@W-20224082 - [Webauthn] Create passkey in browser and register in SLAS

[yunakim714]

Description

Submitting the OTP should prompt the shopper to create a passkey on the browser, which is then registered in SLAS.

Types of Changes

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Documentation update
• Breaking change (could cause existing functionality to not work as expected)
• Other changes (non-breaking changes that does not fit any of the above)

Breaking changes include:

• Removing a public function or component or prop
• Adding a required argument to a function
• Changing the data type of a function parameter or return value
• Adding a new peer dependency to package.json

Changes

• Once shopper inputs the OTP, they are prompted to create a passkey on the browser
  • Submitting the OTP sends a POST to the /webauthn/register/start endpoint
  • navigator.credentials.create() is then called with the response data from the start endpoint
  • The response from the navigator is then used to send a POST to the /webauthn/register/finish endpoint to save the passkey

How to Test-Drive This PR

• Go to https://wasatch-mrt-yuna.mrt-storefront-staging.com/
• Log in to your account
• Click Create Passkey on the passkey toast
• Input the passkey nickname, click Register Passkey, then go to https://webhook.site/#!/view/61bf506d-d9c8-4a48-84c4-b3458d6d54ac/7edbc702-b0b2-48df-abe0-f50ec08741f1/1 and input the token into the OTP modal
• Create your passkey
• Verify you see a successful POST to the webauthn/register/finish endpoint and all modals are closed

To run unit tests:

• Run npm run test app/components/passkey-registration-modal

Checklists

General

• Changes are covered by test cases
• CHANGELOG.md updated with a short description of changes (not required for documentation updates)

Accessibility Compliance

You must check off all items in one of the follow two lists:

• There are no changes to UI

or...

• Changes were tested with a Screen Reader (iOS VoiceOver or Android Talkback) and had no issues
• Changes comply with WCAG 2.0 guidelines levels A and AA
• Changes to common UI patterns and interactions comply with WAI-ARIA best practices

Localization

• Changes include a UI text update in the Retail React App (which requires translation)

[cc-prodsec]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[yunakim714]

Should clear the OTP input when shopper clicks Resend Code

[hajinsuha1]

should we always return the localized error message and never the api error mesage? or map error messages from the API to a localized message similar to what we did here: https://salesforce.quip.com/97bPANYv5D2U

[hajinsuha1]

Thinking through this again, we will definitely need a localized error for some errors like when the /webauthn/register/authorize returns "Too many webauthn user authorization requests were made. Please try again later.".

How about we keep the error handling generic and create a separate story for error handling for registration and login to make sure we handle all the cases.

[yunakim714]

Sounds good - Created the ticket https://gus.lightning.force.com/lightning/r/ADM_Work__c/a07EE00002TfC8TYAV/view

[hajinsuha1]

should we include a comment on when each of these errors are thrown?
e.g., AbortError implies the action was stopped, NotAllowedError implies a lack of permission or authorization.

[yunakim714]

This will be addressed in the error handling ticket - will note in the description of the new work item!