🥅 app: fingerprint passkey errors by message, drop expected ones

Author: cruzdanilo

.changeset/nrts-fppm-tpur.md

@@ -0,0 +1,5 @@
+---
+"@exactly/mobile": patch
+---
+
+🥅 fingerprint passkey errors by message, drop expected ones

src/app/_layout.tsx

@@ -41,7 +41,7 @@ import en from "../i18n/en.json";
 import es from "../i18n/es.json";
 import e2e from "../utils/e2e";
 import queryClient, { persistOptions } from "../utils/queryClient";
-import reportError from "../utils/reportError";
+import reportError, { classifyError } from "../utils/reportError";
 import exaConfig from "../utils/wagmi/exa";
 import ownerConfig from "../utils/wagmi/owner";
 
@@ -112,6 +112,14 @@ init({
   enableUserInteractionTracing: true,
   integrations: [routingInstrumentation, userFeedback, ...(__DEV__ || e2e ? [] : [mobileReplayIntegration()])],
   _experiments: __DEV__ || e2e ? undefined : { replaysOnErrorSampleRate: 1, replaysSessionSampleRate: 0.01 },
+  beforeSend: (event, hint) => {
+    const value = event.exception?.values?.[0]?.value;
+    const source = hint.originalException ?? value ?? event.message;
+    const { expected, fingerprint } = classifyError(source);
+    if (expected) return null;
+    event.fingerprint ??= fingerprint;
+    return event;
+  },
   spotlight: __DEV__ || !!e2e,
 });
 const useServerFonts = typeof window === "undefined" ? useFonts : () => undefined;

src/utils/accountClient.ts

@@ -61,6 +61,7 @@ import e2e from "./e2e";
 import { login } from "./onesignal";
 import publicClient from "./publicClient";
 import queryClient, { type AuthMethod } from "./queryClient";
+import { isPasskeyCancelled } from "./reportError";
 import ownerConfig from "./wagmi/owner";
 
 import type { Credential } from "@exactly/common/validation";
@@ -106,17 +107,7 @@ export default async function createAccountClient({ credentialId, factory, x, y
         if (s > P256_N / 2n) s = P256_N - s; // pass malleability guard
         return webauthn({ authenticatorData, clientDataJSON, challengeIndex, typeIndex, r, s });
       } catch (error: unknown) {
-        if (
-          error instanceof Error &&
-          (error.message ===
-            "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1001.)" ||
-            error.message ===
-              "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1004.)" ||
-            error.message === "The operation couldn’t be completed. Device must be unlocked to perform request." ||
-            error.message === "UserCancelled")
-        ) {
-          return "0x";
-        }
+        if (isPasskeyCancelled(error)) return "0x";
         throw error;
       }
     },

src/utils/reportError.ts

@@ -2,9 +2,113 @@ import { captureException } from "@sentry/react-native";
 
 export default function reportError(error: unknown, hint?: Parameters<typeof captureException>[1]) {
   console.error(error); // eslint-disable-line no-console
+  const classification = classify(parseError(error));
+  if (classification.expected) return;
   try {
-    return captureException(error, hint);
+    if (hint) return captureException(error, hint);
+    return captureException(
+      error,
+      classification.fingerprint ? { fingerprint: classification.fingerprint } : undefined,
+    );
   } catch (sentryError) {
     console.error(sentryError); // eslint-disable-line no-console
   }
 }
+
+const passkeyCancelledMessages = new Set([
+  "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1001.)",
+  "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1004.)",
+  "The operation couldn’t be completed. Device must be unlocked to perform request.",
+  "UserCancelled",
+]);
+const passkeyExpectedMessages = new Set([
+  ...passkeyCancelledMessages,
+  "The operation couldn’t be completed. Stolen Device Protection is enabled and biometry is required.",
+]);
+const authPrefixes = ["androidx.credentials.exceptions.domerrors.NotAllowedError"];
+type ParsedError = ReturnType<typeof parseError>;
+
+export function isPasskeyExpected(error: unknown) {
+  return classify(parseError(error)).passkeyExpected;
+}
+
+export function isPasskeyCancelled(error: unknown) {
+  return classify(parseError(error)).passkeyCancelled;
+}
+
+export function isAuthExpected(error: unknown) {
+  return classify(parseError(error)).authExpected;
+}
+
+export function isExpected(error: unknown) {
+  return classify(parseError(error)).expected;
+}
+
+export function fingerprint(error: unknown) {
+  return classify(parseError(error)).fingerprint;
+}
+
+export function classifyError(error: unknown) {
+  return classify(parseError(error));
+}
+
+function parseError(error: unknown) {
+  const code =
+    typeof error === "object" &&
+    error !== null &&
+    "code" in error &&
+    typeof error.code === "string" &&
+    error.code.length > 0
+      ? error.code
+      : undefined;
+  const name =
+    typeof error === "object" &&
+    error !== null &&
+    "name" in error &&
+    typeof error.name === "string" &&
+    error.name.length > 0
+      ? error.name
+      : undefined;
+  const message =
+    error instanceof Error
+      ? normalizeMessage(error.message)
+      : typeof error === "string"
+        ? normalizeMessage(error)
+        : typeof error === "object" &&
+            error !== null &&
+            "message" in error &&
+            typeof error.message === "string" &&
+            error.message.length > 0
+          ? normalizeMessage(error.message)
+          : undefined;
+  return { code, name, message };
+}
+
+function classify({ code, message }: ParsedError) {
+  const passkeyCancelled = message !== undefined && passkeyCancelledMessages.has(message);
+  const passkeyExpected =
+    passkeyCancelled ||
+    (message !== undefined &&
+      (passkeyExpectedMessages.has(message) ||
+        message.includes("There is already a pending passkey request") ||
+        authPrefixes.some((prefix) => message.startsWith(prefix))));
+  const authExpected = passkeyExpected || message === "invalid operation";
+  const expected = authExpected;
+  const fingerprintMessage =
+    message?.startsWith("Calling the 'get' function has failed") ||
+    message?.startsWith("The operation couldn’t be completed.")
+      ? message
+      : undefined;
+  const value =
+    code !== undefined && code !== "ERR_UNKNOWN"
+      ? ["{{ default }}", code]
+      : fingerprintMessage === undefined
+        ? undefined
+        : ["{{ default }}", fingerprintMessage];
+  return { passkeyExpected, passkeyCancelled, authExpected, expected, fingerprint: value };
+}
+
+function normalizeMessage(message: string) {
+  const value = message.startsWith("Error: ") ? message.slice("Error: ".length) : message;
+  return value.trim();
+}

src/utils/server.ts

@@ -14,6 +14,7 @@ import { Credential } from "@exactly/common/validation";
 import { login as loginIntercom, logout as logoutIntercom } from "./intercom";
 import { decrypt, decryptPIN, encryptPIN, session } from "./panda";
 import queryClient, { APIError, type AuthMethod } from "./queryClient";
+import { isPasskeyExpected } from "./reportError";
 import ownerConfig from "./wagmi/owner";
 
 import type { ExaAPI } from "@exactly/server/api"; // eslint-disable-line @nx/enforce-module-boundaries
@@ -61,19 +62,7 @@ queryClient.setQueryDefaults<number | undefined>(["auth"], {
     return parse(Auth, expires);
   },
   meta: {
-    suppressError: (error) =>
-      error instanceof ValiError ||
-      (error instanceof Error &&
-        (error.name === "NotAllowedError" ||
-          error.message === "UnknownError" ||
-          error.message ===
-            "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1001.)" ||
-          error.message ===
-            "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1004.)" ||
-          error.message === "The operation couldn’t be completed. Device must be unlocked to perform request." ||
-          error.message === "UserCancelled" ||
-          error.message.startsWith("androidx.credentials.exceptions.domerrors.NotAllowedError") ||
-          ("code" in error && error.code === "ERR_UNKNOWN"))),
+    suppressError: (error) => error instanceof ValiError || isPasskeyExpected(error),
   },
 });
 

src/utils/useAuth.ts

@@ -12,7 +12,7 @@ import chain from "@exactly/common/generated/chain";
 
 import alchemyConnector from "./alchemyConnector";
 import queryClient, { type AuthMethod } from "./queryClient";
-import reportError from "./reportError";
+import reportError, { isAuthExpected } from "./reportError";
 import { APIError, createCredential, getCredential } from "./server";
 import ownerConfig, { getConnector as getOwnerConnector } from "./wagmi/owner";
 
@@ -49,19 +49,7 @@ function handleError(
   onDomainError: () => void,
   t: TFunction,
 ) {
-  if (
-    (error instanceof Error &&
-      (error.message ===
-        "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1001.)" ||
-        error.message ===
-          "The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1004.)" ||
-        error.message === "The operation couldn’t be completed. Device must be unlocked to perform request." ||
-        error.message === "UserCancelled" ||
-        error.message.startsWith("androidx.credentials.exceptions.domerrors.NotAllowedError") ||
-        error.message === "invalid operation" ||
-        error.name === "NotAllowedError")) ||
-    error instanceof UserRejectedRequestError
-  ) {
+  if (isAuthExpected(error) || error instanceof UserRejectedRequestError) {
     queryClient.setQueryData(["method"], undefined);
     toast.show(t("Authentication cancelled"), {
       native: true,
@@ -70,7 +58,7 @@ function handleError(
     });
     return;
   }
-  if (error instanceof Error && "code" in error && (error as Error & { code: string }).code === "ERR_BIOMETRIC") {
+  if (error instanceof Error && "code" in error && error.code === "ERR_BIOMETRIC") {
     queryClient.setQueryData(["method"], undefined);
     toast.show(t("Biometrics must be enabled to use passkeys. Please enable biometrics in your device settings"), {
       native: true,
@@ -93,10 +81,5 @@ function handleError(
   ) {
     onDomainError();
   }
-  reportError(
-    error,
-    error instanceof Error && !(error instanceof APIError) && "code" in error
-      ? { fingerprint: ["{{ default }}", (error as Error & { code: string }).code] }
-      : undefined,
-  );
+  reportError(error);
 }