Skip to content

feat: add Passwordless OTP for database connections#1585

Open
subhankarmaiti wants to merge 2 commits into
masterfrom
feat/passwordless-otp-database-connections
Open

feat: add Passwordless OTP for database connections#1585
subhankarmaiti wants to merge 2 commits into
masterfrom
feat/passwordless-otp-database-connections

Conversation

@subhankarmaiti

@subhankarmaiti subhankarmaiti commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Adds support for Passwordless OTP on database connections — an embedded (non-redirect) flow where a user authenticates with a one-time code sent to their email or phone, against a standard database connection that has email_otp / phone_otp enabled.

This is distinct from the existing /passwordless/start flow (which only works with dedicated email/sms strategy connections). It is delegated to the native SDKs (Auth0.swift ≥ 2.23.0, Auth0.Android ≥ 3.20.0) and exposed through a new auth0.passwordless namespace.

Note: Not supported on web — calls reject with UnsupportedOperation.

Public API

A new passwordless client, available on both the Auth0 instance and the useAuth0 hook:

passwordless.challengeWithEmail(params): Promise<PasswordlessChallenge>                                                            
passwordless.challengeWithPhoneNumber(params): Promise<PasswordlessChallenge>                                                                          
passwordless.loginWithOTP(params): Promise<Credentials>                                                                                                
  • connection is required (the database connection name).
  • deliveryMethod (phone only) is 'text' | 'voice', defaults to 'text'.
  • allowSignup defaults to false.
  • The PasswordlessChallenge returned by a challenge is opaque — pass it straight into loginWithOTP.

Example

import { useAuth0 } from 'react-native-auth0';                                                                                     
                                                                                                                                                       
const { passwordless } = useAuth0();
                                                                                                                                                       
// 1. Request a code                                                                                                               
const challenge = await passwordless.challengeWithEmail({
  email: 'user@example.com',                                                                                                                           
  connection: 'Username-Password-Authentication',                                                                                                      
});                                                                                                                                                    
                                                                                                                                                       
// 2. Verify the code the user received                                                                                                                
const credentials = await passwordless.loginWithOTP({
  challenge,                                                                                                                                           
  otp: '123456',                                                                                                                   
});                                                                                                                                                    

Class-based usage is identical via auth0.passwordless.*.

Summary by CodeRabbit

  • New Features
    • Added native-only passwordless OTP flows for database connections: request challenges via email/phone and complete login with an OTP.
    • Exposed a new passwordless API across the public SDK and native bridges (including TurboModule bindings).
    • Updated native example screens to demonstrate requesting codes and signing in with OTP.
  • Documentation
    • Expanded examples documentation with an “Login with Passwordless OTP (Database Connections)” section and flow details.
  • Tests
    • Added unit tests covering native passwordless client and web “not supported” behavior.
  • Chores
    • Updated Auth0 dependency versions for iOS/Android.

@subhankarmaiti subhankarmaiti requested a review from a team as a code owner July 1, 2026 12:53
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b574f881-ec63-4525-b7fc-0a91d750c6d6

📥 Commits

Reviewing files that changed from the base of the PR and between 25a5ec4 and b96c00b.

📒 Files selected for processing (2)
  • src/platforms/native/adapters/NativePasswordlessClient.ts
  • src/platforms/web/adapters/__tests__/WebPasswordlessClient.spec.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/platforms/web/adapters/tests/WebPasswordlessClient.spec.ts
  • src/platforms/native/adapters/NativePasswordlessClient.ts

📝 Walkthrough

Walkthrough

Adds a native-only passwordless OTP flow for database connections across the SDK surface, native bridge layers, Android and iOS implementations, web stubs, example screens, documentation, and native dependency versions.

Changes

Passwordless OTP Feature

Layer / File(s) Summary
Type and parameter contracts
src/types/common.ts, src/types/parameters.ts
Adds PasswordlessChallenge, delivery method constants/types, and OTP challenge/login parameter interfaces.
Core client interface contract
src/core/interfaces/IPasswordlessClient.ts, src/core/interfaces/IAuth0Client.ts, src/core/interfaces/index.ts
Defines IPasswordlessClient and exposes it through the core interface surface.
Native bridge contract and manager
src/platforms/native/bridge/INativeBridge.ts, src/platforms/native/bridge/NativeBridgeManager.ts, src/specs/NativeA0Auth0.ts, src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts
Adds native bridge and TurboModule methods for passwordless challenge and OTP login, with manager tests.
Native passwordless client adapter
src/platforms/native/adapters/NativePasswordlessClient.ts, src/platforms/native/adapters/NativeAuth0Client.ts, src/platforms/native/adapters/__tests__/NativePasswordlessClient.spec.ts
Implements the native client adapter, wires it into NativeAuth0Client, and adds adapter tests.
Web unsupported stub
src/platforms/web/adapters/WebPasswordlessClient.ts, src/platforms/web/adapters/WebAuth0Client.ts, src/platforms/web/adapters/__tests__/WebPasswordlessClient.spec.ts
Adds the web client stub that rejects passwordless calls and wires it into the web client.
Public Auth0 facade, hooks, and context wiring
src/Auth0.ts, src/hooks/Auth0Context.ts, src/hooks/Auth0Provider.tsx
Exposes passwordless on the public facade and context, and implements provider actions for the new flow.
Android native implementation
android/build.gradle, android/src/main/java/com/auth0/react/Passwordless.kt, android/src/main/java/com/auth0/react/A0Auth0Module.kt
Adds the Android passwordless helper, module wiring, and Auth0 Android dependency update.
iOS native implementation
A0Auth0.podspec, ios/Passwordless.swift, ios/A0Auth0.mm
Adds the iOS passwordless helper, bridge wiring, and Auth0 CocoaPods dependency update.
Example app UI and docs
example/src/screens/class-based/ClassLogin.tsx, example/src/screens/hooks/Home.tsx, EXAMPLES.md
Adds passwordless OTP UI, handlers, and documentation for the example apps.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ExampleApp
  participant Auth0Provider
  participant NativePasswordlessClient
  participant NativeBridgeManager
  participant NativeModule

  ExampleApp->>Auth0Provider: passwordless.challengeWithEmail(...)
  Auth0Provider->>NativePasswordlessClient: challengeWithEmail(parameters)
  NativePasswordlessClient->>NativeBridgeManager: passwordlessChallengeWithEmail(email, connection, allowSignup)
  NativeBridgeManager->>NativeModule: passwordlessChallengeWithEmail(...)
  NativeModule-->>NativeBridgeManager: { authSession }
  NativeBridgeManager-->>NativePasswordlessClient: { authSession }
  NativePasswordlessClient-->>Auth0Provider: PasswordlessChallenge
  Auth0Provider-->>ExampleApp: challenge stored

  ExampleApp->>Auth0Provider: passwordless.loginWithOTP(...)
  Auth0Provider->>NativePasswordlessClient: loginWithOTP(parameters)
  NativePasswordlessClient->>NativeBridgeManager: passwordlessLoginWithOTP(authSession, otp, audience, scope)
  NativeBridgeManager->>NativeModule: passwordlessLoginWithOTP(...)
  NativeModule-->>NativeBridgeManager: Credentials
  NativeBridgeManager-->>NativePasswordlessClient: Credentials
  NativePasswordlessClient-->>Auth0Provider: Credentials
  Auth0Provider-->>ExampleApp: login complete
Loading

Suggested reviewers: pmathew92

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding Passwordless OTP support for database connections.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/passwordless-otp-database-connections

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
src/types/common.ts (1)

46-51: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Avoid any in the index signature.

[key: string]: any disables type checking for every extra property on this object, including authSession narrowing at call sites. Prefer unknown to preserve the opaque/extensible intent while keeping type safety; consumers can narrow if they need to inspect a specific key. As per coding guidelines, "Avoid using any types; use strict TypeScript typing instead."

♻️ Proposed fix
 export type PasswordlessChallenge = {
   /** The opaque auth session token used to complete the OTP login. */
   authSession: string;
   /** Allows for additional, non-standard properties returned from the server. */
-  [key: string]: any;
+  [key: string]: unknown;
 };
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/types/common.ts` around lines 46 - 51, Replace the
`PasswordlessChallenge` index signature’s `any` with `unknown` so extra
server-returned properties remain extensible without disabling type safety.
Update the `[key: string]: any` member in `PasswordlessChallenge` to use
`unknown`, and keep `authSession` unchanged so callers can still narrow specific
optional keys when needed.

Source: Coding guidelines

src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts (1)

479-502: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add an error-wrapping test for passwordlessChallengeWithPhoneNumber.

Unlike the sibling passwordlessChallengeWithEmail and passwordlessLoginWithOTP suites, this block doesn't verify that a native rejection is wrapped in AuthError.

As per coding guidelines: "All test files must maintain minimum 80% code coverage."

✅ Suggested additional test
     it('forwards all parameters including delivery method to the native module', async () => {
       ...
     });
+
+    it('wraps a native error in an AuthError', async () => {
+      MockedAuth0NativeModule.passwordlessChallengeWithPhoneNumber.mockRejectedValue({
+        code: 'a0.passwordless.challenge_failed',
+        message: 'boom',
+      });
+
+      await expect(
+        bridge.passwordlessChallengeWithPhoneNumber(
+          '+15555550123',
+          'Username-Password-Authentication',
+          'voice',
+          true
+        )
+      ).rejects.toThrow(AuthError);
+    });
   });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts` around
lines 479 - 502, Add a rejection-path test for
passwordlessChallengeWithPhoneNumber in NativeBridgeManager.spec.ts: mirror the
existing passwordlessChallengeWithEmail/passwordlessLoginWithOTP error-wrapping
coverage by making MockedAuth0NativeModule.passwordlessChallengeWithPhoneNumber
reject and asserting bridge.passwordlessChallengeWithPhoneNumber throws an
AuthError. Keep the current success-path parameter-forwarding test, and ensure
the new test verifies the native error is wrapped rather than returned directly.

Source: Coding guidelines

src/platforms/native/bridge/INativeBridge.ts (1)

293-313: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider reusing the shared PasswordlessChallenge type.

Both challenge methods return an anonymous { authSession: string } object, but PasswordlessChallenge (in src/types/common.ts) already models this exact shape and includes the extensible index signature. Reusing it here keeps bridge, adapter, and public-facing types aligned.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/platforms/native/bridge/INativeBridge.ts` around lines 293 - 313, Both
passwordless challenge methods in INativeBridge currently return an inline {
authSession: string } shape instead of the shared PasswordlessChallenge type.
Update passwordlessChallengeWithEmail and passwordlessChallengeWithPhoneNumber
to return PasswordlessChallenge from src/types/common.ts so the bridge stays
aligned with the adapter and public API types while preserving the extensible
index signature.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/platforms/native/adapters/NativePasswordlessClient.ts`:
- Around line 18-51: Add JSDoc comments to the public API methods in
NativePasswordlessClient: challengeWithEmail, challengeWithPhoneNumber, and
loginWithOTP. Document each method’s purpose and key parameters/return value so
the class methods conform to the public API documentation guideline without
changing their behavior.

In `@src/platforms/web/adapters/__tests__/WebPasswordlessClient.spec.ts`:
- Around line 11-27: The test cases in WebPasswordlessClient.spec.ts are calling
challengeWithEmail and challengeWithPhoneNumber without the required connection
field, which breaks strict TypeScript checks. Update the
client.challengeWithEmail and client.challengeWithPhoneNumber calls to pass a
valid connection string alongside email/phoneNumber so the test inputs match
PasswordlessChallengeEmailParameters and PasswordlessChallengePhoneParameters.
Keep the assertions unchanged; just fix the parameter objects used in these two
tests.

---

Nitpick comments:
In `@src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts`:
- Around line 479-502: Add a rejection-path test for
passwordlessChallengeWithPhoneNumber in NativeBridgeManager.spec.ts: mirror the
existing passwordlessChallengeWithEmail/passwordlessLoginWithOTP error-wrapping
coverage by making MockedAuth0NativeModule.passwordlessChallengeWithPhoneNumber
reject and asserting bridge.passwordlessChallengeWithPhoneNumber throws an
AuthError. Keep the current success-path parameter-forwarding test, and ensure
the new test verifies the native error is wrapped rather than returned directly.

In `@src/platforms/native/bridge/INativeBridge.ts`:
- Around line 293-313: Both passwordless challenge methods in INativeBridge
currently return an inline { authSession: string } shape instead of the shared
PasswordlessChallenge type. Update passwordlessChallengeWithEmail and
passwordlessChallengeWithPhoneNumber to return PasswordlessChallenge from
src/types/common.ts so the bridge stays aligned with the adapter and public API
types while preserving the extensible index signature.

In `@src/types/common.ts`:
- Around line 46-51: Replace the `PasswordlessChallenge` index signature’s `any`
with `unknown` so extra server-returned properties remain extensible without
disabling type safety. Update the `[key: string]: any` member in
`PasswordlessChallenge` to use `unknown`, and keep `authSession` unchanged so
callers can still narrow specific optional keys when needed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 11863ecc-04de-4321-bf49-5acc8679fc6c

📥 Commits

Reviewing files that changed from the base of the PR and between 1a6df06 and 25a5ec4.

⛔ Files ignored due to path filters (1)
  • example/ios/Podfile.lock is excluded by !**/*.lock
📒 Files selected for processing (27)
  • A0Auth0.podspec
  • EXAMPLES.md
  • android/build.gradle
  • android/src/main/java/com/auth0/react/A0Auth0Module.kt
  • android/src/main/java/com/auth0/react/Passwordless.kt
  • example/src/screens/class-based/ClassLogin.tsx
  • example/src/screens/hooks/Home.tsx
  • ios/A0Auth0.mm
  • ios/Passwordless.swift
  • src/Auth0.ts
  • src/core/interfaces/IAuth0Client.ts
  • src/core/interfaces/IPasswordlessClient.ts
  • src/core/interfaces/index.ts
  • src/hooks/Auth0Context.ts
  • src/hooks/Auth0Provider.tsx
  • src/platforms/native/adapters/NativeAuth0Client.ts
  • src/platforms/native/adapters/NativePasswordlessClient.ts
  • src/platforms/native/adapters/__tests__/NativePasswordlessClient.spec.ts
  • src/platforms/native/bridge/INativeBridge.ts
  • src/platforms/native/bridge/NativeBridgeManager.ts
  • src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts
  • src/platforms/web/adapters/WebAuth0Client.ts
  • src/platforms/web/adapters/WebPasswordlessClient.ts
  • src/platforms/web/adapters/__tests__/WebPasswordlessClient.spec.ts
  • src/specs/NativeA0Auth0.ts
  • src/types/common.ts
  • src/types/parameters.ts

Comment thread src/platforms/native/adapters/NativePasswordlessClient.ts
Comment thread src/platforms/web/adapters/__tests__/WebPasswordlessClient.spec.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant