Add WebAuthn / passkey client + Auth0 / Firebase passkey helpers#5039
Merged
Conversation
Extends the OidcClient identity stack (#5018) with a portable WebAuthn client. Most CN1 apps that sign users in via OidcClient already get passkeys for free (the IdP handles the ceremony, OIDC just delivers the tokens) -- this lands the surface for apps that talk to their own relying-party backend, or that want to drive Auth0 / Firebase passkeys directly. * New com.codename1.io.webauthn package: WebAuthnClient (create/get with the W3C JSON wire format), WebAuthnNative SPI, PublicKeyCredentialCreationOptions / RequestOptions / response wrapper with verbatim toJson() round-trip, WebAuthnException with W3C-named codes (NotAllowedError, InvalidStateError, SecurityError, etc.). * iOS port: ASAuthorizationPlatformPublicKeyCredentialProvider impl (iOS 16+) in Ports/iOSPort/nativeSources/CN1WebAuthn.m. Gated behind the existing CN1_INCLUDE_WEBAUTHN define so apps that never use passkeys ship without the symbols. AuthenticationServices.framework was already auto-linked by the OIDC scanner branch; IPhoneBuilder now also flips the CN1_INCLUDE_WEBAUTHN define when the classpath scanner sees com.codename1.io.webauthn.* references. * Android port: androidx.credentials.CredentialManager impl via reflection (so the port itself doesn't need androidx.credentials on its compile classpath). AndroidGradleBuilder auto-injects androidx.credentials:credentials + credentials-play-services-auth when the app references the WebAuthn classes; versions can be overridden via android.credentialsVersion build hint. * Provider passkey helpers: Auth0Connect.signInWithPasskey / registerPasskey (Auth0 WebAuthn grant_type), FirebaseAuth. signInWithPasskey / registerPasskey (Identity Platform v2 passkey REST endpoints). Both drive WebAuthnClient under the hood and return tokens through the existing OidcTokens / FirebaseUser model. * Tests: 14 new WebAuthnCoreTest assertions (options parsing, response parsing, builder round-trip, exception code mapping, async dispatch with a stub provider). Async tests use a CountDownLatch wired through .ready/.except instead of AsyncResource.get(timeout) to avoid the missed-notify race in the observer/wait path when the worker thread races against the registration. * Docs: new "Passkeys / WebAuthn" section in the Authentication and Identity chapter covering when to use the API, platform requirements (Associated Domains on iOS 16+, Digital Asset Links on Android API 28+), the Auth0 and Firebase passkey recipes, and the W3C error-code mapping. * CI: extended .github/workflows/identity-stack.yml path filters, unit-test list, Android bundle verification, and clang -fsyntax-only step to cover the new WebAuthn sources. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
|
Developer Guide build artifacts are available for download from this workflow run:
Developer Guide quality checks: |
Collaborator
Author
|
Compared 20 screenshots: 20 matched. |
Contributor
Cloudflare Preview
|
The WebAuthn stack ships in the same 7.0.245 release as the OidcClient identity stack (#5018); the original 7.0.246 tag was off by one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
Compared 110 screenshots: 110 matched. Native Android coverage
✅ Native Android screenshot tests passed. Native Android coverage
Benchmark ResultsDetailed Performance Metrics
|
Collaborator
Author
|
Compared 110 screenshots: 110 matched. Benchmark Results
Build and Run Timing
Detailed Performance Metrics
|
Collaborator
Author
|
Compared 110 screenshots: 110 matched. Benchmark Results
Build and Run Timing
Detailed Performance Metrics
|
The first CI run on PR #5039 turned up three categorized issues, all contained to the new WebAuthn / passkey surface. * SpotBugs SIC_INNER_SHOULD_BE_STATIC_ANON (5×) in FirebaseAuth's passkey helpers. The flagged anonymous SuccessCallback / ConnectionRequest bodies only referenced captured locals plus static utilities, so SpotBugs flagged them as candidates for promotion to named static nested classes. Refactored each body into a private instance method (`onPasskeyEnrollmentStart`, `onPasskeySignInStart`, `completeFromMap`, `handlePostJsonRawResponse`) that the callback delegates to. This matches the existing FirebaseAuth#enqueue pattern, which also uses an anonymous ConnectionRequest body that pins the enclosing instance via a `persist(u)` call. Added an `ErrorForwarder` named static class for the repeated `.except(throwable -> out.error(throwable))` boilerplate so the call sites stay readable. * Vale (8×) in the new Passkeys / WebAuthn section. Replaced the "for free" cliche; de-hyphenated "auto-linked" / "auto-injected" per Microsoft.Auto style; switched four "does not" / "could not" to contractions. * LanguageTool (11×). Added `IdP`, `webauthn`, `[Pp]asskey(s)?` to the developer-guide accept list (technical terminology). Replaced the seven `->` HTML-entity arrows in the Auth0 / Firebase console navigation paths with the Unicode `→` (`→`) the rule suggests. Fixed the British "enrol" / "enrols" spellings to the American "enroll" / "enrolls" the dictionary prefers. 44/44 identity-stack tests still pass and `vale` reports zero issues on the chapter locally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Second CI pass on PR #5039 turned up PMD warnings that the project treats as build-breaking: * MissingOverride on the two `run()` methods in WebAuthnClient's CreateRunnable / GetRunnable named static classes -- both implement Runnable.run() and were missing the annotation. * ControlStatementBraces (7×) on single-line `if (cond) stmt;` shapes in the JSON-building helpers I added to Auth0Connect (separator emission in joinScopes, mapToJson, mapToFlatJson, appendValue) and FirebaseAuth (serialiseMap, appendValue). Expanded each to the braced form. All 44 identity-stack tests still pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
✅ Continuous Quality ReportTest & Coverage
Static Analysis
Generated automatically by the PR CI workflow. |
shai-almog
added a commit
that referenced
this pull request
May 25, 2026
Combine the two non-overlapping accept-list blocks (router & JS port identifiers from this PR, WebAuthn / passkey terms from master's #5039) into one section.
This was referenced May 29, 2026
shai-almog
added a commit
that referenced
this pull request
May 29, 2026
Consolidated follow-up to the May 29 weekly index. Covers the four surfaces that moved from "you need a cn1lib for this" to "it is in the framework" this release: - Connectivity (PR #5021): com.codename1.io.{wifi,bonjour,usb} + NetworkManager.addNetworkTypeListener with the per-platform implementations and the three new CN1_INCLUDE_* defines that keep unused entitlements out of Apple's API-usage scan. - Identity (PRs #5018, #5039): OIDC client backed by ASWebAuthenticationSession / Custom Tabs with PKCE; Sign in with Apple in core; refreshed Google/Facebook/Microsoft/Auth0/Firebase wrappers; WebAuthn / passkey client in W3C JSON wire format with iOS 16 and Android API 28 native bindings; Auth0/Firebase passkey helpers; legacy Oauth2 deprecated. - Sharing (PR #5036): ShareResult callbacks (SHARED_TO/DISMISSED/FAILED) on iOS and Android via UIActivityViewController.completionWithItemsHandler and Intent.createChooser with IntentSender; IOSShareExtensionBuilder in the Maven plugin generates a complete .ios.appext bundle. - AI (PRs #5035, #5057): com.codename1.ai with LlmClient for OpenAI/Anthropic/Gemini/Ollama, streaming SSE, ChatView, SpeechRecognizer/TextToSpeech, SecureStorage non-prompting overloads, simulator Ollama redirect, AiDependencyTable build-time injection, and the cn1-ai-mlkit-{barcode,docscan,face} cn1libs. Closes with the structural element common to all four (scanner-driven gating that mirrors the NFC/biometrics pattern from two weeks ago).
shai-almog
added a commit
that referenced
this pull request
May 29, 2026
Consolidated follow-up to the May 29 weekly index. Covers the four surfaces that moved from "you need a cn1lib for this" to "it is in the framework" this release: - Connectivity (PR #5021): com.codename1.io.{wifi,bonjour,usb} + NetworkManager.addNetworkTypeListener with the per-platform implementations and the three new CN1_INCLUDE_* defines that keep unused entitlements out of Apple's API-usage scan. - Identity (PRs #5018, #5039): OIDC client backed by ASWebAuthenticationSession / Custom Tabs with PKCE; Sign in with Apple in core; refreshed Google/Facebook/Microsoft/Auth0/Firebase wrappers; WebAuthn / passkey client in W3C JSON wire format with iOS 16 and Android API 28 native bindings; Auth0/Firebase passkey helpers; legacy Oauth2 deprecated. - Sharing (PR #5036): ShareResult callbacks (SHARED_TO/DISMISSED/FAILED) on iOS and Android via UIActivityViewController.completionWithItemsHandler and Intent.createChooser with IntentSender; IOSShareExtensionBuilder in the Maven plugin generates a complete .ios.appext bundle. - AI (PRs #5035, #5057): com.codename1.ai with LlmClient for OpenAI/Anthropic/Gemini/Ollama, streaming SSE, ChatView, SpeechRecognizer/TextToSpeech, SecureStorage non-prompting overloads, simulator Ollama redirect, AiDependencyTable build-time injection, and the cn1-ai-mlkit-{barcode,docscan,face} cn1libs. Closes with the structural element common to all four (scanner-driven gating that mirrors the NFC/biometrics pattern from two weeks ago).
shai-almog
added a commit
that referenced
this pull request
May 29, 2026
Consolidated follow-up to the May 29 weekly index. Covers the four surfaces that moved from "you need a cn1lib for this" to "it is in the framework" this release: - Connectivity (PR #5021): com.codename1.io.{wifi,bonjour,usb} + NetworkManager.addNetworkTypeListener with the per-platform implementations and the three new CN1_INCLUDE_* defines that keep unused entitlements out of Apple's API-usage scan. - Identity (PRs #5018, #5039): OIDC client backed by ASWebAuthenticationSession / Custom Tabs with PKCE; Sign in with Apple in core; refreshed Google/Facebook/Microsoft/Auth0/Firebase wrappers; WebAuthn / passkey client in W3C JSON wire format with iOS 16 and Android API 28 native bindings; Auth0/Firebase passkey helpers; legacy Oauth2 deprecated. - Sharing (PR #5036): ShareResult callbacks (SHARED_TO/DISMISSED/FAILED) on iOS and Android via UIActivityViewController.completionWithItemsHandler and Intent.createChooser with IntentSender; IOSShareExtensionBuilder in the Maven plugin generates a complete .ios.appext bundle. - AI (PRs #5035, #5057): com.codename1.ai with LlmClient for OpenAI/Anthropic/Gemini/Ollama, streaming SSE, ChatView, SpeechRecognizer/TextToSpeech, SecureStorage non-prompting overloads, simulator Ollama redirect, AiDependencyTable build-time injection, and the cn1-ai-mlkit-{barcode,docscan,face} cn1libs. Closes with the structural element common to all four (scanner-driven gating that mirrors the NFC/biometrics pattern from two weeks ago).
shai-almog
added a commit
that referenced
this pull request
May 29, 2026
Consolidated follow-up to the May 29 weekly index. Covers the four surfaces that moved from "you need a cn1lib for this" to "it is in the framework" this release: - Connectivity (PR #5021): com.codename1.io.{wifi,bonjour,usb} + NetworkManager.addNetworkTypeListener with the per-platform implementations and the three new CN1_INCLUDE_* defines that keep unused entitlements out of Apple's API-usage scan. - Identity (PRs #5018, #5039): OIDC client backed by ASWebAuthenticationSession / Custom Tabs with PKCE; Sign in with Apple in core; refreshed Google/Facebook/Microsoft/Auth0/Firebase wrappers; WebAuthn / passkey client in W3C JSON wire format with iOS 16 and Android API 28 native bindings; Auth0/Firebase passkey helpers; legacy Oauth2 deprecated. - Sharing (PR #5036): ShareResult callbacks (SHARED_TO/DISMISSED/FAILED) on iOS and Android via UIActivityViewController.completionWithItemsHandler and Intent.createChooser with IntentSender; IOSShareExtensionBuilder in the Maven plugin generates a complete .ios.appext bundle. - AI (PRs #5035, #5057): com.codename1.ai with LlmClient for OpenAI/Anthropic/Gemini/Ollama, streaming SSE, ChatView, SpeechRecognizer/TextToSpeech, SecureStorage non-prompting overloads, simulator Ollama redirect, AiDependencyTable build-time injection, and the cn1-ai-mlkit-{barcode,docscan,face} cn1libs. Closes with the structural element common to all four (scanner-driven gating that mirrors the NFC/biometrics pattern from two weeks ago).
shai-almog
added a commit
that referenced
this pull request
May 30, 2026
Consolidated follow-up to the May 29 weekly index. Covers the four surfaces that moved from "you need a cn1lib for this" to "it is in the framework" this release: - Connectivity (PR #5021): com.codename1.io.{wifi,bonjour,usb} + NetworkManager.addNetworkTypeListener with the per-platform implementations and the three new CN1_INCLUDE_* defines that keep unused entitlements out of Apple's API-usage scan. - Identity (PRs #5018, #5039): OIDC client backed by ASWebAuthenticationSession / Custom Tabs with PKCE; Sign in with Apple in core; refreshed Google/Facebook/Microsoft/Auth0/Firebase wrappers; WebAuthn / passkey client in W3C JSON wire format with iOS 16 and Android API 28 native bindings; Auth0/Firebase passkey helpers; legacy Oauth2 deprecated. - Sharing (PR #5036): ShareResult callbacks (SHARED_TO/DISMISSED/FAILED) on iOS and Android via UIActivityViewController.completionWithItemsHandler and Intent.createChooser with IntentSender; IOSShareExtensionBuilder in the Maven plugin generates a complete .ios.appext bundle. - AI (PRs #5035, #5057): com.codename1.ai with LlmClient for OpenAI/Anthropic/Gemini/Ollama, streaming SSE, ChatView, SpeechRecognizer/TextToSpeech, SecureStorage non-prompting overloads, simulator Ollama redirect, AiDependencyTable build-time injection, and the cn1-ai-mlkit-{barcode,docscan,face} cn1libs. Closes with the structural element common to all four (scanner-driven gating that mirrors the NFC/biometrics pattern from two weeks ago).
shai-almog
added a commit
that referenced
this pull request
May 31, 2026
…AI) (#5087) * Blog: platform APIs in the core (connectivity + identity + sharing + AI) Consolidated follow-up to the May 29 weekly index. Covers the four surfaces that moved from "you need a cn1lib for this" to "it is in the framework" this release: - Connectivity (PR #5021): com.codename1.io.{wifi,bonjour,usb} + NetworkManager.addNetworkTypeListener with the per-platform implementations and the three new CN1_INCLUDE_* defines that keep unused entitlements out of Apple's API-usage scan. - Identity (PRs #5018, #5039): OIDC client backed by ASWebAuthenticationSession / Custom Tabs with PKCE; Sign in with Apple in core; refreshed Google/Facebook/Microsoft/Auth0/Firebase wrappers; WebAuthn / passkey client in W3C JSON wire format with iOS 16 and Android API 28 native bindings; Auth0/Firebase passkey helpers; legacy Oauth2 deprecated. - Sharing (PR #5036): ShareResult callbacks (SHARED_TO/DISMISSED/FAILED) on iOS and Android via UIActivityViewController.completionWithItemsHandler and Intent.createChooser with IntentSender; IOSShareExtensionBuilder in the Maven plugin generates a complete .ios.appext bundle. - AI (PRs #5035, #5057): com.codename1.ai with LlmClient for OpenAI/Anthropic/Gemini/Ollama, streaming SSE, ChatView, SpeechRecognizer/TextToSpeech, SecureStorage non-prompting overloads, simulator Ollama redirect, AiDependencyTable build-time injection, and the cn1-ai-mlkit-{barcode,docscan,face} cn1libs. Closes with the structural element common to all four (scanner-driven gating that mirrors the NFC/biometrics pattern from two weeks ago). * Platform-APIs post: rewrite around AI + OAuth headline - Retitled "AI, OAuth, And Other Platform APIs In The Core". - Reordered sections so the two headline pieces come first: AI (with deep tutorials) and OAuth / OIDC (with provider walk- throughs and a migration). WiFi / connectivity and share-sheet callbacks land at the end. - Opener no longer runs together; the NFC / biometrics / crypto call-back is linked to the previous post explicitly. - AI section expanded with concrete examples for streaming, tool calls, embeddings, image generation, the simulator Ollama redirect, the SecureStorage non-prompting overloads, the ChatView binding, and an ASCII mockup of the ChatView surface for readers who haven't seen it. - New subsection explaining why the ML Kit AI features stay in cn1libs even though the LlmClient surface lives in core (core carries the plumbing every AI app wants; specialised verticals with large native dependencies stay opt-in; the cloud-build big- upload guard rules out the multi-gigabyte models). - OAuth section now walks through OIDC discovery, the four provider wrappers (Google, Microsoft, Auth0, Facebook), Sign in with Apple, an Oauth2-to-OidcClient migration example, and the WebAuthn / passkey client. - Dev-guide references go to the HTML version on the website. - Hero image lands at /blog/platform-apis-in-the-core.jpg. - Wrap-up has the link back to the intro and forward to the Wednesday post. Also updates the developer-workflow post (rebased on top) to add the forward link to this post in its wrap-up. * Platform-APIs post: review fixes - Opening description rewritten so it does not read as a comma list. - Dropped the "AI first, OAuth second" meta-paragraph. - Anthropic and Gemini are no longer described as "still in flight"; both are fully implemented in this release. - Replaced the SecureStorage "small thing that matters more than it sounds" framing with a proper "How to handle API keys" section that opens with the security rule (never check in, never embed, never hardcode), explains the proper shape (fetch from your backend over an authenticated request, cache to the platform keychain via SecureStorage), and gives a concrete getOpenAiKey example. - ChatView ASCII mockup replaced with a screenshot reference and a richer code example that drives the chat manually (ConversationStore + per-message lifecycle + error path). - Removed the Speech / TTS subsection entirely. The native iOS / Android bridges are still tracked follow-ups in PR #5035 and are not shipping in this release. - iOS Share Extension paragraph expanded into a real "how your app appears in other apps' share menus" section with a pom.xml configuration block, the cn1:generate-ios-share-extension Mojo invocation, and a host-side payload-read example. - AI cn1libs rewritten. The 13 cn1libs land in a feature table with a one-line "what it gives you" column each, followed by a "how to add and use them" paragraph and three short worked examples (barcode, text recognition, translation). The "why these are cn1libs and not core" answer follows the concrete list rather than appearing without context. - "What ties this together" section removed. * Platform-APIs post: real ChatView screenshot + per-cn1lib subsections - Replaced the placeholder ChatView image reference with a real screenshot pulled from the ChatViewDevGuideScreenshotTest output (scripts/ios/screenshots-metal/ChatView_light.png), cropped to remove the test-harness caption and downscaled for web payload. - Replaced the AI cn1lib quick-table and the "Why are these cn1libs" paragraph with thirteen per-cn1lib subsections (cn1-ai-mlkit-{ text, barcode, face, labeling, translate, smartreply, langid, pose, segmentation, docscan}, cn1-ai-tflite, cn1-ai-whisper, cn1-ai-stablediffusion). Each subsection covers TL;DR, per- platform native bridge, use cases, and a real working code sample using the actual facade signature (TextRecognizer. recognize / BarcodeScanner.scan / FaceDetector.detect / ... PoseDetector.detect / SelfieSegmenter.segment / ... etc). - Up front: the cn1libs aren't in the CN1 Preferences picker yet, so the manual pom.xml dependency snippet is the supported path; the shared pattern is given once with just the artifactId changing per cn1lib. - Dropped the mention of scripts/create-ai-cn1lib.sh as an implementation detail. * Platform-APIs post: shift to 2026-05-31, retime forward links Tighter daily cadence: the platform-APIs post moves from Monday 2026-06-01 to Sunday 2026-05-31, and the codegen post (PR #5088) moves from Wednesday 2026-06-03 to Monday 2026-06-01. - Front-matter date: 2026-06-01 -> 2026-05-31. - Wrap-up: "The next post is on Wednesday" -> "Tomorrow's post" with the link to /blog/build-time-codegen/. - In-text reference: "Wednesday's post" (in the embeddings paragraph that mentions the upcoming ORM) -> "tomorrow's post". - Developer-workflow post forward link (added on top of the merged base by this PR): "Monday's post" -> "Tomorrow's post" to match the new platform-APIs date.
shai-almog
added a commit
that referenced
this pull request
Jun 1, 2026
…5088) * Blog: platform APIs in the core (connectivity + identity + sharing + AI) Consolidated follow-up to the May 29 weekly index. Covers the four surfaces that moved from "you need a cn1lib for this" to "it is in the framework" this release: - Connectivity (PR #5021): com.codename1.io.{wifi,bonjour,usb} + NetworkManager.addNetworkTypeListener with the per-platform implementations and the three new CN1_INCLUDE_* defines that keep unused entitlements out of Apple's API-usage scan. - Identity (PRs #5018, #5039): OIDC client backed by ASWebAuthenticationSession / Custom Tabs with PKCE; Sign in with Apple in core; refreshed Google/Facebook/Microsoft/Auth0/Firebase wrappers; WebAuthn / passkey client in W3C JSON wire format with iOS 16 and Android API 28 native bindings; Auth0/Firebase passkey helpers; legacy Oauth2 deprecated. - Sharing (PR #5036): ShareResult callbacks (SHARED_TO/DISMISSED/FAILED) on iOS and Android via UIActivityViewController.completionWithItemsHandler and Intent.createChooser with IntentSender; IOSShareExtensionBuilder in the Maven plugin generates a complete .ios.appext bundle. - AI (PRs #5035, #5057): com.codename1.ai with LlmClient for OpenAI/Anthropic/Gemini/Ollama, streaming SSE, ChatView, SpeechRecognizer/TextToSpeech, SecureStorage non-prompting overloads, simulator Ollama redirect, AiDependencyTable build-time injection, and the cn1-ai-mlkit-{barcode,docscan,face} cn1libs. Closes with the structural element common to all four (scanner-driven gating that mirrors the NFC/biometrics pattern from two weeks ago). * Platform-APIs post: rewrite around AI + OAuth headline - Retitled "AI, OAuth, And Other Platform APIs In The Core". - Reordered sections so the two headline pieces come first: AI (with deep tutorials) and OAuth / OIDC (with provider walk- throughs and a migration). WiFi / connectivity and share-sheet callbacks land at the end. - Opener no longer runs together; the NFC / biometrics / crypto call-back is linked to the previous post explicitly. - AI section expanded with concrete examples for streaming, tool calls, embeddings, image generation, the simulator Ollama redirect, the SecureStorage non-prompting overloads, the ChatView binding, and an ASCII mockup of the ChatView surface for readers who haven't seen it. - New subsection explaining why the ML Kit AI features stay in cn1libs even though the LlmClient surface lives in core (core carries the plumbing every AI app wants; specialised verticals with large native dependencies stay opt-in; the cloud-build big- upload guard rules out the multi-gigabyte models). - OAuth section now walks through OIDC discovery, the four provider wrappers (Google, Microsoft, Auth0, Facebook), Sign in with Apple, an Oauth2-to-OidcClient migration example, and the WebAuthn / passkey client. - Dev-guide references go to the HTML version on the website. - Hero image lands at /blog/platform-apis-in-the-core.jpg. - Wrap-up has the link back to the intro and forward to the Wednesday post. Also updates the developer-workflow post (rebased on top) to add the forward link to this post in its wrap-up. * Platform-APIs post: review fixes - Opening description rewritten so it does not read as a comma list. - Dropped the "AI first, OAuth second" meta-paragraph. - Anthropic and Gemini are no longer described as "still in flight"; both are fully implemented in this release. - Replaced the SecureStorage "small thing that matters more than it sounds" framing with a proper "How to handle API keys" section that opens with the security rule (never check in, never embed, never hardcode), explains the proper shape (fetch from your backend over an authenticated request, cache to the platform keychain via SecureStorage), and gives a concrete getOpenAiKey example. - ChatView ASCII mockup replaced with a screenshot reference and a richer code example that drives the chat manually (ConversationStore + per-message lifecycle + error path). - Removed the Speech / TTS subsection entirely. The native iOS / Android bridges are still tracked follow-ups in PR #5035 and are not shipping in this release. - iOS Share Extension paragraph expanded into a real "how your app appears in other apps' share menus" section with a pom.xml configuration block, the cn1:generate-ios-share-extension Mojo invocation, and a host-side payload-read example. - AI cn1libs rewritten. The 13 cn1libs land in a feature table with a one-line "what it gives you" column each, followed by a "how to add and use them" paragraph and three short worked examples (barcode, text recognition, translation). The "why these are cn1libs and not core" answer follows the concrete list rather than appearing without context. - "What ties this together" section removed. * Platform-APIs post: real ChatView screenshot + per-cn1lib subsections - Replaced the placeholder ChatView image reference with a real screenshot pulled from the ChatViewDevGuideScreenshotTest output (scripts/ios/screenshots-metal/ChatView_light.png), cropped to remove the test-harness caption and downscaled for web payload. - Replaced the AI cn1lib quick-table and the "Why are these cn1libs" paragraph with thirteen per-cn1lib subsections (cn1-ai-mlkit-{ text, barcode, face, labeling, translate, smartreply, langid, pose, segmentation, docscan}, cn1-ai-tflite, cn1-ai-whisper, cn1-ai-stablediffusion). Each subsection covers TL;DR, per- platform native bridge, use cases, and a real working code sample using the actual facade signature (TextRecognizer. recognize / BarcodeScanner.scan / FaceDetector.detect / ... PoseDetector.detect / SelfieSegmenter.segment / ... etc). - Up front: the cn1libs aren't in the CN1 Preferences picker yet, so the manual pom.xml dependency snippet is the supported path; the shared pattern is given once with just the artifactId changing per cn1lib. - Dropped the mention of scripts/create-ai-cn1lib.sh as an implementation detail. * Platform-APIs post: shift to 2026-05-31, retime forward links Tighter daily cadence: the platform-APIs post moves from Monday 2026-06-01 to Sunday 2026-05-31, and the codegen post (PR #5088) moves from Wednesday 2026-06-03 to Monday 2026-06-01. - Front-matter date: 2026-06-01 -> 2026-05-31. - Wrap-up: "The next post is on Wednesday" -> "Tomorrow's post" with the link to /blog/build-time-codegen/. - In-text reference: "Wednesday's post" (in the embeddings paragraph that mentions the upcoming ORM) -> "tomorrow's post". - Developer-workflow post forward link (added on top of the merged base by this PR): "Monday's post" -> "Tomorrow's post" to match the new platform-APIs date. * Blog: build-time codegen (router, ORM, mappers, binder, SVG/Lottie) Final consolidated follow-up to the May 29 weekly index. Pulls together six PRs that share the same architectural shape: emit Java at build time, validate at build time, fail fast, and let R8 / ParparVM rename the generated code together with the rest of the app. - PR #5037: bytecode AnnotationProcessor SPI in the Maven plugin, the declarative router that is its first consumer (@route with guards, redirects, per-tab navigation shell, location listeners), the unified cold + warm DeepLink API, iOS Universal Links / Android App Links JSON generators, and the JavaScript-port window.history bridge. - PR #5047: three more processors on the same SPI -- SQLite ORM (@entity / @id / @column), JSON / XML mapping (@mapped / @JsonProperty / @xmlelement), and component binding (@bindable / @Bind with the new BindAttr enum). - PR #5062: validation annotations (@required, @Length, @regex, @Email, @url, @Numeric, @existin, @Validate) that compose with @Bind and surface through Binding.getValidator(). - PR #5055: the Immich-port baseline -- Map default methods, BiFunction, atomics, Rest.fetchAsJsonList / fetchAsMapped(List), URLImage.RequestDecorator / setDefaultBearerToken, JSONWriter, modern animated tab indicator + arc-spinner pull-to-refresh, MorphTransition.snapshotMode, WebSocket in core, and the new cn1:generate-openapi-client mojo. - PR #5042: build-time SVG transcoder that lowers SVG (and SMIL animations) into Codename One Image subclasses via the shape API. - PR #5066: Lottie / Bodymovin transcoder reusing the same SVGDocument model, JavaCodeGenerator, and SVGRegistry. - PR #5049: the iOS Metal stencil-clip + drawString and Android LinearGradientPaint fixes the SVG screenshot tests exposed. Calls out the Metal-only caveat on iOS for SVG / Lottie (the GL ES 2 path does not have the shape coverage) -- a non-issue on most apps now that Metal is the default. * Build-time-codegen post: style pass - "I" voice replaced with "we" / team-flavoured phrasing. - Front matter description and feed_html no longer name the Immich Flutter port; the porting exercise is described generically as "a substantial mobile client app". - Section heading renamed from "The Immich-port baseline" to "The porting-exercise baseline". - Body prose no longer names the Flutter source; the porting exercise is described in generic terms ("a substantial third-party mobile client onto Codename One"). - "Form.setPopGuard analogue to Flutter's PopScope" rephrased so the Flutter analogy is gone and the hook is described directly. - Wrap-up rephrased so the "next index lands on Friday" line reads as a fact rather than a personal commitment. * Build-time-codegen post: hero image + cross-post linking - Hero image lands at /blog/build-time-codegen.jpg. - Wrap-up reworded so the "back to the weekly index" link uses the same shape as the workflow and platform-APIs posts. - Platform-APIs post (rebased on top) updated so its wrap-up forward-links to this post by URL rather than by date prose. * Build-time-codegen post: quote YAML title to dodge colon parse error The post failed CI with: error building site: assemble: failed to create page from pageMetaSource /blog/build-time-codegen: ...build-time-codegen.md:2:8": [1:8] mapping value is not allowed in this context The title contains an unquoted colon ("Build-Time Codegen: Router, ORM, Mappers, Binder, SVG / Lottie"), which YAML reads as a key / value separator at column 8 and trips the parser. Wrapping the value in double quotes makes it a plain string. Verified locally with `hugo --buildFuture`: the post renders and the rendered <title> shows the colon intact. * Build-time-codegen post: major restructure per review - Retitled "Routing, ORM, OpenAPI, And Build-Time SVG / Lottie". The headline pieces (router, ORM, OpenAPI, SVG, Lottie) lead; the codegen plumbing is the "How it works" section at the end. - Front-matter description rewritten around the headline pieces and the JPA / JAXB familiarity callouts. - Routing section now leads with the deep-link motivation: what problem deep links create (URLs arriving from many sources), why a single Display.setDeepLinkHandler scales badly, and how @route(...) collapses the if/else handler into one annotation per form. Spring developers get an explicit "@route ~ @RequestMapping, :id ~ {id}, RouteMatch.param ~ @PathVariable" callout. React/Vue/Angular Router familiarity also called out. - ORM section gets a JPA / Hibernate familiarity callout (@entity, @id, @column, EntityManager, Dao#findById/findAll/find), plus the explicit "renamed @transient to @DbTransient to avoid java.beans.Transient" note. - JSON / XML section gets a JAXB familiarity callout (@xmlRoot, @xmlelement, @XmlAttribute, @XmlTransient direct port; the Jackson convention for the JSON side). - New OpenAPI section as a headline feature. Walks through the cn1:generate-openapi-client Mojo configuration in pom.xml, the Petstore reference spec output (6 models + 3 Api classes), and a concrete PetApi usage example (getPetById, findPetsByStatus, addPet). Frames the practical effect for teams whose backends already publish OpenAPI specs. - Component-binding section preserved with its validation annotations, BindAttr, GroupConstraint composition. - SVG section gets its own heading with a real static-fixture screenshot (cropped from scripts/ios/screenshots-metal/ SVGStatic.png). - Lottie section gets its own heading with an animated GIF composed from the 6-frame LottieAnimatedScreenshotTest grid (cropped, labels masked, frames stitched at 200ms each, looped). - "How it works" section at the end explains the bytecode AnnotationProcessor SPI, the generate-sources / process-classes Mojo split, the stub-then-overwrite pattern, and the three non-negotiable rules (no Class.forName, no service loader, no field reflection). - REMOVED: "The porting-exercise baseline" section and any other mention of how decisions were arrived at. - REMOVED: "The Metal / Android rendering fixes" subsection. The three Metal / Android bug fixes are not user-facing features of this release and do not belong in this post. - REMOVED: "What ties this together" section. - Front-matter title now quoted to handle the colon (carried over from the previous CI fix). Hero image and the lottie-pulse-spinner.gif / svg-static.png fixtures committed alongside. * Build-time-codegen post: reorder + retitle per review - Title retitled "OpenAPI, ORM, SVG and Lottie" (routing dropped from the title, not the first thing above the fold). - OpenAPI section stays first, then ORM, JSON / XML, binding, SVG, Lottie. Deep links and routing moved to the END of the post, just before the codegen plumbing section. - Routing reframed as "the first place we used the preprocessor" rather than "the piece that motivates everything else". - Deep-link section now spells out the honest history. AppArg worked for small surfaces but got fragile across cold/warm lifecycle paths and especially in the case where a user lands mid-app via a link and then continues to interact (back-stack composition, falling off the edge on back). The new DeepLink + setDeepLinkHandler runs on a consistent path and parses for you. - Removed the "The Initializr, the Playground, the Skin Designer, and the new Build Cloud console are all working examples" sentence; none of those use the routing framework. - Removed the "Three rules the design enforces: no Class.forName, no service loader, no field reflection. The 'this code only breaks in production because R8 renamed a field' shape of JPA-on-Android bug is structurally absent" paragraph from the ORM section. - @bindable example now shows the Form with the matching components (TextField with setName, ComboBox, Button), so the binder's "match by component name" contract is visible. - New SVG sizing subsection. cn1-svg-width / cn1-svg-height in millimeters is the recommended knob; same constant size at every DPI; sidesteps the design-pixel guesswork. Two-float constructor for projects that don't use CSS. - New paragraph up front in the SVG section spelling out that a transcoded SVG is a vector image but still an Image: works in every Image slot in the framework, just scales cleanly. - iOS Metal caveat fixed. On ios.metal=false the SVG / Lottie shape API renders with visible artifacts in many cases, not the placeholder you might expect. - SVG and Lottie both ask the community to file issues with the failing source file attached when the transcoder mishandles something. The transcoder grows one shape family at a time from those reports. - SVG / Lottie source path corrected from src/main/svg/ and src/main/lottie/ to src/main/css/ (the actual hellocodenameone fixture lays them out alongside theme.css there). - Lottie GIF regenerated. 24 interpolated frames at 60 ms each (was 6 frames at 200 ms); much smoother playback in-browser. - Wrap-up teases Friday's release post: pretty big features landing, the headline pieces are the most substantial things in months and worth checking back for. * Build-time-codegen post: drop "knob", correct SVG coverage - Section heading "Sizing in millimeters is the important knob" shortened to "Sizing in millimeters". - The "Explicit non-coverage in v1" sentence was wrong: text and clip-path are supported in this release and visible in the static-SVG fixture screenshot we ship in the post. Rewritten to call out that text and clipPath landed via PR #5056, show what is supported (<text> / <tspan> with single-style fills and transforms; <clipPath> via clip-path="url(#id)" against rect / circle / path clip shapes), and accurately list what is still not covered (filter primitives, mask with alpha, radialGradient, CSS-in-SVG with selector style rules). * Build-time-codegen post: shift to 2026-06-01 Tighter daily cadence; the codegen post moves from Wednesday 2026-06-03 to Monday 2026-06-01. - Front-matter date: 2026-06-03 -> 2026-06-01. - Intro recap line "Saturday's was about how you iterate; Monday's was about new platform APIs" -> "Saturday's was about how you iterate; yesterday's was about new platform APIs". Today is now Monday. - "this Friday's release post" wrap-up tease unchanged; that refers to the next weekly release index post and Friday is unchanged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends the OidcClient identity stack (#5018) with a portable WebAuthn / passkey client and provider passkey helpers.
com.codename1.io.webauthnpackage:WebAuthnClient(W3C JSON wire format),WebAuthnNativeSPI, options + response wrappers (PublicKeyCredentialCreationOptions,PublicKeyCredentialRequestOptions,PublicKeyCredential),WebAuthnExceptionwith W3C-named codesASAuthorizationPlatformPublicKeyCredentialProvideron iOS 16+,androidx.credentials.CredentialManageron Android API 28+Auth0Connect.signInWithPasskey/.registerPasskey(Auth0 WebAuthn grant),FirebaseAuth.signInWithPasskey/.registerPasskey(Identity Platform v2 REST endpoints)WebAuthnCoreTestassertions; the 30 existing identity-stack tests still passWhy now
Most CN1 apps that sign users in via
OidcClientagainst Google / Apple / Microsoft / Auth0 / Firebase already get passkeys transparently -- the IdP handles the ceremony, OIDC just hands you the resulting tokens. This PR lands the surface for the cases that don't have that path:Architecture
Mirrors the OIDC stack:
coreis platform-neutral; the actual passkey call goes through aWebAuthnNativeSPIWebAuthnClient.setProvider(...)from a generated init stubIPhoneBuilder/AndroidGradleBuilderonly flip the bridge on when the classpath scanner seescom.codename1.io.webauthn.*references, so apps that never use passkeys ship without the symbols or extra Gradle depswebauthn4j,@simplewebauthn/server,webauthn-rs, etc.)Test plan
WebAuthnCoreTest(14 assertions) -- pure-JVM coverage of options / response parsing, builder round-trip, exception codes, async dispatch with a stub providerOidcCoreTest,WebAuthnCoreTest,Oauth2Test,Oauth2RefreshTokenRequestTest,GoogleConnectTest,FacebookConnectTest,LoginTest,Login1Test,LoginExtrasTestall passIPhoneBuilder+AndroidGradleBuilderscanner changes)WebAuthnNativeImpl.javaships inandroid_port_sources.jar)clang -fsyntax-onlyonCN1WebAuthn.magainst the iPhoneOS SDK in bothstubsandfullconfigurationsassetlinks.jsonpublished (manual)🤖 Generated with Claude Code