/en-US.ts
index 18cc611f04d..c260f777fad 100644
--- a/packages/localizations/src/en-US.ts
+++ b/packages/localizations/src/en-US.ts
@@ -284,7 +284,7 @@ export const enUS: LocalizationResource = {
       title: 'Enter a backup code',
     },
     passkey: {
-      subtitle: 'Using your passkey confirms it’s you. Your device may ask for your fingerprint, face, or screen lock.',
+      subtitle: 'Using your passkey confirms your identity. Your device may ask for your fingerprint, face, or screen lock.',
       title: 'Use your passkey',
       blockButton__passkey: 'Use your passkey',
     },

From 8df8c554137c921cc1758c8c782f4dff0719dc81 Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Tue, 11 Mar 2025 15:55:22 +0200
Subject: [PATCH 8/9] fix(clerk-js): Remove not needed error from
 verifiWithPasskey

---
 .changeset/purple-hounds-tie.md                            | 6 +++---
 packages/clerk-js/src/core/resources/Session.ts            | 7 -------
 .../UserVerification/UserVerificationFactorOne.tsx         | 4 ++--
 3 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/.changeset/purple-hounds-tie.md b/.changeset/purple-hounds-tie.md
index fd8ab1f8b2e..433d99f4e2c 100644
--- a/.changeset/purple-hounds-tie.md
+++ b/.changeset/purple-hounds-tie.md
@@ -1,7 +1,7 @@
 ---
-"@clerk/clerk-js": patch
-"@clerk/localizations": patch
-"@clerk/types": patch
+"@clerk/clerk-js": minor
+"@clerk/localizations": minor
+"@clerk/types": minor
 ---
 
 Support passkeys as a first factor strategy for reverification
diff --git a/packages/clerk-js/src/core/resources/Session.ts b/packages/clerk-js/src/core/resources/Session.ts
index 359f72101bf..d3972d75327 100644
--- a/packages/clerk-js/src/core/resources/Session.ts
+++ b/packages/clerk-js/src/core/resources/Session.ts
@@ -208,13 +208,6 @@ export class Session extends BaseResource implements SessionResource {
 
     const { nonce = null } = prepareResponse.firstFactorVerification;
 
-    if (!nonce) {
-      // Throw an error if the nonce is not present
-      throw new ClerkWebAuthnError('Passkeys are not supported', {
-        code: 'passkey_not_supported',
-      });
-    }
-
     /**
      * The UI should always prevent from this method being called if WebAuthn is not supported.
      * As a precaution we need to check if WebAuthn is supported.
diff --git a/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx b/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx
index e0193b8a303..e3d4da4c410 100644
--- a/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx
+++ b/packages/clerk-js/src/ui/components/UserVerification/UserVerificationFactorOne.tsx
@@ -28,7 +28,7 @@ const factorKey = (factor: SignInFactor | null | undefined) => {
   return key;
 };
 
-export function UserVerificationFactorOneComponent(): JSX.Element | null {
+export function UserVerificationFactorOneInternal(): JSX.Element | null {
   const { data } = useUserVerificationSession();
   const card = useCardState();
   const { navigate } = useRouter();
@@ -143,5 +143,5 @@ export function UserVerificationFactorOneComponent(): JSX.Element | null {
 }
 
 export const UserVerificationFactorOne = withUserVerificationSessionGuard(
-  withCardStateProvider(UserVerificationFactorOneComponent),
+  withCardStateProvider(UserVerificationFactorOneInternal),
 );

From d70b94924939cbe05afd775ed3808c97e921d7fb Mon Sep 17 00:00:00 2001
From: Vaggelis Yfantis <me@octoper.me>
Date: Tue, 11 Mar 2025 15:59:29 +0200
Subject: [PATCH 9/9] chore(repo): Run prettier

---
 packages/localizations/src/en-US.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/localizations/src/en-US.ts b/packages/localizations/src/en-US.ts
index c260f777fad..bfc84567c80 100644
--- a/packages/localizations/src/en-US.ts
+++ b/packages/localizations/src/en-US.ts
@@ -284,7 +284,8 @@ export const enUS: LocalizationResource = {
       title: 'Enter a backup code',
     },
     passkey: {
-      subtitle: 'Using your passkey confirms your identity. Your device may ask for your fingerprint, face, or screen lock.',
+      subtitle:
+        'Using your passkey confirms your identity. Your device may ask for your fingerprint, face, or screen lock.',
       title: 'Use your passkey',
       blockButton__passkey: 'Use your passkey',
     },