add Embedded Wallet PASSKEY reauth #377
✱ Stainless preview builds

This PR will update the kotlin openapi python typescript Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-python studio · code · diff

- 💡 Model/Recommended: We recommend you use a model for `#/components/schemas/AuthMethod`
- 💡 Model/Recommended: We recommend you use a model for `#/components/schemas/PasskeyAuthChallenge`

✅ grid-openapi studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.

generate ❗ New diagnostics (2 note)

- 💡 Model/Recommended: We recommend you use a model for `#/components/schemas/AuthMethod`
- 💡 Model/Recommended: We recommend you use a model for `#/components/schemas/PasskeyAuthChallenge`

⏳ grid-kotlin studio · code · diff

generate ❗ → build ⏳ → lint ✅ → test ⏳ New diagnostics (2 note)

- 💡 Model/Recommended: We recommend you use a model for `#/components/schemas/AuthMethod`
- 💡 Model/Recommended: We recommend you use a model for `#/components/schemas/PasskeyAuthChallenge`

⏳ These are partial results; builds are still running.

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-04-23 03:36:41 UTC
Greptile Summary

Extends

Confidence Score: 5/5

Safe to merge — the only finding is a cosmetic typo in an example value.

All three changed files are OpenAPI spec/bundle updates with no logic code. The schema wiring correctly references the AuthCredentialResponseOneOf discriminated union and its constituent schemas. The sole issue is a capitalisation typo in an example nickname ("Iphone Face-Id"), which is P2 and does not affect correctness, validation, or runtime behaviour.

No files require special attention beyond the minor typo in the passkey example in openapi/paths/auth/auth_credentials_{id}_challenge.yaml.

| Filename | Overview |
|---|---|
| openapi/paths/auth/auth_credentials_{id}_challenge.yaml | Source endpoint definition updated: schema ref swapped to AuthCredentialResponseOneOf, description expanded for both EMAIL_OTP and PASSKEY branches, per-type examples added. Minor typo in passkey example nickname ("Iphone Face-Id" → "iPhone Face-ID"). |
| openapi.yaml | Generated bundle — identical change as the source YAML; regenerated via make build as described. No independent issues beyond the typo mirrored from the source. |
| mintlify/openapi.yaml | Mintlify-specific generated bundle — same delta as openapi.yaml, regenerated correctly via make build. |
Sequence Diagram
```mermaid
sequenceDiagram
    participant Client
    participant Grid API
    Note over Client,Grid API: PASSKEY reauthentication flow
    Client->>Grid API: POST /auth/credentials/{id}/challenge
    Grid API-->>Client: 200 PasskeyAuthChallenge<br/>(challenge, requestId, expiresAt)
    Client->>Client: navigator.credentials.get(challenge)
    Client->>Grid API: POST /auth/credentials/{id}/verify<br/>Request-Id: requestId
    Grid API-->>Client: 200 Session
    Note over Client,Grid API: EMAIL_OTP reauthentication flow
    Client->>Grid API: POST /auth/credentials/{id}/challenge
    Grid API-->>Client: 200 AuthMethod (OTP sent out-of-band)
    Note right of Client: User receives OTP via email
    Client->>Grid API: POST /auth/credentials/{id}/verify<br/>(OTP in request body)
    Grid API-->>Client: 200 Session
```
Prompt To Fix All With AI
This is a comment left during a code review.
Path: openapi/paths/auth/auth_credentials_{id}_challenge.yaml
Line: 65
Comment:
**Typo in passkey example `nickname`**
`Iphone Face-Id` should use Apple's official product naming: `iPhone Face-ID`. The incorrect capitalisation ("Iphone", "Face-Id") will be shown verbatim in generated docs/SDKs and looks like an error to developers who know the trademark.
```suggestion
nickname: iPhone Face-ID
```
How can I resolve this? If you propose a fix, please make it concise.

Reviews (1): Last reviewed commit: "feat: add PASSKEY branch to /challenge r..."

Extends `POST /auth/credentials/{id}/challenge` to cover `PASSKEY` reauthentication. Previously the endpoint only covered `EMAIL_OTP` (re-send OTP email → plain `AuthMethod` response). The `PASSKEY` flow needs a fresh Grid-issued WebAuthn challenge on each reauth — this PR surfaces that challenge in the 200 response via the discriminated `AuthCredentialResponseOneOf` shape introduced earlier in the stack.
**Flow (PASSKEY)**
1. `POST /auth/credentials/{id}/challenge` → 200 `PasskeyAuthChallenge` (`AuthMethod` fields + `challenge`, `requestId`, `expiresAt`).
2. Client runs `navigator.credentials.get()` against the Grid-issued `challenge`.
3. Client submits the assertion to `POST /auth/credentials/{id}/verify` with `Request-Id: <requestId>`.
4. Verify returns a session.
**Wire-up**
- `openapi/paths/auth/auth_credentials_{id}_challenge.yaml` — 200 response `$ref` swapped from `AuthMethod` to `AuthCredentialResponseOneOf`. Added per-type examples (EMAIL_OTP plain `AuthMethod`; PASSKEY `PasskeyAuthChallenge`).
- Endpoint description expanded to cover both branches: EMAIL_OTP triggers a new OTP email (no challenge body — OTP is out-of-band), PASSKEY issues a fresh Grid-generated challenge inline.
- Summary updated from "Resend an authentication credential challenge" to "Re-issue an authentication credential challenge" — more accurate across both branches.
- No new schemas introduced; the oneOf and `PasskeyAuthChallenge` both come from the create-endpoint PR earlier in the stack.
- No `.stainless/stainless.yml` change: the `challenge` method is already registered on `auth.credentials`, and the two models it now references (`AuthCredentialResponseOneOf`, `PasskeyAuthChallenge`) are registered by the create PR.
**Notes**
- Rate limiting (429 `RATE_LIMITED`) still applies equally to both branches.
- Prior PR in the stack documents "only one PASSKEY credential per internal account in v1"; this endpoint just re-challenges an existing credential, so the v1 cardinality restriction is a no-op here.
- Bundled `openapi.yaml` + `mintlify/openapi.yaml` regenerated via `make build`.
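
The two `/challenge` branches described above, sketched as client-side handling (an added example, not code from this PR or from the Grid SDKs). The `type` discriminator name, the base64url encoding of `challenge`, and the `/verify` request body are assumptions; `fetchImpl`, `getAssertion` and `now` are hypothetical injection points so the flow can run outside a browser.

```javascript
// Added example. Assumptions: discriminator field `type`, base64url-encoded
// `challenge`, and the /verify body shape are NOT taken from the spec.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// deps.fetchImpl: fetch-compatible function (hypothetical injection point).
// deps.getAssertion: in a browser, wrap navigator.credentials.get, e.g.
//   (publicKey) => navigator.credentials.get({ publicKey })
//     .then((cred) => cred.toJSON())
// deps.now: clock in ms, injectable so expiry handling can be tested.
async function reauthenticate(credentialId, deps) {
  const { fetchImpl, getAssertion, now = Date.now } = deps;
  const base = `/auth/credentials/${encodeURIComponent(credentialId)}`;

  const res = await fetchImpl(`${base}/challenge`, { method: "POST" });
  if (res.status === 429) return { status: "rate_limited" }; // RATE_LIMITED
  if (!res.ok) throw new Error(`challenge failed: ${res.status}`);
  const body = await res.json();

  // EMAIL_OTP branch: plain AuthMethod, the OTP travels out-of-band.
  if (body.type === "EMAIL_OTP") return { status: "otp_sent" };
  if (body.type !== "PASSKEY") throw new Error(`unexpected type: ${body.type}`);

  // PASSKEY branch: fail closed on missing fields or a stale challenge,
  // before the user is ever shown an authenticator prompt.
  const { challenge, requestId, expiresAt } = body;
  if (!challenge || !requestId) throw new Error("incomplete PasskeyAuthChallenge");
  if (!(Date.parse(expiresAt) > now())) return { status: "challenge_expired" };

  const assertion = await getAssertion({ challenge: b64urlToBytes(challenge) });

  // Request-Id carries the requestId returned alongside the challenge.
  const verify = await fetchImpl(`${base}/verify`, {
    method: "POST",
    headers: { "Content-Type": "application/json", "Request-Id": requestId },
    body: JSON.stringify({ assertion }), // body shape is an assumption
  });
  if (!verify.ok) throw new Error(`verify failed: ${verify.status}`);
  return { status: "session", session: await verify.json() };
}
```

A caller that receives `challenge_expired` should request a fresh challenge rather than reuse the old `requestId`, since the PR states a new Grid-issued challenge is needed on each reauth.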