Skip to content

feat: add clearAll() API to CredentialsManager and deleteAllEntries() method CredentialsStorage#1116

Merged
utkrishtsahu merged 6 commits intodevelop/v3.0from
SDK-7983-Add-clearAll-API-to-CredentialsManager
Mar 24, 2026
Merged

feat: add clearAll() API to CredentialsManager and deleteAllEntries() method CredentialsStorage#1116
utkrishtsahu merged 6 commits intodevelop/v3.0from
SDK-7983-Add-clearAll-API-to-CredentialsManager

Conversation

@utkrishtsahu
Copy link
Copy Markdown

@utkrishtsahu utkrishtsahu commented Mar 13, 2026

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

📋 Changes

Added a new clearAll() throws API to CredentialsManager and a new deleteAllEntries() throws method to the CredentialsStorage protocol.

Types and methods added:

  • CredentialsStorage.deleteAllEntries() throws — New protocol requirement that deletes all storage entries. The SimpleKeychain extension implements this by calling SimpleKeychain.deleteAll().
  • CredentialsManager.clearAll() throws — New public method that removes all keychain entries managed by the Credentials Manager and resets the biometric authentication session. This differs from the existing clear() method, which only removes the default credentials entry.

Usage:

do {
    try credentialsManager.clearAll()
} catch {
    print("Failed to clear all credentials: \(error)")
}

Migration guide: Updated V3_MIGRATION_GUIDE.md with documentation for both new APIs, including migration examples for custom CredentialsStorage implementations.

📎 References

SDK-7983

🎯 Testing

Unit tests (3 new tests added to CredentialsManagerSpec):

Should clear all credentials from keychain — Stores credentials, calls clearAll(), verifies hasValid() returns false
Should not throw when keychain is already empty — Calls clearAll() on empty storage, verifies no error is thrown
Should throw when storage fails — Uses a mock storage that throws on deleteAllEntries(), verifies the error propagates
Manual testing (sample app on iPhone 17 Pro simulator):

Manual(Emulator)
Launched the app → checkAuthentication confirmed no credentials in keychain
Logged in via Web Auth → Verified credentials (access token, ID token, refresh token) were stored in keychain via CredentialsManager -> SimpleKeychain
Tapped "Clear All Credentials" → Verified SimpleKeychain.deleteAll() was called, all entries removed, biometric session reset, hasValid() = false
Tapped "Clear All Credentials" on empty keychain → Verified no error thrown, operation succeeds gracefully

@utkrishtsahu utkrishtsahu requested a review from a team as a code owner March 13, 2026 03:49
@utkrishtsahu utkrishtsahu changed the title feat: add clearAll() API to CredentialsManager and deleteAllEntries() to CredentialsStore feat: add clearAll() API to CredentialsManager Mar 13, 2026
@utkrishtsahu utkrishtsahu changed the title feat: add clearAll() API to CredentialsManager feat: add clearAll() API to CredentialsManager and deleteAllEntries() method CredentialsStorage Mar 13, 2026
@pmathew92 pmathew92 requested a review from Copilot March 13, 2026 05:48
Copilot AI reviewed Mar 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new “clear everything” capability to Auth0.swift’s Credentials Manager by extending the storage abstraction and documenting the change for v3 migration.

Changes:

  • Add CredentialsManager.clearAll() throws to wipe all stored credential entries and reset the biometric session.
  • Extend CredentialsStorage with deleteAllEntries() throws, including a SimpleKeychain implementation.
  • Add test coverage and v3 migration guide entries for the new APIs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
V3_MIGRATION_GUIDE.md Documents the new clearAll / deleteAllEntries APIs and migration impact.
Auth0Tests/CredentialsManagerSpec.swift Adds specs verifying clearAll() behavior and updates mocks for the new protocol requirement.
Auth0/CredentialsStorage.swift Extends the storage protocol and implements deleteAllEntries() for SimpleKeychain.
Auth0/CredentialsManager.swift Introduces clearAll() that resets biometric session and delegates to storage wipe.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Auth0/CredentialsManager.swift Outdated
Comment on lines +184 to +200
/// Clears all credentials stored in the Keychain, including the main credentials and any API credentials
/// for all audiences.
///
/// ## Usage
///
/// ```swift
/// try credentialsManager.clearAll()
/// ```
///
/// - Throws: An error when the delete operation fails.
public func clearAll() throws {
#if WEB_AUTH_PLATFORM
self.biometricSession.lock.lock()
self.biometricSession.lastBiometricAuthTime = self.biometricSession.noSession
self.biometricSession.lock.unlock()
#endif
try self.storage.deleteAllEntries()
Auth0/CredentialsStorage.swift Outdated
/// - Returns: If the entry was deleted.
func deleteEntry(forKey key: String) -> Bool

/// Deletes all storage entries.
V3_MIGRATION_GUIDE.md Outdated

**New method:** `clearAll() throws` has been added to `CredentialsManager`.

This method removes **all** credentials stored by the Credentials Manager from the Keychain, including the default credentials entry, any API credentials stored via `store(apiCredentials:)`, and any SSO credentials. It also resets the biometric authentication session (if biometric authentication was enabled).
@sanchitmehtagit sanchitmehtagit added Swift v3.0 This label depicts this feature is part of Swift 3.0 review:small Small review labels Mar 13, 2026
sanchitmehtagit
sanchitmehtagit reviewed Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sanchitmehtagit sanchitmehtagit left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good however, We should test following flows if not tested already

  1. Happy Case: We have only credentials and no APICredentials and then it calls clearAll() API, and then it calls retrieveCredentials(scope) does it throw the correct error?
  2. MRRT flow and calling clear All and then we call following apis
  • apiCredentials(forAudience) API, does it throw correct error.
  • store(apiCredentials) , whats behavior in this

NandanPrabhu
NandanPrabhu reviewed Mar 16, 2026
View reviewed changes
V3_MIGRATION_GUIDE.md Outdated

```swift
// v2 - CredentialsStorage protocol
class MyCustomStorage: CredentialsStorage {
Copy link
Copy Markdown
Contributor

@NandanPrabhu NandanPrabhu Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MyCustomCredentialStorage

Copy link
Copy Markdown
Author

@utkrishtsahu utkrishtsahu Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

renamed MyCustomStorage to MyCustomCredentialStorage

@utkrishtsahu
Copy link
Copy Markdown
Author

utkrishtsahu commented Mar 16, 2026

Changes look good however, We should test following flows if not tested already

  1. Happy Case: We have only credentials and no APICredentials and then it calls clearAll() API, and then it calls retrieveCredentials(scope) does it throw the correct error?
  2. MRRT flow and calling clear All and then we call following apis
  • apiCredentials(forAudience) API, does it throw correct error.
  • store(apiCredentials) , whats behavior in this

@sanchitmehtagit
Flow 1 (Happy case):
Login → clearAll() → credentials() → Correctly throws .noCredentials

Flow 2 (MRRT + clearAll):

apiCredentials(forAudience:) after clearAll() → Correctly throws .noCredentials error
store(apiCredentials:) after clearAll() → Returns true, storage works normally

Console logs confirming all flows:


[Flow 1] clearAll() SUCCESS
[Flow 1] EXPECTED: credentials() threw error: No credentials were found in the store.
[Flow 1] PASS - Correctly received error after clearAll()

[Flow 2] EXPECTED: apiCredentials() threw error: No credentials were found in the store.
[Flow 2] PASS - Correctly received error after clearAll()
[Flow 2] store(apiCredentials:) after clearAll = true
[Flow 2] PASS - Can store new API credentials after clearAll()

sanchitmehtagit
sanchitmehtagit previously approved these changes Mar 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sanchitmehtagit sanchitmehtagit left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM,
nit:lets add default implementation for deleteAllEntries() API with assertion as discussed for better DX and making it non breaking change

sanchitmehtagit
sanchitmehtagit previously approved these changes Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sanchitmehtagit sanchitmehtagit left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with 1 nit

@utkrishtsahu utkrishtsahu merged commit 26dc2b1 into develop/v3.0 Mar 24, 2026
16 of 18 checks passed
@utkrishtsahu utkrishtsahu deleted the SDK-7983-Add-clearAll-API-to-CredentialsManager branch March 24, 2026 04:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NandanPrabhu NandanPrabhu NandanPrabhu left review comments

Copilot code review Copilot Copilot left review comments

@sanchitmehtagit sanchitmehtagit sanchitmehtagit approved these changes

Assignees

No one assigned

Labels

review:small Small review Swift v3.0 This label depicts this feature is part of Swift 3.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@utkrishtsahu @NandanPrabhu @sanchitmehtagit