
feat: add clearAll() API to CredentialsManager and deleteAllEntries() method CredentialsStorage #1116

Merged
utkrishtsahu merged 6 commits into develop/v3.0 from SDK-7983-Add-clearAll-API-to-CredentialsManager, Mar 24, 2026

@utkrishtsahu

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

📋 Changes

Added a new clearAll() throws API to CredentialsManager and a new deleteAllEntries() throws method to the CredentialsStorage protocol.

Types and methods added:

  • CredentialsStorage.deleteAllEntries() throws — New protocol requirement that deletes all storage entries. The SimpleKeychain extension implements this by calling SimpleKeychain.deleteAll().
  • CredentialsManager.clearAll() throws — New public method that removes all keychain entries managed by the Credentials Manager and resets the biometric authentication session. This differs from the existing clear() method, which only removes the default credentials entry.

Usage:

```swift
do {
    try credentialsManager.clearAll()
} catch {
    print("Failed to clear all credentials: \(error)")
}
```

Migration guide: Updated V3_MIGRATION_GUIDE.md with documentation for both new APIs, including migration examples for custom CredentialsStorage implementations.

📎 References

SDK-7983

🎯 Testing

Unit tests (3 new tests added to CredentialsManagerSpec):

  • Should clear all credentials from keychain — Stores credentials, calls clearAll(), verifies hasValid() returns false
  • Should not throw when keychain is already empty — Calls clearAll() on empty storage, verifies no error is thrown
  • Should throw when storage fails — Uses a mock storage that throws on deleteAllEntries(), verifies the error propagates

Manual testing (sample app on iPhone 17 Pro simulator):

Manual (Emulator)

  • Launched the app → checkAuthentication confirmed no credentials in keychain
  • Logged in via Web Auth → Verified credentials (access token, ID token, refresh token) were stored in keychain via CredentialsManager -> SimpleKeychain
  • Tapped "Clear All Credentials" → Verified SimpleKeychain.deleteAll() was called, all entries removed, biometric session reset, hasValid() = false
  • Tapped "Clear All Credentials" on empty keychain → Verified no error thrown, operation succeeds gracefully

@utkrishtsahu utkrishtsahu requested a review from a team as a code owner March 13, 2026 03:49
@utkrishtsahu utkrishtsahu changed the title feat: add clearAll() API to CredentialsManager and deleteAllEntries() to CredentialsStore feat: add clearAll() API to CredentialsManager Mar 13, 2026
@utkrishtsahu utkrishtsahu changed the title feat: add clearAll() API to CredentialsManager feat: add clearAll() API to CredentialsManager and deleteAllEntries() method CredentialsStorage Mar 13, 2026

Copilot AI left a comment

Pull request overview

Adds a new “clear everything” capability to Auth0.swift’s Credentials Manager by extending the storage abstraction and documenting the change for v3 migration.

Changes:

  • Add CredentialsManager.clearAll() throws to wipe all stored credential entries and reset the biometric session.
  • Extend CredentialsStorage with deleteAllEntries() throws, including a SimpleKeychain implementation.
  • Add test coverage and v3 migration guide entries for the new APIs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| V3_MIGRATION_GUIDE.md | Documents the new clearAll / deleteAllEntries APIs and migration impact. |
| Auth0Tests/CredentialsManagerSpec.swift | Adds specs verifying clearAll() behavior and updates mocks for the new protocol requirement. |
| Auth0/CredentialsStorage.swift | Extends the storage protocol and implements deleteAllEntries() for SimpleKeychain. |
| Auth0/CredentialsManager.swift | Introduces clearAll() that resets biometric session and delegates to storage wipe. |


Comment on lines +184 to +200
/// Clears all credentials stored in the Keychain, including the main credentials and any API credentials
/// for all audiences.
///
/// ## Usage
///
/// ```swift
/// try credentialsManager.clearAll()
/// ```
///
/// - Throws: An error when the delete operation fails.
public func clearAll() throws {
#if WEB_AUTH_PLATFORM
self.biometricSession.lock.lock()
self.biometricSession.lastBiometricAuthTime = self.biometricSession.noSession
self.biometricSession.lock.unlock()
#endif
try self.storage.deleteAllEntries()
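
Review bot: in clearAll(), the biometric session is reset before `try self.storage.deleteAllEntries()` runs, so when the delete throws the caller is left with a reset session and entries that may still be in storage, and the `- Throws:` line does not say so. Keep this order, since it fails closed, but document the post-failure state so callers surface or retry the error instead of treating the user as logged out. The paired `lock.lock()` / `lock.unlock()` calls would also be safer as `lock.lock(); defer { lock.unlock() }` in case a throwing call is ever added between them.
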
/// - Returns: If the entry was deleted.
func deleteEntry(forKey key: String) -> Bool

/// Deletes all storage entries.
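
Review bot: the doc comment `/// Deletes all storage entries.` on the new requirement does not state the contract a custom storage has to meet. Say that the call succeeds when the storage is already empty, that it throws only when entries could not be removed, and that "all" means every entry the storage instance holds, so implementers do not ship a partial or no-op wipe.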

**New method:** `clearAll() throws` has been added to `CredentialsManager`.

This method removes **all** credentials stored by the Credentials Manager from the Keychain, including the default credentials entry, any API credentials stored via `store(apiCredentials:)`, and any SSO credentials. It also resets the biometric authentication session (if biometric authentication was enabled).
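
Review bot: the sentence beginning "This method removes **all** credentials stored by the Credentials Manager" understates the scope, because `clearAll()` delegates to `deleteAllEntries()` on whatever storage it was given and that call deletes every entry in the storage. Add a sentence telling readers who share the storage instance with other app data that those entries are removed too, and contrast it with `clear()` so the right call is chosen at logout.
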
@sanchitmehtagit sanchitmehtagit added the labels Swift v3.0 (This label depicts this feature is part of Swift 3.0) and review:small (Small review) Mar 13, 2026
Contributor

@sanchitmehtagit sanchitmehtagit left a comment


Changes look good; however, we should test the following flows if not tested already:

  1. Happy case: we have only credentials and no APICredentials, and then it calls the clearAll() API, and then it calls retrieveCredentials(scope). Does it throw the correct error?
  2. MRRT flow and calling clearAll(), and then we call the following APIs:
     • apiCredentials(forAudience) API: does it throw the correct error?
     • store(apiCredentials): what's the behavior in this?


```swift
// v2 - CredentialsStorage protocol
class MyCustomStorage: CredentialsStorage {
Contributor


MyCustomCredentialStorage

Author


renamed MyCustomStorage to MyCustomCredentialStorage

@utkrishtsahu
Author

> Changes look good; however, we should test the following flows if not tested already:
>
>   1. Happy case: we have only credentials and no APICredentials, and then it calls the clearAll() API, and then it calls retrieveCredentials(scope). Does it throw the correct error?
>   2. MRRT flow and calling clearAll(), and then we call the following APIs:
>      • apiCredentials(forAudience) API: does it throw the correct error?
>      • store(apiCredentials): what's the behavior in this?

@sanchitmehtagit
Flow 1 (Happy case):
Login → clearAll() → credentials() → Correctly throws .noCredentials

Flow 2 (MRRT + clearAll):

  • apiCredentials(forAudience:) after clearAll() → Correctly throws .noCredentials error
  • store(apiCredentials:) after clearAll() → Returns true, storage works normally

Console logs confirming all flows:

```
[Flow 1] clearAll() SUCCESS
[Flow 1] EXPECTED: credentials() threw error: No credentials were found in the store.
[Flow 1] PASS - Correctly received error after clearAll()

[Flow 2] EXPECTED: apiCredentials() threw error: No credentials were found in the store.
[Flow 2] PASS - Correctly received error after clearAll()
[Flow 2] store(apiCredentials:) after clearAll = true
[Flow 2] PASS - Can store new API credentials after clearAll()
```

Contributor

@sanchitmehtagit sanchitmehtagit left a comment


LGTM,
nit: let's add a default implementation for the deleteAllEntries() API with an assertion, as discussed, for better DX and to make it a non-breaking change
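
A sketch of the default-implementation idea from the nit above, added here as an example and not taken from the Auth0.swift code base: `TokenStorage`, `TokenStorageError`, `LegacyStorage` and `InMemoryStorage` are hypothetical stand-ins. The default fails closed, so a storage that never implemented the wipe cannot make a clear-all call look successful while tokens stay on the device.

```swift
import Foundation

// Stand-in protocol (hypothetical); the two requirements mirror the
// signatures visible in this PR.
protocol TokenStorage {
    func deleteEntry(forKey key: String) -> Bool
    func deleteAllEntries() throws
}

enum TokenStorageError: Error { case deleteAllNotImplemented }  // hypothetical

extension TokenStorage {
    // Default keeps older conformers compiling but never reports a wipe that
    // did not happen: it traps in debug builds and throws in release builds.
    func deleteAllEntries() throws {
        assertionFailure("\(type(of: self)) must implement deleteAllEntries()")
        throw TokenStorageError.deleteAllNotImplemented
    }
}

// Conformer written before the requirement existed; it inherits the default.
struct LegacyStorage: TokenStorage {
    func deleteEntry(forKey key: String) -> Bool { false }
}

// Migrated conformer that wipes every entry it holds.
final class InMemoryStorage: TokenStorage {
    private var entries: [String: Data] = [:]
    private let lock = NSLock()
    func setEntry(_ data: Data, forKey key: String) {
        lock.lock(); defer { lock.unlock() }
        entries[key] = data
    }
    func deleteEntry(forKey key: String) -> Bool {
        lock.lock(); defer { lock.unlock() }
        return entries.removeValue(forKey: key) != nil
    }
    func deleteAllEntries() throws {
        lock.lock(); defer { lock.unlock() }
        entries.removeAll()  // already-empty storage is a no-op, not an error
    }
    var isEmpty: Bool { lock.lock(); defer { lock.unlock() }; return entries.isEmpty }
}

let storage = InMemoryStorage()
storage.setEntry(Data("constructed-token".utf8), forKey: "credentials")  // constructed value
try storage.deleteAllEntries()
try storage.deleteAllEntries()  // second call on empty storage must not throw
precondition(storage.isEmpty, "wipe left entries behind")
```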

Contributor

@sanchitmehtagit sanchitmehtagit left a comment


LGTM with 1 nit

@utkrishtsahu utkrishtsahu merged commit 26dc2b1 into develop/v3.0 Mar 24, 2026
16 of 18 checks passed
@utkrishtsahu utkrishtsahu deleted the SDK-7983-Add-clearAll-API-to-CredentialsManager branch March 24, 2026 04:54