🐛 server: fix multi-device passkey auth #1038

Merged
cruzdanilo merged 3 commits into main from counter on May 21, 2026

Conversation

cruzdanilo (Member) commented May 21, 2026

closes #1037

Summary by CodeRabbit

  • Bug Fixes
    • Fixed multi-device passkey authentication to work correctly across multiple registered authentication methods.
  • Chores
    • Simplified passkey credential management by removing internal counter tracking, reducing complexity while maintaining security.

changeset-bot (Bot) commented May 21, 2026

🦋 Changeset detected

Latest commit: 3210782

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: @exactly/server (Patch)

coderabbitai (Bot) commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 204a4cf and 3210782.

📒 Files selected for processing (9)
  • .changeset/brave-hounds-verify.md
  • .changeset/sharp-webs-eat.md
  • server/api/auth/authentication.ts
  • server/api/card.ts
  • server/database/schema.ts
  • server/test/api/auth.test.ts
  • server/test/api/card.test.ts
  • server/utils/createCredential.ts
  • server/utils/panda.ts
💤 Files with no reviewable changes (3)
  • server/utils/createCredential.ts
  • server/database/schema.ts
  • server/utils/panda.ts

Walkthrough

This PR removes WebAuthn counter validation from the server's credential authentication and card update flows, and drops the counter column from the database schema to support multi-device passkeys that may not increment counters reliably.

Changes

WebAuthn counter removal

  • Credentials table schema and Panda type contracts (server/database/schema.ts, server/utils/panda.ts): The credentials table removes the counter column and adds credential linking fields (kycId, pandaId, bridgeId, source); the Panda service type removes counter from the WebAuthn payload credential shape.
  • Authentication endpoint: remove counter tracking (server/api/auth/authentication.ts): The POST / authenticate endpoint no longer fetches the stored counter from the database, passes a hard-coded counter: 0 to verifyAuthenticationResponse, or persists the computed newCounter back to storage.
  • Card endpoint: remove counter from verification (server/api/card.ts): The PATCH / card endpoint removes the counter field from the credentials database query and from the credential object passed to panda.verify().
  • Credential creation: stop persisting counter (server/utils/createCredential.ts): The createCredential utility no longer writes the WebAuthn counter value when inserting a new credential record.
  • Authentication tests: update mocks and assertions (server/test/api/auth.test.ts): Test fixtures remove the counter field from credential objects and mock return shapes; SimpleWebAuthn mocks no longer return newCounter from verifyAuthenticationResponse.
  • Card tests: update verification assertions (server/test/api/card.test.ts): Card verification tests update expected panda.verify() call arguments to remove the counter field across all test scenarios.
  • Changelog entries (.changeset/brave-hounds-verify.md, .changeset/sharp-webs-eat.md): Two changesets document the patch release that removes counter validation and the passkey counter column.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • exactly/exa#991: Introduces the WebAuthn credential.counter field in the Panda service payload that this PR now removes.
  • exactly/exa#896: Modifies the credentials table schema by introducing bridgeId indexing alongside the credential linking fields added in this PR.
  • exactly/exa#674: Threads credential persistence through createCredential and adds the source column that accompanies the counter removal in this PR.

Suggested reviewers

  • nfmelendez
  • dieguezguille

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

  • Out of Scope Changes check: ⚠️ Warning. Explanation: All changes directly relate to removing WebAuthn counter validation. The addition of credential identity fields (kycId, pandaId, bridgeId, source) in the schema appears unrelated to counter removal and may be out of scope. Resolution: Clarify whether the credential identity fields (kycId, pandaId, bridgeId, source) added to the schema are necessary for this counter-removal work or if they should be addressed in a separate PR.

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title mentions the main change (fixing multi-device passkey auth) but uses an emoji and informal phrasing. It's partially related but not optimally clear compared to the actual implementation of removing counter validation.
  • Linked Issues check: ✅ Passed. The changes fully address the objective to disable passkey counter validation by removing counter tracking and validation throughout the codebase for multi-device credential support.


chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 14fdc0272a

gemini-code-assist (Bot) left a comment

Code Review

This pull request modifies the WebAuthn authentication flow to support multi-device passkeys by hardcoding the authenticator counter to zero and removing the counter field from database queries in authentication and card management modules. While this change enables compatibility with synchronized passkeys, feedback highlights that it disables clone detection for hardware authenticators. It is also recommended to remove the now-redundant database update logic for the counter to avoid unnecessary writes.
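The clone-detection trade-off described in the review above, as an added example that is not part of this PR or of the exactly/exa code base: the WebAuthn signature-counter rule that passing counter: 0 bypasses, shown with a synced passkey (counter always 0, so the check is skipped) beside a hardware key whose counter rolls back (flagged). The function names, the constructed authenticatorData bytes and the stored-counter values are assumptions made for the example.

```typescript
// Added example (not exactly/exa code): the WebAuthn signature-counter rule
// that this PR bypasses by passing counter: 0. The counter is compared only
// when either side is non-zero, so synced passkeys (always 0) pass while a
// hardware key whose counter stops increasing is flagged. Names are assumptions.

type CounterVerdict = "skip" | "ok" | "clone-suspected";

interface AuthDataSummary {
  backupEligible: boolean; // BE flag: credential is a multi-device passkey
  backupState: boolean; // BS flag: credential is currently backed up / synced
  signCount: number;
}

// Parse the fixed head of WebAuthn authenticatorData:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
function parseAuthData(authData: Uint8Array): AuthDataSummary {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = view.getUint8(32);
  return {
    backupEligible: (flags & 0x08) !== 0,
    backupState: (flags & 0x10) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Spec rule (WebAuthn §7.2): compare only when a counter is actually in use.
function checkSignCounter(stored: number, received: number): CounterVerdict {
  if (stored === 0 && received === 0) return "skip";
  return received > stored ? "ok" : "clone-suspected";
}

// What a relying party persists after a verified assertion: never roll back.
function nextStoredCounter(stored: number, received: number): number {
  return checkSignCounter(stored, received) === "ok" ? received : stored;
}

// Constructed authenticatorData with an all-zero rpIdHash (test fixture only).
function fakeAuthData(flags: number, signCount: number): Uint8Array {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

// Synced passkey: UP|UV|BE|BS (0x1d), counter 0 on every device -> "skip".
const synced = parseAuthData(fakeAuthData(0x1d, 0));
// Hardware key: UP|UV (0x05) reporting 5 after a stored 7 -> "clone-suspected".
const hardware = parseAuthData(fakeAuthData(0x05, 5));
```

Keeping the stored counter column and persisting nextStoredCounter lets the relying party skip the check for synced passkeys without giving up rollback detection for hardware keys that do report a counter.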

sentry (Bot) commented May 21, 2026

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 73.00%. Comparing base (204a4cf) to head (3210782).
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines: server/api/auth/authentication.ts (patch 0.00%; 0 missing and 1 partial ⚠️)
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1038      +/-   ##
==========================================
+ Coverage   72.89%   73.00%   +0.10%     
==========================================
  Files         243      243              
  Lines       10343    10421      +78     
  Branches     3406     3437      +31     
==========================================
+ Hits         7540     7608      +68     
- Misses       2499     2506       +7     
- Partials      304      307       +3     
Flag e2e: 72.82% coverage (patch <0.00%), Δ -0.08% ⬇️

@cruzdanilo cruzdanilo merged commit 3210782 into main May 21, 2026
10 of 12 checks passed
@cruzdanilo cruzdanilo deleted the counter branch May 21, 2026 21:29

Development

Successfully merging this pull request may close these issues.

server: disable passkey counter validation

1 participant