feat(glean): Add glean probe for passkey support

Because:

* We want to know if passkey support is sufficient to justify implementation

This commit:

* Adds a glean event to sample capability support for passkey/WebAuthn, including PRF (Pseudo-Random Function) extension support and minimal device data.
* Adds a helper function to collect the data and emit the event.

Closes #FXA-12640

Author: vpomerleau

packages/fxa-content-server/server/lib/beta-settings.js

@@ -104,6 +104,11 @@ const settingsConfig = {
   glean: { ...config.get('glean'), appDisplayVersion: config.get('version') },
   redirectAllowlist: config.get('redirect_check.allow_list'),
   sendFxAStatusOnSettings: config.get('featureFlags.sendFxAStatusOnSettings'),
+  metrics: {
+    webauthnCapabilitiesSampleRate: config.get(
+      'metrics.webauthnCapabilitiesSampleRate'
+    ),
+  },
   showReactApp: {
     signUpRoutes: config.get('showReactApp.signUpRoutes'),
     signInRoutes: config.get('showReactApp.signInRoutes'),

packages/fxa-content-server/server/lib/configuration.js

@@ -83,6 +83,14 @@ const conf = (module.exports = convict({
       env: 'DISABLE_CLIENT_METRICS_STDERR',
     },
   },
+  metrics: {
+    webauthnCapabilitiesSampleRate: {
+      default: 0.1,
+      doc: 'Sampling rate (0..1) for WebAuthn capabilities probe in Settings',
+      env: 'WEBAUTHN_CAPABILITIES_SAMPLE_RATE',
+      format: Number,
+    },
+  },
   client_sessions: {
     cookie_name: 'session',
     duration: {
@@ -1044,12 +1052,12 @@ const conf = (module.exports = convict({
       env: 'SUBSCRIPTIONS_FIRESTORE_CONFIGS_ENABLED',
       format: Boolean,
     },
-    usePaymentsNextSubscriptionManagement : {
+    usePaymentsNextSubscriptionManagement: {
       default: true,
       doc: 'Whether to redirect to the new Subscription Management Page',
       env: 'FEATURE_FLAGS_PAYMENTS_NEXT_SUBSCRIPTION_MANAGEMENT',
       format: Boolean,
-    }
+    },
   },
   sync_tokenserver_url: {
     default: 'http://localhost:8000/token',

packages/fxa-content-server/server/lib/routes/react-app/route-definition-index.js

@@ -91,6 +91,11 @@ function getIndexRouteDefinition(config) {
     paymentsNextHostedUrl: PAYMENTS_NEXT_HOSTED_URL,
     maxEventOffset: MAX_EVENT_OFFSET,
     env: ENV,
+    metrics: {
+      webauthnCapabilitiesSampleRate: config.get(
+        'metrics.webauthnCapabilitiesSampleRate'
+      ),
+    },
     isCoppaEnabled: COPPA_ENABLED,
     isPromptNoneEnabled: PROMPT_NONE_ENABLED,
     googleAuthConfig: GOOGLE_AUTH_CONFIG,

packages/fxa-settings/src/components/App/index.tsx

@@ -42,6 +42,7 @@ import {
 } from '../../models/contexts/SettingsContext';
 
 import sentryMetrics from 'fxa-shared/sentry/browser';
+import { maybeRecordWebAuthnCapabilities } from '../../lib/webauthnCapabilitiesProbe';
 
 // Components
 import LoadingSpinner from 'fxa-react/components/LoadingSpinner';
@@ -298,6 +299,16 @@ export const App = ({
     );
   }, [metricsEnabled, integration, config.glean, config.version, metricsFlow]);
 
+  // Fire the WebAuthn capability probe once at app level after metrics are initialized.
+  useEffect(() => {
+    if (!metricsEnabled) {
+      return;
+    }
+    maybeRecordWebAuthnCapabilities(
+      config.metrics?.webauthnCapabilitiesSampleRate
+    );
+  }, [metricsEnabled, config.metrics?.webauthnCapabilitiesSampleRate]);
+
   useEffect(() => {
     if (!metricsEnabled) {
       return;

packages/fxa-settings/src/lib/config.ts

@@ -23,6 +23,7 @@ export interface Config {
       enabled: boolean;
       endpoint: string;
     };
+    webauthnCapabilitiesSampleRate?: number;
   };
   sentry: {
     dsn: string;
@@ -123,6 +124,7 @@ export function getDefault() {
     marketingEmailPreferencesUrl: 'https://basket.mozilla.org/fxa/',
     metrics: {
       navTiming: { enabled: false, endpoint: '/check-your-metrics-config' },
+      webauthnCapabilitiesSampleRate: 0.1,
     },
     mfa: {
       otp: {

packages/fxa-settings/src/lib/glean/index.ts

@@ -50,6 +50,7 @@ import * as sync from 'fxa-shared/metrics/glean/web/sync';
 import * as standard from 'fxa-shared/metrics/glean/web/standard';
 import * as utm from 'fxa-shared/metrics/glean/web/utm';
 import * as entrypointQuery from 'fxa-shared/metrics/glean/web/entrypoint';
+import * as webauthn from 'fxa-shared/metrics/glean/web/webauthn';
 import { Integration } from '../../models';
 import { MetricsFlow } from '../metrics-flow';
 import { currentAccount } from '../../lib/cache';
@@ -656,6 +657,29 @@ const recordEventMetric = (
     case 'third_party_auth_set_password_success':
       thirdPartyAuthSetPassword.success.record();
       break;
+    case 'webauthn_capabilities': {
+      const e = (gleanPingMetrics as any).event || {};
+      const extras: Record<string, any> = {};
+      if (typeof e['supported'] === 'boolean')
+        extras.supported = e['supported'];
+      if (typeof e['ppa'] === 'boolean') extras.ppa = e['ppa'];
+      if (typeof e['cg'] === 'boolean') extras.cg = e['cg'];
+      if (typeof e['rel'] === 'boolean') extras.rel = e['rel'];
+      if (typeof e['hyb'] === 'boolean') extras.hyb = e['hyb'];
+      if (typeof e['uvpa'] === 'boolean') extras.uvpa = e['uvpa'];
+      if (typeof e['prf'] === 'boolean') extras.prf = e['prf'];
+      if (typeof e['error_reason'] === 'string')
+        extras.error_reason = e['error_reason'];
+      if (typeof e['os_family'] === 'string') extras.os_family = e['os_family'];
+      if (typeof e['os_major'] === 'string') extras.os_major = e['os_major'];
+      if (typeof e['browser_family'] === 'string')
+        extras.browser_family = e['browser_family'];
+      if (typeof e['browser_major'] === 'string')
+        extras.browser_major = e['browser_major'];
+      if (typeof e['cpu_arm'] === 'boolean') extras.cpu_arm = e['cpu_arm'];
+      webauthn.capabilities.record(extras);
+      break;
+    }
   }
 };
 

packages/fxa-settings/src/lib/webauthnCapabilitiesProbe.test.ts

@@ -0,0 +1,120 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { maybeRecordWebAuthnCapabilities } from './webauthnCapabilitiesProbe';
+
+// Mock glean wrapper used by the probe
+jest.mock('./glean', () => ({
+  __esModule: true,
+  default: {
+    getEnabled: jest.fn(),
+    webauthn: {
+      capabilities: jest.fn(),
+    },
+  },
+}));
+
+const GleanMetrics = require('./glean').default as {
+  getEnabled: jest.Mock;
+  webauthn: { capabilities: jest.Mock };
+};
+
+function setUA(ua: string) {
+  Object.defineProperty(window.navigator, 'userAgent', {
+    value: ua,
+    configurable: true,
+  });
+}
+
+function setMathRandom(value: number) {
+  jest.spyOn(Math, 'random').mockReturnValue(value);
+}
+
+async function flush() {
+  await Promise.resolve();
+  jest.runAllTimers();
+}
+
+describe('webauthnCapabilitiesProbe', () => {
+  beforeEach(() => {
+    jest.useFakeTimers();
+    localStorage.clear();
+    jest.resetAllMocks();
+    GleanMetrics.getEnabled.mockReturnValue(true);
+    setUA(
+      'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36'
+    );
+    (global as any).PublicKeyCredential = undefined;
+  });
+
+  afterEach(() => {
+    jest.useRealTimers();
+  });
+
+  it('does nothing when telemetry disabled', () => {
+    GleanMetrics.getEnabled.mockReturnValue(false);
+    setMathRandom(0.01);
+    maybeRecordWebAuthnCapabilities(1);
+    expect(GleanMetrics.webauthn.capabilities).not.toHaveBeenCalled();
+  });
+
+  it('samples ~10%: skips when random > 0.1', () => {
+    setMathRandom(0.5);
+    maybeRecordWebAuthnCapabilities(0.1);
+    expect(GleanMetrics.webauthn.capabilities).not.toHaveBeenCalled();
+  });
+
+  it('dedupes for 30 days when key present', () => {
+    setMathRandom(0.01);
+    localStorage.setItem('webauthn:caps:v1', String(Date.now()));
+    maybeRecordWebAuthnCapabilities(1);
+    expect(GleanMetrics.webauthn.capabilities).not.toHaveBeenCalled();
+  });
+
+  it('emits supported=false when capability API missing', async () => {
+    setMathRandom(0.01);
+    maybeRecordWebAuthnCapabilities(1);
+    await flush();
+    expect(GleanMetrics.webauthn.capabilities).toHaveBeenCalledTimes(1);
+    const arg = GleanMetrics.webauthn.capabilities.mock.calls[0][0];
+    expect(arg.event.supported).toBe(false);
+    expect(typeof arg.event.error_reason).toBe('string');
+  });
+
+  it('emits supported=true with flags and device buckets', async () => {
+    setMathRandom(0.01);
+    (global as any).PublicKeyCredential = {
+      getClientCapabilities: jest.fn().mockResolvedValue({
+        passkeyPlatformAuthenticator: true,
+        conditionalGet: true,
+        relatedOrigins: false,
+        hybridTransport: true,
+        userVerifyingPlatformAuthenticator: true,
+        'extension:prf': false,
+      }),
+    };
+
+    maybeRecordWebAuthnCapabilities(1);
+    await flush();
+
+    expect(
+      (global as any).PublicKeyCredential.getClientCapabilities
+    ).toHaveBeenCalled();
+    expect(GleanMetrics.webauthn.capabilities).toHaveBeenCalledTimes(1);
+    const { event } = GleanMetrics.webauthn.capabilities.mock.calls[0][0];
+    expect(event.supported).toBe(true);
+    expect(event.ppa).toBe(true);
+    expect(event.cg).toBe(true);
+    expect(event.rel).toBe(false);
+    expect(event.hyb).toBe(true);
+    expect(event.uvpa).toBe(true);
+    expect(event.prf).toBe(false);
+    // device buckets derived from UA
+    expect(event.os_family).toBe('windows');
+    expect(event.os_major).toBe('10');
+    expect(event.browser_family).toBe('chrome');
+    expect(event.browser_major).toBe('127');
+    expect(typeof event.cpu_arm).toBe('boolean');
+  });
+});