Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 1166 insertions, 0 deletions

diff --git a/dom/webauthn/MacOSWebAuthnService.mm b/dom/webauthn/MacOSWebAuthnService.mm
new file mode 100644
index 0000000000..79b9030541
--- /dev/null
+++ b/dom/webauthn/MacOSWebAuthnService.mm
@@ -0,0 +1,1166 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#import <AuthenticationServices/AuthenticationServices.h>
+
+#include "MacOSWebAuthnService.h"
+
+#include "CFTypeRefPtr.h"
+#include "WebAuthnAutoFillEntry.h"
+#include "WebAuthnEnumStrings.h"
+#include "WebAuthnResult.h"
+#include "WebAuthnTransportIdentifiers.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "mozilla/dom/CanonicalBrowsingContext.h"
+#include "nsCocoaUtils.h"
+#include "nsIWebAuthnPromise.h"
+#include "nsThreadUtils.h"
+
+// The documentation for the platform APIs used here can be found at:
+// https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys
+
+namespace {
+static mozilla::LazyLogModule gMacOSWebAuthnServiceLog("macoswebauthnservice");
+}  // namespace
+
+namespace mozilla::dom {
+class API_AVAILABLE(macos(13.3)) MacOSWebAuthnService;
+}  // namespace mozilla::dom
+
+// The following ASC* declarations are from the private framework
+// AuthenticationServicesCore. The full definitions can be found in WebKit's
+// source at Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h.
+// Overriding ASAuthorizationController's _requestContextWithRequests is
+// currently the only way to provide the right information to the macOS
+// WebAuthn API (namely, the clientDataHash for requests made to physical
+// tokens).
+
+NS_ASSUME_NONNULL_BEGIN
+
+@class ASCPublicKeyCredentialDescriptor;
+@interface ASCPublicKeyCredentialDescriptor : NSObject <NSSecureCoding>
+- (instancetype)initWithCredentialID:(NSData*)credentialID
+                          transports:
+                              (nullable NSArray<NSString*>*)allowedTransports;
+@end
+
+@protocol ASCPublicKeyCredentialCreationOptions
+@property(nonatomic, copy) NSData* clientDataHash;
+@property(nonatomic, nullable, copy) NSData* challenge;
+@property(nonatomic, copy)
+    NSArray<ASCPublicKeyCredentialDescriptor*>* excludedCredentials;
+@end
+
+@protocol ASCPublicKeyCredentialAssertionOptions <NSCopying>
+@property(nonatomic, copy) NSData* clientDataHash;
+@end
+
+@protocol ASCCredentialRequestContext
+@property(nonatomic, nullable, copy) id<ASCPublicKeyCredentialCreationOptions>
+    platformKeyCredentialCreationOptions;
+@property(nonatomic, nullable, copy) id<ASCPublicKeyCredentialCreationOptions>
+    securityKeyCredentialCreationOptions;
+@property(nonatomic, nullable, copy) id<ASCPublicKeyCredentialAssertionOptions>
+    platformKeyCredentialAssertionOptions;
+@property(nonatomic, nullable, copy) id<ASCPublicKeyCredentialAssertionOptions>
+    securityKeyCredentialAssertionOptions;
+@end
+
+@interface ASAuthorizationController (Secrets)
+- (id<ASCCredentialRequestContext>)
+    _requestContextWithRequests:(NSArray<ASAuthorizationRequest*>*)requests
+                          error:(NSError**)outError;
+@end
+
+NSArray<NSString*>* TransportsByteToTransportsArray(const uint8_t aTransports)
+    API_AVAILABLE(macos(13.3)) {
+  NSMutableArray<NSString*>* transportsNS = [[NSMutableArray alloc] init];
+  if ((aTransports & MOZ_WEBAUTHN_AUTHENTICATOR_TRANSPORT_ID_USB) ==
+      MOZ_WEBAUTHN_AUTHENTICATOR_TRANSPORT_ID_USB) {
+    [transportsNS
+        addObject:
+            ASAuthorizationSecurityKeyPublicKeyCredentialDescriptorTransportUSB];
+  }
+  if ((aTransports & MOZ_WEBAUTHN_AUTHENTICATOR_TRANSPORT_ID_NFC) ==
+      MOZ_WEBAUTHN_AUTHENTICATOR_TRANSPORT_ID_NFC) {
+    [transportsNS
+        addObject:
+            ASAuthorizationSecurityKeyPublicKeyCredentialDescriptorTransportNFC];
+  }
+  if ((aTransports & MOZ_WEBAUTHN_AUTHENTICATOR_TRANSPORT_ID_BLE) ==
+      MOZ_WEBAUTHN_AUTHENTICATOR_TRANSPORT_ID_BLE) {
+    [transportsNS
+        addObject:
+            ASAuthorizationSecurityKeyPublicKeyCredentialDescriptorTransportBluetooth];
+  }
+  // TODO (bug 1859367): the platform doesn't have a definition for "internal"
+  // transport. When it does, this code should be updated to handle it.
+  return transportsNS;
+}
+
+NSArray* CredentialListsToCredentialDescriptorArray(
+    const nsTArray<nsTArray<uint8_t>>& aCredentialList,
+    const nsTArray<uint8_t>& aCredentialListTransports,
+    const Class credentialDescriptorClass) API_AVAILABLE(macos(13.3)) {
+  MOZ_ASSERT(aCredentialList.Length() == aCredentialListTransports.Length());
+  NSMutableArray* credentials = [[NSMutableArray alloc] init];
+  for (size_t i = 0; i < aCredentialList.Length(); i++) {
+    const nsTArray<uint8_t>& credentialId = aCredentialList[i];
+    const uint8_t& credentialTransports = aCredentialListTransports[i];
+    NSData* credentialIdNS = [NSData dataWithBytes:credentialId.Elements()
+                                            length:credentialId.Length()];
+    NSArray<NSString*>* credentialTransportsNS =
+        TransportsByteToTransportsArray(credentialTransports);
+    NSObject* credential = [[credentialDescriptorClass alloc]
+        initWithCredentialID:credentialIdNS
+                  transports:credentialTransportsNS];
+    [credentials addObject:credential];
+  }
+  return credentials;
+}
+
+// MacOSAuthorizationController is an ASAuthorizationController that overrides
+// _requestContextWithRequests so that the implementation can set some options
+// that aren't directly settable using the public API.
+API_AVAILABLE(macos(13.3))
+@interface MacOSAuthorizationController : ASAuthorizationController
+@end
+
+@implementation MacOSAuthorizationController {
+  nsTArray<uint8_t> mClientDataHash;
+  nsTArray<nsTArray<uint8_t>> mCredentialList;
+  nsTArray<uint8_t> mCredentialListTransports;
+}
+
+- (void)setRegistrationOptions:
+    (id<ASCPublicKeyCredentialCreationOptions>)registrationOptions {
+  registrationOptions.clientDataHash =
+      [NSData dataWithBytes:mClientDataHash.Elements()
+                     length:mClientDataHash.Length()];
+  // Unset challenge so that the implementation uses clientDataHash (the API
+  // returns an error otherwise).
+  registrationOptions.challenge = nil;
+  const Class publicKeyCredentialDescriptorClass =
+      NSClassFromString(@"ASCPublicKeyCredentialDescriptor");
+  NSArray<ASCPublicKeyCredentialDescriptor*>* excludedCredentials =
+      CredentialListsToCredentialDescriptorArray(
+          mCredentialList, mCredentialListTransports,
+          publicKeyCredentialDescriptorClass);
+  if ([excludedCredentials count] > 0) {
+    registrationOptions.excludedCredentials = excludedCredentials;
+  }
+}
+
+- (void)stashClientDataHash:(nsTArray<uint8_t>&&)clientDataHash
+              andCredentialList:(nsTArray<nsTArray<uint8_t>>&&)credentialList
+    andCredentialListTransports:(nsTArray<uint8_t>&&)credentialListTransports {
+  mClientDataHash = std::move(clientDataHash);
+  mCredentialList = std::move(credentialList);
+  mCredentialListTransports = std::move(credentialListTransports);
+}
+
+- (id<ASCCredentialRequestContext>)
+    _requestContextWithRequests:(NSArray<ASAuthorizationRequest*>*)requests
+                          error:(NSError**)outError {
+  id<ASCCredentialRequestContext> context =
+      [super _requestContextWithRequests:requests error:outError];
+
+  if (context.platformKeyCredentialCreationOptions) {
+    [self setRegistrationOptions:context.platformKeyCredentialCreationOptions];
+  }
+  if (context.securityKeyCredentialCreationOptions) {
+    [self setRegistrationOptions:context.securityKeyCredentialCreationOptions];
+  }
+
+  if (context.platformKeyCredentialAssertionOptions) {
+    id<ASCPublicKeyCredentialAssertionOptions> assertionOptions =
+        context.platformKeyCredentialAssertionOptions;
+    assertionOptions.clientDataHash =
+        [NSData dataWithBytes:mClientDataHash.Elements()
+                       length:mClientDataHash.Length()];
+    context.platformKeyCredentialAssertionOptions =
+        [assertionOptions copyWithZone:nil];
+  }
+  if (context.securityKeyCredentialAssertionOptions) {
+    id<ASCPublicKeyCredentialAssertionOptions> assertionOptions =
+        context.securityKeyCredentialAssertionOptions;
+    assertionOptions.clientDataHash =
+        [NSData dataWithBytes:mClientDataHash.Elements()
+                       length:mClientDataHash.Length()];
+    context.securityKeyCredentialAssertionOptions =
+        [assertionOptions copyWithZone:nil];
+  }
+
+  return context;
+}
+@end
+
+// MacOSAuthenticatorRequestDelegate is an ASAuthorizationControllerDelegate,
+// which can be set as an ASAuthorizationController's delegate to be called
+// back when a request for a platform authenticator attestation or assertion
+// response completes either with an attestation or assertion
+// (didCompleteWithAuthorization) or with an error (didCompleteWithError).
+API_AVAILABLE(macos(13.3))
+@interface MacOSAuthenticatorRequestDelegate
+    : NSObject <ASAuthorizationControllerDelegate>
+- (void)setCallback:(mozilla::dom::MacOSWebAuthnService*)callback;
+@end
+
+// MacOSAuthenticatorPresentationContextProvider is an
+// ASAuthorizationControllerPresentationContextProviding, which can be set as
+// an ASAuthorizationController's presentationContextProvider, and provides a
+// presentation anchor for the ASAuthorizationController. Basically, this
+// provides the API a handle to the window that made the request.
+API_AVAILABLE(macos(13.3))
+@interface MacOSAuthenticatorPresentationContextProvider
+    : NSObject <ASAuthorizationControllerPresentationContextProviding>
+@property(nonatomic, strong) NSWindow* window;
+@end
+
+namespace mozilla::dom {
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wnullability-completeness"
+class API_AVAILABLE(macos(13.3)) MacOSWebAuthnService final
+    : public nsIWebAuthnService {
+ public:
+  MacOSWebAuthnService()
+      : mTransactionState(Nothing(),
+                          "MacOSWebAuthnService::mTransactionState") {}
+
+  NS_DECL_THREADSAFE_ISUPPORTS
+  NS_DECL_NSIWEBAUTHNSERVICE
+
+  void FinishMakeCredential(const nsTArray<uint8_t>& aRawAttestationObject,
+                            const nsTArray<uint8_t>& aCredentialId,
+                            const nsTArray<nsString>& aTransports,
+                            const Maybe<nsString>& aAuthenticatorAttachment);
+
+  void FinishGetAssertion(const nsTArray<uint8_t>& aCredentialId,
+                          const nsTArray<uint8_t>& aSignature,
+                          const nsTArray<uint8_t>& aAuthenticatorData,
+                          const nsTArray<uint8_t>& aUserHandle,
+                          const Maybe<nsString>& aAuthenticatorAttachment);
+  void ReleasePlatformResources();
+  void AbortTransaction(nsresult aError);
+
+ private:
+  ~MacOSWebAuthnService() = default;
+
+  void PerformRequests(NSArray<ASAuthorizationRequest*>* aRequests,
+                       nsTArray<uint8_t>&& aClientDataHash,
+                       nsTArray<nsTArray<uint8_t>>&& aCredentialList,
+                       nsTArray<uint8_t>&& aCredentialListTransports,
+                       uint64_t aBrowsingContextId);
+
+  struct TransactionState {
+    uint64_t transactionId;
+    uint64_t browsingContextId;
+    Maybe<RefPtr<nsIWebAuthnSignArgs>> pendingSignArgs;
+    Maybe<RefPtr<nsIWebAuthnSignPromise>> pendingSignPromise;
+    Maybe<nsTArray<RefPtr<nsIWebAuthnAutoFillEntry>>> autoFillEntries;
+  };
+
+  using TransactionStateMutex = DataMutex<Maybe<TransactionState>>;
+  void DoGetAssertion(Maybe<nsTArray<uint8_t>>&& aSelectedCredentialId,
+                      const TransactionStateMutex::AutoLock& aGuard);
+
+  TransactionStateMutex mTransactionState;
+
+  // Main thread only:
+  ASAuthorizationWebBrowserPublicKeyCredentialManager* mCredentialManager = nil;
+  nsCOMPtr<nsIWebAuthnRegisterPromise> mRegisterPromise;
+  nsCOMPtr<nsIWebAuthnSignPromise> mSignPromise;
+  MacOSAuthorizationController* mAuthorizationController = nil;
+  MacOSAuthenticatorRequestDelegate* mRequestDelegate = nil;
+  MacOSAuthenticatorPresentationContextProvider* mPresentationContextProvider =
+      nil;
+};
+#pragma clang diagnostic pop
+
+}  // namespace mozilla::dom
+
+nsTArray<uint8_t> NSDataToArray(NSData* data) {
+  nsTArray<uint8_t> array(reinterpret_cast<const uint8_t*>(data.bytes),
+                          data.length);
+  return array;
+}
+
+@implementation MacOSAuthenticatorRequestDelegate {
+  RefPtr<mozilla::dom::MacOSWebAuthnService> mCallback;
+}
+
+- (void)setCallback:(mozilla::dom::MacOSWebAuthnService*)callback {
+  mCallback = callback;
+}
+
+- (void)authorizationController:(ASAuthorizationController*)controller
+    didCompleteWithAuthorization:(ASAuthorization*)authorization {
+  if ([authorization.credential
+          conformsToProtocol:
+              @protocol(ASAuthorizationPublicKeyCredentialRegistration)]) {
+    MOZ_LOG(gMacOSWebAuthnServiceLog, mozilla::LogLevel::Debug,
+            ("MacOSAuthenticatorRequestDelegate::didCompleteWithAuthorization: "
+             "got registration"));
+    id<ASAuthorizationPublicKeyCredentialRegistration> credential =
+        (id<ASAuthorizationPublicKeyCredentialRegistration>)
+            authorization.credential;
+    nsTArray<uint8_t> rawAttestationObject(
+        NSDataToArray(credential.rawAttestationObject));
+    nsTArray<uint8_t> credentialId(NSDataToArray(credential.credentialID));
+    nsTArray<nsString> transports;
+    mozilla::Maybe<nsString> authenticatorAttachment;
+    if ([credential isKindOfClass:
+                        [ASAuthorizationPlatformPublicKeyCredentialRegistration
+                            class]]) {
+      transports.AppendElement(u"internal"_ns);
+#if defined(MAC_OS_VERSION_13_5) && \
+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_13_5
+      if (__builtin_available(macos 13.5, *)) {
+        ASAuthorizationPlatformPublicKeyCredentialRegistration*
+            platformCredential =
+                (ASAuthorizationPlatformPublicKeyCredentialRegistration*)
+                    credential;
+        switch (platformCredential.attachment) {
+          case ASAuthorizationPublicKeyCredentialAttachmentCrossPlatform:
+            authenticatorAttachment.emplace(u"cross-platform"_ns);
+            break;
+          case ASAuthorizationPublicKeyCredentialAttachmentPlatform:
+            authenticatorAttachment.emplace(u"platform"_ns);
+            break;
+          default:
+            break;
+        }
+      }
+#endif
+    } else {
+      authenticatorAttachment.emplace(u"cross-platform"_ns);
+    }
+    mCallback->FinishMakeCredential(rawAttestationObject, credentialId,
+                                    transports, authenticatorAttachment);
+  } else if ([authorization.credential
+                 conformsToProtocol:
+                     @protocol(ASAuthorizationPublicKeyCredentialAssertion)]) {
+    MOZ_LOG(gMacOSWebAuthnServiceLog, mozilla::LogLevel::Debug,
+            ("MacOSAuthenticatorRequestDelegate::didCompleteWithAuthorization: "
+             "got assertion"));
+    id<ASAuthorizationPublicKeyCredentialAssertion> credential =
+        (id<ASAuthorizationPublicKeyCredentialAssertion>)
+            authorization.credential;
+    nsTArray<uint8_t> credentialId(NSDataToArray(credential.credentialID));
+    nsTArray<uint8_t> signature(NSDataToArray(credential.signature));
+    nsTArray<uint8_t> rawAuthenticatorData(
+        NSDataToArray(credential.rawAuthenticatorData));
+    nsTArray<uint8_t> userHandle(NSDataToArray(credential.userID));
+    mozilla::Maybe<nsString> authenticatorAttachment;
+    if ([credential
+            isKindOfClass:[ASAuthorizationPlatformPublicKeyCredentialAssertion
+                              class]]) {
+#if defined(MAC_OS_VERSION_13_5) && \
+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_13_5
+      if (__builtin_available(macos 13.5, *)) {
+        ASAuthorizationPlatformPublicKeyCredentialAssertion*
+            platformCredential =
+                (ASAuthorizationPlatformPublicKeyCredentialAssertion*)
+                    credential;
+        switch (platformCredential.attachment) {
+          case ASAuthorizationPublicKeyCredentialAttachmentCrossPlatform:
+            authenticatorAttachment.emplace(u"cross-platform"_ns);
+            break;
+          case ASAuthorizationPublicKeyCredentialAttachmentPlatform:
+            authenticatorAttachment.emplace(u"platform"_ns);
+            break;
+          default:
+            break;
+        }
+      }
+#endif
+    } else {
+      authenticatorAttachment.emplace(u"cross-platform"_ns);
+    }
+    mCallback->FinishGetAssertion(credentialId, signature, rawAuthenticatorData,
+                                  userHandle, authenticatorAttachment);
+  } else {
+    MOZ_LOG(
+        gMacOSWebAuthnServiceLog, mozilla::LogLevel::Error,
+        ("MacOSAuthenticatorRequestDelegate::didCompleteWithAuthorization: "
+         "authorization.credential is neither registration nor assertion!"));
+    MOZ_ASSERT_UNREACHABLE(
+        "should have ASAuthorizationPublicKeyCredentialRegistration or "
+        "ASAuthorizationPublicKeyCredentialAssertion");
+  }
+  mCallback->ReleasePlatformResources();
+  mCallback = nullptr;
+}
+
+- (void)authorizationController:(ASAuthorizationController*)controller
+           didCompleteWithError:(NSError*)error {
+  nsAutoString errorDescription;
+  nsCocoaUtils::GetStringForNSString(error.localizedDescription,
+                                     errorDescription);
+  nsAutoString errorDomain;
+  nsCocoaUtils::GetStringForNSString(error.domain, errorDomain);
+  MOZ_LOG(gMacOSWebAuthnServiceLog, mozilla::LogLevel::Warning,
+          ("MacOSAuthenticatorRequestDelegate::didCompleteWithError: domain "
+           "'%s' code %ld (%s)",
+           NS_ConvertUTF16toUTF8(errorDomain).get(), error.code,
+           NS_ConvertUTF16toUTF8(errorDescription).get()));
+  nsresult rv = NS_ERROR_DOM_NOT_ALLOWED_ERR;
+  // For some reason, the error for "the credential used in a registration was
+  // on the exclude list" is in the "WKErrorDomain" domain with code 8, which
+  // is presumably WKErrorDuplicateCredential.
+  const NSInteger WKErrorDuplicateCredential = 8;
+  if (errorDomain.EqualsLiteral("WKErrorDomain") &&
+      error.code == WKErrorDuplicateCredential) {
+    rv = NS_ERROR_DOM_INVALID_STATE_ERR;
+  } else if (error.domain == ASAuthorizationErrorDomain) {
+    switch (error.code) {
+      case ASAuthorizationErrorCanceled:
+        rv = NS_ERROR_DOM_ABORT_ERR;
+        break;
+      case ASAuthorizationErrorFailed:
+        // The message is right, but it's not about indexeddb.
+        // See https://webidl.spec.whatwg.org/#constrainterror
+        rv = NS_ERROR_DOM_INDEXEDDB_CONSTRAINT_ERR;
+        break;
+      case ASAuthorizationErrorUnknown:
+        rv = NS_ERROR_DOM_UNKNOWN_ERR;
+        break;
+      default:
+        // rv already has a default value
+        break;
+    }
+  }
+  mCallback->AbortTransaction(rv);
+  mCallback = nullptr;
+}
+@end
+
+@implementation MacOSAuthenticatorPresentationContextProvider
+@synthesize window = window;
+
+- (ASPresentationAnchor)presentationAnchorForAuthorizationController:
+    (ASAuthorizationController*)controller {
+  return window;
+}
+@end
+
+namespace mozilla::dom {
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wnullability-completeness"
+// Given a browsingContextId, attempts to determine the NSWindow associated
+// with that browser.
+nsresult BrowsingContextIdToNSWindow(uint64_t browsingContextId,
+                                     NSWindow** window) {
+  *window = nullptr;
+  RefPtr<BrowsingContext> browsingContext(
+      BrowsingContext::Get(browsingContextId));
+  if (!browsingContext) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+  CanonicalBrowsingContext* canonicalBrowsingContext =
+      browsingContext->Canonical();
+  if (!canonicalBrowsingContext) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+  nsCOMPtr<nsIWidget> widget(
+      canonicalBrowsingContext->GetParentProcessWidgetContaining());
+  if (!widget) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+  *window = static_cast<NSWindow*>(widget->GetNativeData(NS_NATIVE_WINDOW));
+  return NS_OK;
+}
+#pragma clang diagnostic pop
+
+already_AddRefed<nsIWebAuthnService> NewMacOSWebAuthnServiceIfAvailable() {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  if (!StaticPrefs::security_webauthn_enable_macos_passkeys()) {
+    MOZ_LOG(
+        gMacOSWebAuthnServiceLog, LogLevel::Debug,
+        ("macOS platform support for webauthn (passkeys) disabled by pref"));
+    return nullptr;
+  }
+  // This code checks for the entitlement
+  // 'com.apple.developer.web-browser.public-key-credential', which must be
+  // true to be able to use the platform APIs.
+  CFTypeRefPtr<SecTaskRef> entitlementTask(
+      CFTypeRefPtr<SecTaskRef>::WrapUnderCreateRule(
+          SecTaskCreateFromSelf(nullptr)));
+  CFTypeRefPtr<CFBooleanRef> entitlementValue(
+      CFTypeRefPtr<CFBooleanRef>::WrapUnderCreateRule(
+          reinterpret_cast<CFBooleanRef>(SecTaskCopyValueForEntitlement(
+              entitlementTask.get(),
+              CFSTR("com.apple.developer.web-browser.public-key-credential"),
+              nullptr))));
+  if (!entitlementValue || !CFBooleanGetValue(entitlementValue.get())) {
+    MOZ_LOG(
+        gMacOSWebAuthnServiceLog, LogLevel::Warning,
+        ("entitlement com.apple.developer.web-browser.public-key-credential "
+         "not present: platform passkey APIs will not be available"));
+    return nullptr;
+  }
+  nsCOMPtr<nsIWebAuthnService> service(new MacOSWebAuthnService());
+  return service.forget();
+}
+
+void MacOSWebAuthnService::AbortTransaction(nsresult aError) {
+  MOZ_ASSERT(NS_IsMainThread());
+  if (mRegisterPromise) {
+    Unused << mRegisterPromise->Reject(aError);
+    mRegisterPromise = nullptr;
+  }
+  if (mSignPromise) {
+    Unused << mSignPromise->Reject(aError);
+    mSignPromise = nullptr;
+  }
+  ReleasePlatformResources();
+}
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wnullability-completeness"
+NS_IMPL_ISUPPORTS(MacOSWebAuthnService, nsIWebAuthnService)
+#pragma clang diagnostic pop
+
+NS_IMETHODIMP
+MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
+                                     uint64_t aBrowsingContextId,
+                                     nsIWebAuthnRegisterArgs* aArgs,
+                                     nsIWebAuthnRegisterPromise* aPromise) {
+  Reset();
+  auto guard = mTransactionState.Lock();
+  *guard = Some(TransactionState{
+      aTransactionId,
+      aBrowsingContextId,
+      Nothing(),
+      Nothing(),
+      Nothing(),
+  });
+  NS_DispatchToMainThread(NS_NewRunnableFunction(
+      "MacOSWebAuthnService::MakeCredential",
+      [self = RefPtr{this}, browsingContextId(aBrowsingContextId),
+       aArgs = nsCOMPtr{aArgs}, aPromise = nsCOMPtr{aPromise}]() {
+        self->mRegisterPromise = aPromise;
+
+        nsAutoString rpId;
+        Unused << aArgs->GetRpId(rpId);
+        NSString* rpIdNS = nsCocoaUtils::ToNSString(rpId);
+
+        nsTArray<uint8_t> challenge;
+        Unused << aArgs->GetChallenge(challenge);
+        NSData* challengeNS = [NSData dataWithBytes:challenge.Elements()
+                                             length:challenge.Length()];
+
+        nsTArray<uint8_t> userId;
+        Unused << aArgs->GetUserId(userId);
+        NSData* userIdNS = [NSData dataWithBytes:userId.Elements()
+                                          length:userId.Length()];
+
+        nsAutoString userName;
+        Unused << aArgs->GetUserName(userName);
+        NSString* userNameNS = nsCocoaUtils::ToNSString(userName);
+
+        nsAutoString userDisplayName;
+        Unused << aArgs->GetUserName(userDisplayName);
+        NSString* userDisplayNameNS = nsCocoaUtils::ToNSString(userDisplayName);
+
+        nsTArray<int32_t> coseAlgs;
+        Unused << aArgs->GetCoseAlgs(coseAlgs);
+        NSMutableArray* credentialParameters = [[NSMutableArray alloc] init];
+        for (const auto& coseAlg : coseAlgs) {
+          ASAuthorizationPublicKeyCredentialParameters* credentialParameter =
+              [[ASAuthorizationPublicKeyCredentialParameters alloc]
+                  initWithAlgorithm:coseAlg];
+          [credentialParameters addObject:credentialParameter];
+        }
+
+        nsTArray<nsTArray<uint8_t>> excludeList;
+        Unused << aArgs->GetExcludeList(excludeList);
+        nsTArray<uint8_t> excludeListTransports;
+        Unused << aArgs->GetExcludeListTransports(excludeListTransports);
+        if (excludeList.Length() != excludeListTransports.Length()) {
+          self->mRegisterPromise->Reject(NS_ERROR_INVALID_ARG);
+          return;
+        }
+
+        Maybe<ASAuthorizationPublicKeyCredentialUserVerificationPreference>
+            userVerificationPreference = Nothing();
+        nsAutoString userVerification;
+        Unused << aArgs->GetUserVerification(userVerification);
+        if (userVerification.EqualsLiteral(
+                MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED)) {
+          userVerificationPreference.emplace(
+              ASAuthorizationPublicKeyCredentialUserVerificationPreferenceRequired);
+        } else if (userVerification.EqualsLiteral(
+                       MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED)) {
+          userVerificationPreference.emplace(
+              ASAuthorizationPublicKeyCredentialUserVerificationPreferencePreferred);
+        } else if (
+            userVerification.EqualsLiteral(
+                MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED)) {
+          userVerificationPreference.emplace(
+              ASAuthorizationPublicKeyCredentialUserVerificationPreferenceDiscouraged);
+        }
+
+        // The API doesn't support attestation for platform passkeys and shows
+        // no consent UI for non-none attestation for cross-platform devices,
+        // so this must always be none.
+        ASAuthorizationPublicKeyCredentialAttestationKind
+            attestationPreference =
+                ASAuthorizationPublicKeyCredentialAttestationKindNone;
+
+        // Initialize the platform provider with the rpId.
+        ASAuthorizationPlatformPublicKeyCredentialProvider* platformProvider =
+            [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc]
+                initWithRelyingPartyIdentifier:rpIdNS];
+        // Make a credential registration request with the challenge, userName,
+        // and userId.
+        ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest*
+            platformRegistrationRequest = [platformProvider
+                createCredentialRegistrationRequestWithChallenge:challengeNS
+                                                            name:userNameNS
+                                                          userID:userIdNS];
+        [platformProvider release];
+        platformRegistrationRequest.attestationPreference =
+            attestationPreference;
+        if (userVerificationPreference.isSome()) {
+          platformRegistrationRequest.userVerificationPreference =
+              *userVerificationPreference;
+        }
+
+        // Initialize the cross-platform provider with the rpId.
+        ASAuthorizationSecurityKeyPublicKeyCredentialProvider*
+            crossPlatformProvider =
+                [[ASAuthorizationSecurityKeyPublicKeyCredentialProvider alloc]
+                    initWithRelyingPartyIdentifier:rpIdNS];
+        // Make a credential registration request with the challenge,
+        // userDisplayName, userName, and userId.
+        ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest*
+            crossPlatformRegistrationRequest = [crossPlatformProvider
+                createCredentialRegistrationRequestWithChallenge:challengeNS
+                                                     displayName:
+                                                         userDisplayNameNS
+                                                            name:userNameNS
+                                                          userID:userIdNS];
+        [crossPlatformProvider release];
+        crossPlatformRegistrationRequest.attestationPreference =
+            attestationPreference;
+        crossPlatformRegistrationRequest.credentialParameters =
+            credentialParameters;
+        if (userVerificationPreference.isSome()) {
+          crossPlatformRegistrationRequest.userVerificationPreference =
+              *userVerificationPreference;
+        }
+        nsTArray<uint8_t> clientDataHash;
+        nsresult rv = aArgs->GetClientDataHash(clientDataHash);
+        if (NS_FAILED(rv)) {
+          self->mRegisterPromise->Reject(rv);
+          return;
+        }
+        nsAutoString authenticatorAttachment;
+        rv = aArgs->GetAuthenticatorAttachment(authenticatorAttachment);
+        if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) {
+          self->mRegisterPromise->Reject(rv);
+          return;
+        }
+        NSMutableArray* requests = [[NSMutableArray alloc] init];
+        if (authenticatorAttachment.EqualsLiteral(
+                MOZ_WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM)) {
+          [requests addObject:platformRegistrationRequest];
+        } else if (authenticatorAttachment.EqualsLiteral(
+                       MOZ_WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM)) {
+          [requests addObject:crossPlatformRegistrationRequest];
+        } else {
+          // Regarding the value of authenticator attachment, according to the
+          // specification, "client platforms MUST ignore unknown values,
+          // treating an unknown value as if the member does not exist".
+          [requests addObject:platformRegistrationRequest];
+          [requests addObject:crossPlatformRegistrationRequest];
+        }
+        self->PerformRequests(
+            requests, std::move(clientDataHash), std::move(excludeList),
+            std::move(excludeListTransports), browsingContextId);
+      }));
+  return NS_OK;
+}
+
+void MacOSWebAuthnService::PerformRequests(
+    NSArray<ASAuthorizationRequest*>* aRequests,
+    nsTArray<uint8_t>&& aClientDataHash,
+    nsTArray<nsTArray<uint8_t>>&& aCredentialList,
+    nsTArray<uint8_t>&& aCredentialListTransports,
+    uint64_t aBrowsingContextId) {
+  MOZ_ASSERT(NS_IsMainThread());
+  // Create a MacOSAuthorizationController and initialize it with the requests.
+  MOZ_ASSERT(!mAuthorizationController);
+  mAuthorizationController = [[MacOSAuthorizationController alloc]
+      initWithAuthorizationRequests:aRequests];
+  [mAuthorizationController
+              stashClientDataHash:std::move(aClientDataHash)
+                andCredentialList:std::move(aCredentialList)
+      andCredentialListTransports:std::move(aCredentialListTransports)];
+
+  // Set up the delegate to run when the operation completes.
+  MOZ_ASSERT(!mRequestDelegate);
+  mRequestDelegate = [[MacOSAuthenticatorRequestDelegate alloc] init];
+  [mRequestDelegate setCallback:this];
+  mAuthorizationController.delegate = mRequestDelegate;
+
+  // Create a presentation context provider so the API knows which window
+  // made the request.
+  NSWindow* window = nullptr;
+  nsresult rv = BrowsingContextIdToNSWindow(aBrowsingContextId, &window);
+  if (NS_FAILED(rv)) {
+    AbortTransaction(NS_ERROR_DOM_INVALID_STATE_ERR);
+    return;
+  }
+  MOZ_ASSERT(!mPresentationContextProvider);
+  mPresentationContextProvider =
+      [[MacOSAuthenticatorPresentationContextProvider alloc] init];
+  mPresentationContextProvider.window = window;
+  mAuthorizationController.presentationContextProvider =
+      mPresentationContextProvider;
+
+  // Finally, perform the request.
+  [mAuthorizationController performRequests];
+}
+
+void MacOSWebAuthnService::FinishMakeCredential(
+    const nsTArray<uint8_t>& aRawAttestationObject,
+    const nsTArray<uint8_t>& aCredentialId,
+    const nsTArray<nsString>& aTransports,
+    const Maybe<nsString>& aAuthenticatorAttachment) {
+  MOZ_ASSERT(NS_IsMainThread());
+  if (!mRegisterPromise) {
+    return;
+  }
+
+  RefPtr<WebAuthnRegisterResult> result(new WebAuthnRegisterResult(
+      aRawAttestationObject, Nothing(), aCredentialId, aTransports,
+      aAuthenticatorAttachment));
+  Unused << mRegisterPromise->Resolve(result);
+  mRegisterPromise = nullptr;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::GetAssertion(uint64_t aTransactionId,
+                                   uint64_t aBrowsingContextId,
+                                   nsIWebAuthnSignArgs* aArgs,
+                                   nsIWebAuthnSignPromise* aPromise) {
+  Reset();
+
+  auto guard = mTransactionState.Lock();
+  *guard = Some(TransactionState{
+      aTransactionId,
+      aBrowsingContextId,
+      Some(RefPtr{aArgs}),
+      Some(RefPtr{aPromise}),
+      Nothing(),
+  });
+
+  bool conditionallyMediated;
+  Unused << aArgs->GetConditionallyMediated(&conditionallyMediated);
+  if (!conditionallyMediated) {
+    DoGetAssertion(Nothing(), guard);
+    return NS_OK;
+  }
+
+  // Using conditional mediation, so dispatch a task to collect any available
+  // passkeys.
+  NS_DispatchToMainThread(NS_NewRunnableFunction(
+      "platformCredentialsForRelyingParty",
+      [self = RefPtr{this}, aTransactionId, aArgs = nsCOMPtr{aArgs}]() {
+        // This handler is called when platformCredentialsForRelyingParty
+        // completes.
+        auto credentialsCompletionHandler = ^(
+            NSArray<ASAuthorizationWebBrowserPlatformPublicKeyCredential*>*
+                credentials) {
+          nsTArray<RefPtr<nsIWebAuthnAutoFillEntry>> autoFillEntries;
+          for (NSUInteger i = 0; i < credentials.count; i++) {
+            const auto& credential = credentials[i];
+            nsAutoString userName;
+            nsCocoaUtils::GetStringForNSString(credential.name, userName);
+            nsAutoString rpId;
+            nsCocoaUtils::GetStringForNSString(credential.relyingParty, rpId);
+            autoFillEntries.AppendElement(new WebAuthnAutoFillEntry(
+                nsIWebAuthnAutoFillEntry::PROVIDER_PLATFORM_MACOS, userName,
+                rpId, NSDataToArray(credential.credentialID)));
+          }
+          auto guard = self->mTransactionState.Lock();
+          if (guard->isSome() && guard->ref().transactionId == aTransactionId) {
+            guard->ref().autoFillEntries.emplace(std::move(autoFillEntries));
+          }
+        };
+        // This handler is called when
+        // requestAuthorizationForPublicKeyCredentials completes.
+        auto authorizationHandler = ^(
+            ASAuthorizationWebBrowserPublicKeyCredentialManagerAuthorizationState
+                authorizationState) {
+          // If authorized, list any available passkeys.
+          if (authorizationState ==
+              ASAuthorizationWebBrowserPublicKeyCredentialManagerAuthorizationStateAuthorized) {
+            nsAutoString rpId;
+            Unused << aArgs->GetRpId(rpId);
+            [self->mCredentialManager
+                platformCredentialsForRelyingParty:nsCocoaUtils::ToNSString(
+                                                       rpId)
+                                 completionHandler:
+                                     credentialsCompletionHandler];
+          }
+        };
+        if (!self->mCredentialManager) {
+          self->mCredentialManager =
+              [[ASAuthorizationWebBrowserPublicKeyCredentialManager alloc]
+                  init];
+        }
+        // Request authorization to examine any available passkeys. This will
+        // cause a permission prompt to appear once.
+        [self->mCredentialManager
+            requestAuthorizationForPublicKeyCredentials:authorizationHandler];
+      }));
+
+  return NS_OK;
+}
+
+void MacOSWebAuthnService::DoGetAssertion(
+    Maybe<nsTArray<uint8_t>>&& aSelectedCredentialId,
+    const TransactionStateMutex::AutoLock& aGuard) {
+  if (aGuard->isNothing() || aGuard->ref().pendingSignArgs.isNothing() ||
+      aGuard->ref().pendingSignPromise.isNothing()) {
+    return;
+  }
+
+  // Take the pending Args and Promise to prevent repeated calls to
+  // DoGetAssertion for this transaction.
+  RefPtr<nsIWebAuthnSignArgs> aArgs = aGuard->ref().pendingSignArgs.extract();
+  RefPtr<nsIWebAuthnSignPromise> aPromise =
+      aGuard->ref().pendingSignPromise.extract();
+  uint64_t aBrowsingContextId = aGuard->ref().browsingContextId;
+
+  NS_DispatchToMainThread(NS_NewRunnableFunction(
+      "MacOSWebAuthnService::MakeCredential",
+      [self = RefPtr{this}, browsingContextId(aBrowsingContextId), aArgs,
+       aPromise,
+       aSelectedCredentialId = std::move(aSelectedCredentialId)]() mutable {
+        self->mSignPromise = aPromise;
+
+        nsAutoString rpId;
+        Unused << aArgs->GetRpId(rpId);
+        NSString* rpIdNS = nsCocoaUtils::ToNSString(rpId);
+
+        nsTArray<uint8_t> challenge;
+        Unused << aArgs->GetChallenge(challenge);
+        NSData* challengeNS = [NSData dataWithBytes:challenge.Elements()
+                                             length:challenge.Length()];
+
+        nsTArray<nsTArray<uint8_t>> allowList;
+        nsTArray<uint8_t> allowListTransports;
+        if (aSelectedCredentialId.isSome()) {
+          allowList.AppendElement(aSelectedCredentialId.extract());
+          allowListTransports.AppendElement(
+              MOZ_WEBAUTHN_AUTHENTICATOR_TRANSPORT_ID_INTERNAL);
+        } else {
+          Unused << aArgs->GetAllowList(allowList);
+          Unused << aArgs->GetAllowListTransports(allowListTransports);
+        }
+        NSMutableArray* platformAllowedCredentials =
+            [[NSMutableArray alloc] init];
+        for (const auto& allowedCredentialId : allowList) {
+          NSData* allowedCredentialIdNS =
+              [NSData dataWithBytes:allowedCredentialId.Elements()
+                             length:allowedCredentialId.Length()];
+          ASAuthorizationPlatformPublicKeyCredentialDescriptor*
+              allowedCredential =
+                  [[ASAuthorizationPlatformPublicKeyCredentialDescriptor alloc]
+                      initWithCredentialID:allowedCredentialIdNS];
+          [platformAllowedCredentials addObject:allowedCredential];
+        }
+        const Class securityKeyPublicKeyCredentialDescriptorClass =
+            NSClassFromString(
+                @"ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor");
+        NSArray<ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor*>*
+            crossPlatformAllowedCredentials =
+                CredentialListsToCredentialDescriptorArray(
+                    allowList, allowListTransports,
+                    securityKeyPublicKeyCredentialDescriptorClass);
+
+        Maybe<ASAuthorizationPublicKeyCredentialUserVerificationPreference>
+            userVerificationPreference = Nothing();
+        nsAutoString userVerification;
+        Unused << aArgs->GetUserVerification(userVerification);
+        if (userVerification.EqualsLiteral(
+                MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED)) {
+          userVerificationPreference.emplace(
+              ASAuthorizationPublicKeyCredentialUserVerificationPreferenceRequired);
+        } else if (userVerification.EqualsLiteral(
+                       MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED)) {
+          userVerificationPreference.emplace(
+              ASAuthorizationPublicKeyCredentialUserVerificationPreferencePreferred);
+        } else if (
+            userVerification.EqualsLiteral(
+                MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED)) {
+          userVerificationPreference.emplace(
+              ASAuthorizationPublicKeyCredentialUserVerificationPreferenceDiscouraged);
+        }
+
+        // Initialize the platform provider with the rpId.
+        ASAuthorizationPlatformPublicKeyCredentialProvider* platformProvider =
+            [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc]
+                initWithRelyingPartyIdentifier:rpIdNS];
+        // Make a credential assertion request with the challenge.
+        ASAuthorizationPlatformPublicKeyCredentialAssertionRequest*
+            platformAssertionRequest = [platformProvider
+                createCredentialAssertionRequestWithChallenge:challengeNS];
+        [platformProvider release];
+        platformAssertionRequest.allowedCredentials =
+            platformAllowedCredentials;
+        if (userVerificationPreference.isSome()) {
+          platformAssertionRequest.userVerificationPreference =
+              *userVerificationPreference;
+        }
+
+        // Initialize the cross-platform provider with the rpId.
+        ASAuthorizationSecurityKeyPublicKeyCredentialProvider*
+            crossPlatformProvider =
+                [[ASAuthorizationSecurityKeyPublicKeyCredentialProvider alloc]
+                    initWithRelyingPartyIdentifier:rpIdNS];
+        // Make a credential assertion request with the challenge.
+        ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest*
+            crossPlatformAssertionRequest = [crossPlatformProvider
+                createCredentialAssertionRequestWithChallenge:challengeNS];
+        [crossPlatformProvider release];
+        crossPlatformAssertionRequest.allowedCredentials =
+            crossPlatformAllowedCredentials;
+        if (userVerificationPreference.isSome()) {
+          crossPlatformAssertionRequest.userVerificationPreference =
+              *userVerificationPreference;
+        }
+        nsTArray<uint8_t> clientDataHash;
+        nsresult rv = aArgs->GetClientDataHash(clientDataHash);
+        if (NS_FAILED(rv)) {
+          self->mSignPromise->Reject(rv);
+          return;
+        }
+        nsTArray<nsTArray<uint8_t>> unusedCredentialIds;
+        nsTArray<uint8_t> unusedTransports;
+        // allowList and allowListTransports won't actually get used.
+        self->PerformRequests(
+            @[ platformAssertionRequest, crossPlatformAssertionRequest ],
+            std::move(clientDataHash), std::move(allowList),
+            std::move(allowListTransports), browsingContextId);
+      }));
+}
+
+void MacOSWebAuthnService::FinishGetAssertion(
+    const nsTArray<uint8_t>& aCredentialId, const nsTArray<uint8_t>& aSignature,
+    const nsTArray<uint8_t>& aAuthenticatorData,
+    const nsTArray<uint8_t>& aUserHandle,
+    const Maybe<nsString>& aAuthenticatorAttachment) {
+  MOZ_ASSERT(NS_IsMainThread());
+  if (!mSignPromise) {
+    return;
+  }
+
+  RefPtr<WebAuthnSignResult> result(new WebAuthnSignResult(
+      aAuthenticatorData, Nothing(), aCredentialId, aSignature, aUserHandle,
+      aAuthenticatorAttachment));
+  Unused << mSignPromise->Resolve(result);
+  mSignPromise = nullptr;
+}
+
+void MacOSWebAuthnService::ReleasePlatformResources() {
+  MOZ_ASSERT(NS_IsMainThread());
+  [mCredentialManager release];
+  mCredentialManager = nil;
+  [mAuthorizationController release];
+  mAuthorizationController = nil;
+  [mRequestDelegate release];
+  mRequestDelegate = nil;
+  [mPresentationContextProvider release];
+  mPresentationContextProvider = nil;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::Reset() {
+  auto guard = mTransactionState.Lock();
+  if (guard->isSome()) {
+    if (guard->ref().pendingSignPromise.isSome()) {
+      // This request was never dispatched to the platform API, so
+      // we need to reject the promise ourselves.
+      guard->ref().pendingSignPromise.ref()->Reject(
+          NS_ERROR_DOM_NOT_ALLOWED_ERR);
+    }
+    guard->reset();
+  }
+  NS_DispatchToMainThread(NS_NewRunnableFunction(
+      "MacOSWebAuthnService::Cancel", [self = RefPtr{this}] {
+        // cancel results in the delegate's didCompleteWithError method being
+        // called, which will release all platform resources.
+        [self->mAuthorizationController cancel];
+      }));
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::GetIsUVPAA(bool* aAvailable) {
+  *aAvailable = true;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::Cancel(uint64_t aTransactionId) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::HasPendingConditionalGet(uint64_t aBrowsingContextId,
+                                               const nsAString& aOrigin,
+                                               uint64_t* aRv) {
+  auto guard = mTransactionState.Lock();
+  if (guard->isNothing() ||
+      guard->ref().browsingContextId != aBrowsingContextId ||
+      guard->ref().pendingSignArgs.isNothing()) {
+    *aRv = 0;
+    return NS_OK;
+  }
+
+  nsString origin;
+  Unused << guard->ref().pendingSignArgs.ref()->GetOrigin(origin);
+  if (origin != aOrigin) {
+    *aRv = 0;
+    return NS_OK;
+  }
+
+  *aRv = guard->ref().transactionId;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::GetAutoFillEntries(
+    uint64_t aTransactionId, nsTArray<RefPtr<nsIWebAuthnAutoFillEntry>>& aRv) {
+  auto guard = mTransactionState.Lock();
+  if (guard->isNothing() || guard->ref().transactionId != aTransactionId ||
+      guard->ref().pendingSignArgs.isNothing() ||
+      guard->ref().autoFillEntries.isNothing()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+  aRv.Assign(guard->ref().autoFillEntries.ref());
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::SelectAutoFillEntry(
+    uint64_t aTransactionId, const nsTArray<uint8_t>& aCredentialId) {
+  auto guard = mTransactionState.Lock();
+  if (guard->isNothing() || guard->ref().transactionId != aTransactionId ||
+      guard->ref().pendingSignArgs.isNothing()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  nsTArray<nsTArray<uint8_t>> allowList;
+  Unused << guard->ref().pendingSignArgs.ref()->GetAllowList(allowList);
+  if (!allowList.IsEmpty() && !allowList.Contains(aCredentialId)) {
+    return NS_ERROR_FAILURE;
+  }
+
+  Maybe<nsTArray<uint8_t>> id;
+  id.emplace();
+  id.ref().Assign(aCredentialId);
+  DoGetAssertion(std::move(id), guard);
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::ResumeConditionalGet(uint64_t aTransactionId) {
+  auto guard = mTransactionState.Lock();
+  if (guard->isNothing() || guard->ref().transactionId != aTransactionId ||
+      guard->ref().pendingSignArgs.isNothing()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+  DoGetAssertion(Nothing(), guard);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::PinCallback(uint64_t aTransactionId,
+                                  const nsACString& aPin) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::ResumeMakeCredential(uint64_t aTransactionId,
+                                           bool aForceNoneAttestation) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::SelectionCallback(uint64_t aTransactionId,
+                                        uint64_t aIndex) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::AddVirtualAuthenticator(
+    const nsACString& protocol, const nsACString& transport,
+    bool hasResidentKey, bool hasUserVerification, bool isUserConsenting,
+    bool isUserVerified, uint64_t* _retval) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::RemoveVirtualAuthenticator(uint64_t authenticatorId) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::AddCredential(uint64_t authenticatorId,
+                                    const nsACString& credentialId,
+                                    bool isResidentCredential,
+                                    const nsACString& rpId,
+                                    const nsACString& privateKey,
+                                    const nsACString& userHandle,
+                                    uint32_t signCount) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::GetCredentials(
+    uint64_t authenticatorId,
+    nsTArray<RefPtr<nsICredentialParameters>>& _retval) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::RemoveCredential(uint64_t authenticatorId,
+                                       const nsACString& credentialId) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::RemoveAllCredentials(uint64_t authenticatorId) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::SetUserVerified(uint64_t authenticatorId,
+                                      bool isUserVerified) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+MacOSWebAuthnService::Listen() { return NS_ERROR_NOT_IMPLEMENTED; }
+
+NS_IMETHODIMP
+MacOSWebAuthnService::RunCommand(const nsACString& cmd) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+}  // namespace mozilla::dom
+
+NS_ASSUME_NONNULL_END