Skip to content

Passwordless db implementation - example#2718

Merged
Piyush-85 merged 10 commits into
mainfrom
feat/passwordless-db-example
Jul 6, 2026
Merged

Passwordless db implementation - example#2718
Piyush-85 merged 10 commits into
mainfrom
feat/passwordless-db-example

Conversation

@Piyush-85

@Piyush-85 Piyush-85 commented Jun 26, 2026

Copy link
Copy Markdown
Contributor
  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

📋 Changes

Adds examples/with-passwordless-db, a Next.js 16 App Router example demonstrating the full passwordless OTP on database connections flow.

The example covers the complete happy path:
email or phone identifier input → passwordless.challengeWithEmail / challengeWithPhoneNumber → OTP entry → passwordless.loginWithOtp → session established → dashboard. MFA is fully handled: when loginWithOtp returns mfa_required, the form calls mfa.getAuthenticators to determine whether the user needs to enroll (shows a QR code via a qrcode canvas component) or challenge an existing authenticator (TOTP or OOB). mfa.verify completes the flow in both cases.

Phone signup is set to allowSignup: false since Auth0 does not support phone OTP signup in non-interactive flows (phone_verified must be true before account creation). Email signup uses allowSignup: true.

📎 References

  • Depends on: feat/passwordless-db-types-errors, feat/passwordless-db-server, feat/passwordless-db-client

🎯 Testing

pnpm typecheck and pnpm build pass inside examples/with-passwordless-db. Tested end-to-end against a dev tenant with all required feature flags enabled:

  • Email OTP signup (new user) → OTP received → session created → dashboard
  • Email OTP login (existing user) → OTP received → session created → dashboard
  • Phone OTP login (pre-existing verified user) → OTP received → session created → dashboard
  • Invalid OTP → PasswordlessDbGetTokenError with invalid_request
  • Non-DB connection → PasswordlessDbChallengeError with invalid_connection

Summary by CodeRabbit

  • New Features
    • Added a new passwordless OTP database connections example with email/phone sign-in, optional MFA (TOTP enrollment and verification), and automatic redirect to a protected dashboard.
    • Improved MFA QR handling with visible fallback/manual key display when QR rendering fails.
    • Added an authenticated dashboard that shows user identity plus session and token details, with sign-out support.
  • Documentation
    • Expanded EXAMPLES.md and route documentation to cover the new database-connection OTP flow and setup details, including error types.
    • Added a complete README for the new example app.

@Piyush-85 Piyush-85 requested a review from a team as a code owner June 26, 2026 04:55
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 443e69fb-8dea-43ec-aa32-612fa5558c68

📥 Commits

Reviewing files that changed from the base of the PR and between 69c4c90 and 9e36e6d.

📒 Files selected for processing (1)
  • examples/with-passwordless-db/components/qr-code.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/with-passwordless-db/components/qr-code.tsx

📝 Walkthrough

Walkthrough

Adds a new example app for passwordless OTP on database connections, including sign-in, dashboard, QR/MFA flows, app scaffolding, and updated root/example documentation.

Changes

Passwordless DB example and documentation

Layer / File(s) Summary
Example app setup
examples/with-passwordless-db/{package.json, pnpm-workspace.yaml, next-env.d.ts, tsconfig.json, next.config.ts, postcss.config.mjs, tailwind.config.ts, lib/auth0.ts, proxy.ts, app/layout.tsx, app/globals.css}
Adds the example’s package metadata, TypeScript/Next/Tailwind/PostCSS setup, Auth0 client bootstrap, middleware proxy, root layout, and Tailwind base styles.
Example sign-in and dashboard UI
examples/with-passwordless-db/app/{page.tsx,dashboard/page.tsx}, examples/with-passwordless-db/components/{passwordless-db-form.tsx,qr-code.tsx}
Adds the authenticated redirect/sign-in page, the step-driven OTP/MFA form, QR fallback handling, and the protected dashboard view with session/token details.
EXAMPLES.md and README.md updates
EXAMPLES.md, README.md, examples/with-passwordless-db/README.md
Documents the passwordless DB OTP flow in the main and example READMEs, including setup, routes, client/headless usage, and MFA notes.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Home
  participant PasswordlessDbForm
  participant Auth0
  participant Dashboard
  Home->>Auth0: getSession()
  Auth0-->>Home: no session
  Home-->>PasswordlessDbForm: render sign-in form
  PasswordlessDbForm->>Auth0: challengeWithEmail/challengeWithPhoneNumber
  Auth0-->>PasswordlessDbForm: authSession
  PasswordlessDbForm->>Auth0: loginWithOtp(authSession, otp)
  Auth0-->>PasswordlessDbForm: mfa_required or tokens
  PasswordlessDbForm->>Auth0: mfa.verify(oobCode or otp)
  Auth0-->>PasswordlessDbForm: tokens
  PasswordlessDbForm-->>Dashboard: redirect to /dashboard
Loading

Possibly related PRs

  • auth0/nextjs-auth0#2701: Both PRs modify examples/with-passwordless-db/pnpm-workspace.yaml to allow trusted package builds via allowBuilds.
  • auth0/nextjs-auth0#2719: The example's passwordless-db-form.tsx calls the client APIs (challengeWithEmail, challengeWithPhoneNumber, loginWithOtp, mfa_required handling) implemented in that PR.

Suggested reviewers: tusharpandey13, pmathew92

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly identifies the main change: a passwordless database example implementation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/passwordless-db-example

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov-commenter

codecov-commenter commented Jun 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.02%. Comparing base (34e51a5) to head (9e36e6d).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2718   +/-   ##
=======================================
  Coverage   88.02%   88.02%           
=======================================
  Files          79       79           
  Lines       11011    11011           
  Branches     2277     2276    -1     
=======================================
  Hits         9692     9692           
  Misses       1275     1275           
  Partials       44       44           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Piyush-85 Piyush-85 changed the base branch from main to feat/passwordless-db-client June 26, 2026 05:03
Comment thread EXAMPLES.md
Comment thread EXAMPLES.md Outdated
Comment thread EXAMPLES.md Outdated
Base automatically changed from feat/passwordless-db-client to feat/passwordless-db-server June 29, 2026 12:24
Base automatically changed from feat/passwordless-db-server to feat/passwordless-db-types-errors July 1, 2026 13:32
@Piyush-85 Piyush-85 mentioned this pull request Jul 6, 2026
2 tasks
Base automatically changed from feat/passwordless-db-types-errors to main July 6, 2026 11:28
@Piyush-85 Piyush-85 dismissed gyaneshgouraw-okta’s stale review July 6, 2026 11:28

The base branch was changed.

amitsingh05667
amitsingh05667 previously approved these changes Jul 6, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

🧹 Nitpick comments (1)
examples/with-passwordless-db/components/passwordless-db-form.tsx (1)

169-269: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate MFA-enroll/MFA-otp render blocks.

The two branches share nearly identical structure (numeric input, error box, submit button, back button with the same inline handler). Consider extracting a shared MfaCodeForm sub-component parameterized by heading/description/QR-code slot to reduce duplication.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/with-passwordless-db/components/passwordless-db-form.tsx` around
lines 169 - 269, The mfa-enroll and mfa-otp branches in passwordless-db-form.tsx
duplicate the same form structure, input, error display, submit button, and back
action. Extract that shared UI into a reusable MfaCodeForm component (or
equivalent helper) and pass in the step-specific title, description, submit
label, and optional barcode/QR section so both branches reuse the same logic and
markup.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@EXAMPLES.md`:
- Around line 2166-2186: The Server Action example is missing the import needed
for the redirect call, so copying the snippet will fail at runtime. Update the
example around requestOtp and verifyOtp to include the appropriate redirect
import alongside auth0, and ensure the verifyOtp function can call
redirect("/dashboard") without referencing an undefined symbol.

In `@examples/with-passwordless-db/app/dashboard/page.tsx`:
- Around line 5-10: The Dashboard page calls auth0.getSession() without guarding
for SDK failures, so any thrown error can crash the example instead of falling
back cleanly. Update Dashboard to wrap the auth0.getSession() call in try/catch,
then use error.code-based handling to decide whether to redirect, render a
friendly fallback, or rethrow unexpected errors; keep the existing redirect("/")
behavior for the unauthenticated path and preserve the example’s simple flow in
this component.

In `@examples/with-passwordless-db/components/passwordless-db-form.tsx`:
- Around line 281-292: The OTP/MFA/identifier inputs in the passwordless DB form
rely on placeholder text only and need an explicit accessible name. Update the
relevant input fields in passwordless-db-form.tsx, including the OTP input in
the shown block and the other affected inputs around the referenced sections, by
adding proper <label> associations or an aria-label/aria-labelledby tied to each
field. Keep the existing input behavior in the component while ensuring each
field can be reliably identified by assistive technologies.
- Around line 186-198: The mfaCode input in the MFA enroll and MFA otp flows is
accepting non-digit characters because its onChange handler only stores the raw
value. Update both instances of the mfaCode field in PasswordlessDbForm to
sanitize input the same way as the otp field by stripping non-digits and
limiting to 6 characters before calling setMfaCode, so the submit state and
mfa.verify only receive numeric codes.

In `@examples/with-passwordless-db/components/qr-code.tsx`:
- Around line 7-17: The QrCode component only renders the QR canvas and ignores
QRCode.toCanvas failures, so users need a fallback when scanning is unavailable.
Update QrCode to expose the OTP secret as a visible manual-entry value alongside
the canvas, and add an explicit error state in the useEffect/toCanvas flow
instead of swallowing the rejection. Use the QrCode component and its
canvasRef/value handling to surface both the secret and a clear failure message
when QR rendering does not succeed.

In `@examples/with-passwordless-db/package.json`:
- Line 13: The example package.json dependencies are out of sync: `next` is
still pinned to 16.2.5 and `eslint-config-next` is not on the matching 16.2.6
release. Update the version entries in the package manifest for both `next` and
`eslint-config-next` so this example uses the latest 16.2.x patch and keeps the
lint config aligned with Next.js.

In `@examples/with-passwordless-db/README.md`:
- Around line 22-28: Remove the internal tenant feature-flag names from the
public README section in with-passwordless-db so it matches the updated guidance
in EXAMPLES.md. In the “Enable feature flags” content, keep only generic wording
that tells users to contact their Auth0 account team or use internal tooling if
available, and do not expose the specific `allow_otp_database_connection_*`
flags. Update the surrounding text in the README to be consistent with the
public-facing messaging used elsewhere in the docs.

---

Nitpick comments:
In `@examples/with-passwordless-db/components/passwordless-db-form.tsx`:
- Around line 169-269: The mfa-enroll and mfa-otp branches in
passwordless-db-form.tsx duplicate the same form structure, input, error
display, submit button, and back action. Extract that shared UI into a reusable
MfaCodeForm component (or equivalent helper) and pass in the step-specific
title, description, submit label, and optional barcode/QR section so both
branches reuse the same logic and markup.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 22dc6290-7110-471e-af12-0dc01842e7e6

📥 Commits

Reviewing files that changed from the base of the PR and between 34e51a5 and 351d1c0.

⛔ Files ignored due to path filters (1)
  • examples/with-passwordless-db/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (18)
  • EXAMPLES.md
  • README.md
  • examples/with-passwordless-db/README.md
  • examples/with-passwordless-db/app/dashboard/page.tsx
  • examples/with-passwordless-db/app/globals.css
  • examples/with-passwordless-db/app/layout.tsx
  • examples/with-passwordless-db/app/page.tsx
  • examples/with-passwordless-db/components/passwordless-db-form.tsx
  • examples/with-passwordless-db/components/qr-code.tsx
  • examples/with-passwordless-db/lib/auth0.ts
  • examples/with-passwordless-db/next-env.d.ts
  • examples/with-passwordless-db/next.config.ts
  • examples/with-passwordless-db/package.json
  • examples/with-passwordless-db/pnpm-workspace.yaml
  • examples/with-passwordless-db/postcss.config.mjs
  • examples/with-passwordless-db/proxy.ts
  • examples/with-passwordless-db/tailwind.config.ts
  • examples/with-passwordless-db/tsconfig.json

Comment thread EXAMPLES.md
Comment thread examples/with-passwordless-db/app/dashboard/page.tsx
Comment thread examples/with-passwordless-db/components/passwordless-db-form.tsx
Comment thread examples/with-passwordless-db/components/passwordless-db-form.tsx
Comment thread examples/with-passwordless-db/components/qr-code.tsx Outdated
Comment thread examples/with-passwordless-db/package.json
Comment thread examples/with-passwordless-db/README.md Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@examples/with-passwordless-db/components/qr-code.tsx`:
- Around line 11-21: The QR code error state in qr-code.tsx is sticky because
renderError is only set to true and the canvas is conditionally unmounted, so
later value changes can never recover. Update the useEffect in QRCode rendering
to reset renderError when value changes and keep the canvas mounted (or
otherwise ensure QRCode.toCanvas can run again) so the component can re-render
successfully after a prior failure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: abda2742-2b0d-4b17-9d96-dfecf183ad05

📥 Commits

Reviewing files that changed from the base of the PR and between 351d1c0 and 69c4c90.

📒 Files selected for processing (4)
  • EXAMPLES.md
  • examples/with-passwordless-db/README.md
  • examples/with-passwordless-db/components/passwordless-db-form.tsx
  • examples/with-passwordless-db/components/qr-code.tsx
✅ Files skipped from review due to trivial changes (1)
  • EXAMPLES.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/with-passwordless-db/components/passwordless-db-form.tsx

Comment thread examples/with-passwordless-db/components/qr-code.tsx
@Piyush-85 Piyush-85 merged commit e624429 into main Jul 6, 2026
9 checks passed
@Piyush-85 Piyush-85 deleted the feat/passwordless-db-example branch July 6, 2026 12:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants