Skip to content

feat: add passwordless OTP on database connections#886

Merged
utkrishtsahu merged 4 commits into
mainfrom
feat/passwordless-otp-database-connections
Jul 3, 2026
Merged

feat: add passwordless OTP on database connections#886
utkrishtsahu merged 4 commits into
mainfrom
feat/passwordless-otp-database-connections

Conversation

@utkrishtsahu

@utkrishtsahu utkrishtsahu commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

📋 Changes

📋 Changes

Adds support for the embedded Passwordless OTP flow on Auth0 database connections (connections configured with email_otp/phone_otp). Unlike the existing passwordless methods on auth0.api — which target dedicated email/sms strategy connections — this is a challenge/response flow against standard auth0-strategy database connections, exposed through a new dedicated auth0.passwordless client.

New public API (auth0.passwordless)

  • challengeWithEmail({ email, connection, allowSignup = false })PasswordlessChallenge
  • challengeWithPhoneNumber({ phoneNumber, connection, deliveryMethod = DeliveryMethod.text, allowSignup = false })PasswordlessChallenge
  • loginWithOtp({ authSession, otp, scopes, audience })Credentials

Usage:

final challenge = await auth0.passwordless.challengeWithEmail(
    email: 'jane.smith@example.com', connection: 'my-database-connection');

final credentials = await auth0.passwordless.loginWithOtp(
    authSession: challenge.authSession, otp: '123456');

Types added

  • PasswordlessChallenge model (holds the opaque authSession)
  • DeliveryMethod enum (text / voice)
  • Options: AuthPasswordlessChallengeEmailOptions, AuthPasswordlessChallengePhoneOptions, AuthPasswordlessLoginWithOtpOptions
  • New abstract methods on Auth0FlutterAuthPlatform and their method-channel implementations (auth#passwordlessChallengeWithEmail, auth#passwordlessChallengeWithPhoneNumber, auth#passwordlessLoginWithOtp)

Types added

  • PasswordlessChallenge model (holds the opaque authSession)
  • DeliveryMethod enum (text / voice)
  • Options: AuthPasswordlessChallengeEmailOptions, AuthPasswordlessChallengePhoneOptions, AuthPasswordlessLoginWithOtpOptions
  • New abstract methods on Auth0FlutterAuthPlatform and their method-channel implementations (auth#passwordlessChallengeWithEmail, auth#passwordlessChallengeWithPhoneNumber, auth#passwordlessLoginWithOtp)

Native layer

Android: bumped com.auth0.android:auth0 3.19.0 → 3.20.0; added three request handlers backed by passwordlessClient().challengeWithEmail / challengeWithPhoneNumber / loginWithOTP, registered in the plugin.
iOS / macOS: bumped Auth0 2.21.2 → 2.23.0; added three method handlers backed by passwordlessChallenge(...) and login(otp:challenge:audience:scope:). Handlers live in darwin/Classes with ios/macos symlinks per the repo convention.

Behavior notes

  • The challenge always succeeds for a valid request regardless of whether the user exists (user-enumeration prevention); a new user is signed up only when allowSignup: true is passed.
  • authSession is treated as opaque and only passed through — never parsed, logged, or persisted.
  • If the user has MFA configured, loginWithOtp fails with the existing ApiException where isMultifactorRequired is true (no new error type); callers continue via auth0.api.multifactorChallenge / auth0.api.loginWithOtp.
  • DPoP-bound tokens are honored from the token exchange when the Auth0 instance is constructed with useDPoP: true.

📎 References

🎯 Testing

Automated

Platform interface — auth0_flutter_platform_interface/test/method_channel_auth0_flutter_auth_test.dart: added groups for passwordlessChallengeWithEmail, passwordlessChallengeWithPhoneNumber, and passwordlessLoginWithOtp verifying the correct method-channel method is invoked, all properties are marshalled correctly, defaults are applied (allowSignup: false, deliveryMethod: text), the parsed result is returned, and a PlatformException maps to an ApiException.
Public API — auth0_flutter/test/mobile/passwordless_api_test.dart: verifies each auth0.passwordless method passes options through to the platform, applies defaults, returns the platform result, and that useDPoP from the Auth0 constructor is threaded into the request.

Summary by CodeRabbit

  • New Features
    • Added passwordless OTP flows for database connections: request challenges via email/phone and sign in with OTP on mobile and macOS/iOS.
    • Exposed configuration for allowSignup, phone delivery (text/voice), scopes, audience, and useDPoP for DPoP-bound exchange.
  • Documentation
    • Updated examples with end-to-end passwordless guidance (challenge + OTP login) and DPoP notes.
  • Bug Fixes
    • Routed the new passwordless methods correctly across Flutter, Android, and Apple implementations.
  • Tests
    • Added/expanded coverage for method-channel wiring and parameter propagation.
  • Chores
    • Updated underlying Auth0 SDK versions for Android and Apple builds.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 98380fd9-4978-4378-b443-3d6a0c845fcb

📥 Commits

Reviewing files that changed from the base of the PR and between a046468 and ff37df4.

📒 Files selected for processing (1)
  • auth0_flutter/EXAMPLES.md

Walkthrough

This PR adds passwordless OTP support for database connections across the Flutter platform interface, native Android and Apple handlers, the Dart API, tests, and examples. It also threads useDPoP through the Dart passwordless flow and bumps native Auth0 SDK dependencies.

Changes

Passwordless OTP Feature

Layer / File(s) Summary
Shared contracts and platform interface
auth0_flutter_platform_interface/lib/src/auth/delivery_method.dart, .../passwordless_challenge.dart, .../auth_passwordless_challenge_email_options.dart, .../auth_passwordless_challenge_phone_options.dart, .../auth_passwordless_login_with_otp_options.dart, .../auth0_flutter_platform_interface.dart, .../auth0_flutter_auth_platform.dart, auth0_flutter_platform_interface/lib/auth0_flutter_platform_interface.dart
Adds request option types, DeliveryMethod, PasswordlessChallenge, platform methods, and exports for passwordless challenge and OTP login.
Method-channel routing and tests
auth0_flutter_platform_interface/lib/src/method_channel_auth0_flutter_auth.dart, auth0_flutter_platform_interface/test/method_channel_auth0_flutter_auth_test.dart
Implements passwordless method-channel calls and verifies argument mapping, default values, response decoding, and error handling.
Android handlers and SDK bump
auth0_flutter/android/build.gradle, .../Auth0FlutterPlugin.kt, .../PasswordlessChallengeWithEmailApiRequestHandler.kt, .../PasswordlessChallengeWithPhoneNumberApiRequestHandler.kt, .../PasswordlessLoginWithOtpApiRequestHandler.kt
Registers Android passwordless handlers, implements challenge/login flows, and updates the Android Auth0 dependency.
Apple handlers and podspec updates
auth0_flutter/darwin/Classes/AuthAPI/AuthAPIHandler.swift, .../AuthAPIPasswordlessChallengeEmailMethodHandler.swift, .../AuthAPIPasswordlessChallengePhoneNumberMethodHandler.swift, .../AuthAPIPasswordlessLoginWithOtpMethodHandler.swift, auth0_flutter/ios/auth0_flutter.podspec, auth0_flutter/darwin/auth0_flutter.podspec, auth0_flutter/macos/auth0_flutter.podspec
Adds Apple passwordless method routing and handlers, and bumps the Auth0 pod dependency.
Dart API, DPoP wiring, and example docs
auth0_flutter/lib/auth0_flutter.dart, .../lib/src/mobile/passwordless_api.dart, .../test/mobile/passwordless_api_test.dart, auth0_flutter/EXAMPLES.md
Adds the Dart Passwordless API, wires useDPoP through Auth0, validates request construction in tests, and documents the OTP flow.

Estimated code review effort: 4 (Complex) | ~60 minutes

Suggested reviewers: sanchitmehtagit

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding passwordless OTP support for database connections.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/passwordless-otp-database-connections

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
auth0_flutter_platform_interface/lib/src/auth/auth_passwordless_login_with_otp_options.dart (1)

1-24: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Ensure openid is always included in passwordless OTP scopes.

loginWithOtp() promises openid “regardless of this setting,” but this options object forwards scopes verbatim, and the native handlers only add the default scope when the set is empty. If a caller passes custom scopes without openid, the auth request can miss the ID token flow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@auth0_flutter_platform_interface/lib/src/auth/auth_passwordless_login_with_otp_options.dart`
around lines 1 - 24, The AuthPasswordlessLoginWithOtpOptions scope mapping
forwards custom scopes as-is, so openid can be omitted when callers provide
non-empty scopes. Update AuthPasswordlessLoginWithOtpOptions.toMap() to always
include openid in the scopes list before sending it to native handlers, while
preserving any additional scopes and leaving loginWithOtp() behavior consistent
with its promise.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@auth0_flutter_platform_interface/test/method_channel_auth0_flutter_auth_test.dart`:
- Around line 1826-1900: Add a missing test in the passwordlessLoginWithOtp
group to verify default omission behavior for optional fields. Use
MethodChannelAuth0FlutterAuth.passwordlessLoginWithOtp with only required
inputs, then assert the captured MethodCall arguments omit audience and send
scopes as empty/default, matching the existing patterns in the login, renew, and
customTokenExchange tests. This will cover the native contract for absent
optional values without changing the implementation.
- Around line 1658-1730: Add a missing test in the
passwordlessChallengeWithEmail group to explicitly verify the default value of
allowSignup when it is omitted, matching the coverage already present in
passwordlessChallengeWithPhoneNumber. In
MethodChannelAuth0FlutterAuth.passwordlessChallengeWithEmail, construct an
AuthPasswordlessChallengeEmailOptions without allowSignup, invoke the method,
and assert the captured MethodCall arguments include allowSignup as false. This
keeps the behavior for the new public symbol pinned down and consistent with the
sibling challenge tests.

In
`@auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessChallengeWithEmailApiRequestHandler.kt`:
- Around line 26-27: The
`PasswordlessChallengeWithEmailApiRequestHandler.handle` path is using unsafe
force casts for `args["email"]` and `args["connection"]`, which can crash on
malformed MethodChannel input. Replace these casts with safe type handling in
this handler, and explicitly validate/null-check the values before proceeding so
invalid args return a clean Flutter error instead of throwing
`ClassCastException`.

In
`@auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessChallengeWithPhoneNumberApiRequestHandler.kt`:
- Around line 28-29: The PasswordlessChallengeWithPhoneNumberApiRequestHandler
request parsing still uses unchecked force-casts for args["phoneNumber"] and
args["connection"], which can crash on malformed input; update the handler to
use safe casts and explicit null/failure handling, matching the pattern used in
the email handler, so invalid arguments return a Flutter error instead of
throwing. Focus on the argument extraction in
PasswordlessChallengeWithPhoneNumberApiRequestHandler and ensure both
phoneNumber and connection are validated before proceeding.

In
`@auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessLoginWithOtpApiRequestHandler.kt`:
- Around line 25-28: The PasswordlessLoginWithOtpApiRequestHandler handler is
force-casting `authSession` and `otp` to String after only checking presence
with `assertHasProperties`, which can crash the MethodChannel on bad input.
Update the request parsing in `PasswordlessLoginWithOtpApiRequestHandler` to use
safe casts for both values, validate that each is a non-null String, and return
a clean `result.error` when either value is missing or of the wrong type instead
of throwing.

In
`@auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift`:
- Around line 27-33: The `PasswordlessChallenge` reconstruction in
`AuthAPIPasswordlessLoginWithOtpMethodHandler` should not rely on a JSON
round-trip through the internal `auth_session` coding key. Update the decoding
fallback to avoid depending on `JSONSerialization`/`JSONDecoder` for this type,
using a safer reconstruction path tied to `authSession` if available. If
reconstruction still fails, return a dedicated `FlutterError` for challenge
reconstruction instead of `Argument.authSession` missing, so the failure clearly
matches the `callback` path here.

In `@auth0_flutter/EXAMPLES.md`:
- Line 1326: The `loginWithOtp` note in `EXAMPLES.md` points to a broken
`#api-client-errors` fragment, so update the markdown link to the existing API
error-handling heading slug in this document. Find the matching heading near the
`ApiException`/error section and change the anchor in the MFA paragraph so the
`loginWithOtp` reference resolves correctly.

---

Outside diff comments:
In
`@auth0_flutter_platform_interface/lib/src/auth/auth_passwordless_login_with_otp_options.dart`:
- Around line 1-24: The AuthPasswordlessLoginWithOtpOptions scope mapping
forwards custom scopes as-is, so openid can be omitted when callers provide
non-empty scopes. Update AuthPasswordlessLoginWithOtpOptions.toMap() to always
include openid in the scopes list before sending it to native handlers, while
preserving any additional scopes and leaving loginWithOtp() behavior consistent
with its promise.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 595daa70-6cde-4d38-aaa1-d196471b9c8a

📥 Commits

Reviewing files that changed from the base of the PR and between 6ff0a3b and d69b7b8.

⛔ Files ignored due to path filters (7)
  • auth0_flutter/ios/Classes/AuthAPI/AuthAPIPasswordlessChallengeEmailMethodHandler.swift is excluded by !auth0_flutter/ios/Classes/**
  • auth0_flutter/ios/Classes/AuthAPI/AuthAPIPasswordlessChallengePhoneNumberMethodHandler.swift is excluded by !auth0_flutter/ios/Classes/**
  • auth0_flutter/ios/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift is excluded by !auth0_flutter/ios/Classes/**
  • auth0_flutter/macos/Classes/AuthAPI/AuthAPIPasswordlessChallengeEmailMethodHandler.swift is excluded by !auth0_flutter/macos/Classes/**
  • auth0_flutter/macos/Classes/AuthAPI/AuthAPIPasswordlessChallengePhoneNumberMethodHandler.swift is excluded by !auth0_flutter/macos/Classes/**
  • auth0_flutter/macos/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift is excluded by !auth0_flutter/macos/Classes/**
  • auth0_flutter/test/mobile/passwordless_api_test.mocks.dart is excluded by !**/*.mocks.dart
📒 Files selected for processing (23)
  • auth0_flutter/EXAMPLES.md
  • auth0_flutter/android/build.gradle
  • auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/Auth0FlutterPlugin.kt
  • auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessChallengeWithEmailApiRequestHandler.kt
  • auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessChallengeWithPhoneNumberApiRequestHandler.kt
  • auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessLoginWithOtpApiRequestHandler.kt
  • auth0_flutter/darwin/Classes/AuthAPI/AuthAPIHandler.swift
  • auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessChallengeEmailMethodHandler.swift
  • auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessChallengePhoneNumberMethodHandler.swift
  • auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift
  • auth0_flutter/ios/auth0_flutter.podspec
  • auth0_flutter/lib/auth0_flutter.dart
  • auth0_flutter/lib/src/mobile/passwordless_api.dart
  • auth0_flutter/test/mobile/passwordless_api_test.dart
  • auth0_flutter_platform_interface/lib/auth0_flutter_platform_interface.dart
  • auth0_flutter_platform_interface/lib/src/auth/auth_passwordless_challenge_email_options.dart
  • auth0_flutter_platform_interface/lib/src/auth/auth_passwordless_challenge_phone_options.dart
  • auth0_flutter_platform_interface/lib/src/auth/auth_passwordless_login_with_otp_options.dart
  • auth0_flutter_platform_interface/lib/src/auth/delivery_method.dart
  • auth0_flutter_platform_interface/lib/src/auth/passwordless_challenge.dart
  • auth0_flutter_platform_interface/lib/src/auth0_flutter_auth_platform.dart
  • auth0_flutter_platform_interface/lib/src/method_channel_auth0_flutter_auth.dart
  • auth0_flutter_platform_interface/test/method_channel_auth0_flutter_auth_test.dart

Comment on lines +27 to +33
// `PasswordlessChallenge` has no public initializer, but it is `Codable`
// with `authSession` mapped to the `auth_session` JSON key. Reconstruct
// it by decoding the opaque session token.
guard let challengeData = try? JSONSerialization.data(withJSONObject: ["auth_session": authSession]),
let challenge = try? JSONDecoder().decode(PasswordlessChallenge.self, from: challengeData) else {
return callback(FlutterError(from: .requiredArgumentMissing(Argument.authSession.rawValue)))
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

Does Auth0.swift 2.23.0 provide a public way to construct PasswordlessChallenge from an authSession string?

💡 Result:

No, Auth0.swift 2.23.0 does not provide a public way to construct a PasswordlessChallenge from an authSession string. In the Auth0.swift SDK, passwordless authentication is handled by the Authentication client using methods such as startPasswordless(email:type:connection:) and login(email:code:...), which manage the flow internally without requiring manual construction of challenge objects from session strings [1][2][3]. The confusion may arise from other passwordless-related SDKs (such as the Bitwarden-maintained 'Passwordless' library) which use different terminology and internal structures [4][5], or from misunderstanding the Auth0 passkey implementation, which handles challenge data internally when using the SDK's native passkey login methods [6]. If you are working with Auth0 passkeys, the SDK automatically manages the challenge and WebAuthn responses when you use the provided passkey login overloads [6].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files | rg 'auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift|PasswordlessChallenge|Auth0\.swift|Podfile|Podfile.lock|Package\.resolved|pubspec\.yaml'

printf '\n--- file outline ---\n'
ast-grep outline auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift --view expanded || true

printf '\n--- relevant search ---\n'
rg -n "PasswordlessChallenge|auth_session|requiredArgumentMissing\\(Argument\\.authSession" auth0_flutter/darwin -S

Repository: auth0/auth0-flutter

Length of output: 4393


Avoid the JSON round-trip for PasswordlessChallenge. Auth0.swift 2.23.0 still doesn’t expose a public initializer from authSession, so this depends on the internal auth_session coding key and can break on SDK updates. If decoding fails, return a reconstruction-specific FlutterError; .requiredArgumentMissing(authSession) points to the wrong failure.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift`
around lines 27 - 33, The `PasswordlessChallenge` reconstruction in
`AuthAPIPasswordlessLoginWithOtpMethodHandler` should not rely on a JSON
round-trip through the internal `auth_session` coding key. Update the decoding
fallback to avoid depending on `JSONSerialization`/`JSONDecoder` for this type,
using a safer reconstruction path tied to `authSession` if available. If
reconstruction still fails, return a dedicated `FlutterError` for challenge
reconstruction instead of `Argument.authSession` missing, so the failure clearly
matches the `callback` path here.

Comment thread auth0_flutter/EXAMPLES.md Outdated
.challengeWithEmail(email, connection, allowSignup)
.start(object : Callback<PasswordlessChallenge, AuthenticationException> {
override fun onFailure(exception: AuthenticationException) {
result.error(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to handle the no_network scenario in the error cases ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Network errors are already surfaced through the existing failure path: the native SDKs raise them as AuthenticationException/AuthenticationError, which flow into the onFailure/.failure branch and reach Dart as an ApiException (with isNetworkError/retryable metadata intact). No special-casing needed here — it's handled the same way as every other API call in the SDK.

Comment thread auth0_flutter/EXAMPLES.md
> Sending additional parameters is supported only on iOS at the moment.

### Passwordless OTP on database connections

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a note mentioning this is currently in EA

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@auth0_flutter/darwin/auth0_flutter.podspec`:
- Line 22: The Auth0 dependency pin in auth0_flutter.podspec references an
unavailable pod version, so update the s.dependency entry for Auth0 to a
published stable 2.x release. Use the existing podspec dependency declaration as
the fix point and change the version from the current pin to a version that is
actually available, such as 2.22.0, so pod install and CI can resolve it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ddb71fae-d7ea-43cf-8d1e-11e2b77c2f1b

📥 Commits

Reviewing files that changed from the base of the PR and between d69b7b8 and a046468.

📒 Files selected for processing (9)
  • auth0_flutter/EXAMPLES.md
  • auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessChallengeWithEmailApiRequestHandler.kt
  • auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessChallengeWithPhoneNumberApiRequestHandler.kt
  • auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/PasswordlessLoginWithOtpApiRequestHandler.kt
  • auth0_flutter/darwin/Classes/AuthAPI/AuthAPIPasswordlessLoginWithOtpMethodHandler.swift
  • auth0_flutter/darwin/auth0_flutter.podspec
  • auth0_flutter/lib/src/mobile/passwordless_api.dart
  • auth0_flutter/macos/auth0_flutter.podspec
  • auth0_flutter_platform_interface/test/method_channel_auth0_flutter_auth_test.dart

s.osx.dependency 'FlutterMacOS'

s.dependency 'Auth0', '2.21.2'
s.dependency 'Auth0', '2.23.0'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Is Auth0.swift version 2.23.0 published on CocoaPods or GitHub releases?

💡 Result:

Auth0.swift version 2.23.0 has not been published on either CocoaPods or GitHub Releases. As of July 3, 2026, the available release history for the repository shows that version 2.22.0 is the latest stable release in the 2.x line, followed by pre-release versions such as 3.0.0-beta.1 and 3.0.0-beta.2 [1][2][3]. The repository's changelog and release history skip version 2.23.0 [1][4].

Citations:


Pin a published Auth0 pod version

Auth0 2.23.0 doesn’t appear to be published; the latest stable 2.x release is 2.22.0. This pin will break pod install/CI until it’s changed to an available version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@auth0_flutter/darwin/auth0_flutter.podspec` at line 22, The Auth0 dependency
pin in auth0_flutter.podspec references an unavailable pod version, so update
the s.dependency entry for Auth0 to a published stable 2.x release. Use the
existing podspec dependency declaration as the fix point and change the version
from the current pin to a version that is actually available, such as 2.22.0, so
pod install and CI can resolve it.

@utkrishtsahu utkrishtsahu merged commit 0965813 into main Jul 3, 2026
16 checks passed
@utkrishtsahu utkrishtsahu deleted the feat/passwordless-otp-database-connections branch July 3, 2026 11:36
@utkrishtsahu utkrishtsahu mentioned this pull request Jul 3, 2026
@utkrishtsahu utkrishtsahu mentioned this pull request Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants