GH#1357: feat(auth): add passwordless login with passkeys

[superdav42]

Summary

Adds native email-first passwordless authentication with passkey/WebAuthn support, email OTP fallback, auth tables, login/checkout UI integration, docs, and focused unit/E2E coverage.

Files Changed

README.md,assets/js/passwordless-auth.js,inc/auth/class-email-otp-service.php,inc/auth/class-passkey-credential-store.php,inc/auth/class-passkey-service.php,inc/auth/class-passwordless-auth-manager.php,inc/auth/class-webauthn-challenge-store.php,inc/auth/class-webauthn-helper.php,inc/checkout/class-checkout.php,inc/class-wp-ultimo.php,inc/database/email-otp-attempts/class-email-otp-attempts-schema.php,inc/database/email-otp-attempts/class-email-otp-attempts-table.php,inc/database/passkey-credentials/class-passkey-credentials-schema.php,inc/database/passkey-credentials/class-passkey-credentials-table.php,inc/database/webauthn-challenges/class-webauthn-challenges-schema.php,inc/database/webauthn-challenges/class-webauthn-challenges-table.php,inc/functions/helper.php,inc/loaders/class-table-loader.php,inc/ui/class-login-form-element.php,readme.txt,tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php,tests/e2e/cypress/integration/login.spec.js,tests/e2e/cypress/support/commands/login.js,views/checkout/partials/inline-login-prompt.php

Runtime Testing

• Risk level: Low (agent prompts / infrastructure scripts)
• Verification: vendor/bin/phpcs on changed PHP files; vendor/bin/phpstan targeted passwordless analysis; ./node_modules/.bin/eslint assets/js/passwordless-auth.js --max-warnings=0; vendor/bin/phpunit --filter Passwordless_Auth_Test; browser-agent runtime checks for wp-login.php, custom login page, and register checkout inline prompt.

Resolves #1357

---

aidevops.sh v3.20.41 plugin for OpenCode v1.16.2 with gpt-5.5 spent 4h 16m and 1,842,331 tokens on this with the user in an interactive session.

[superdav42]

Completion Summary

• What: Adds native email-first passwordless authentication with passkey/WebAuthn support, email OTP fallback, auth tables, login/checkout UI integration, docs, and focused unit/E2E coverage.
• Issue: Add native passkey login with email OTP fallback #1357
• Files changed: README.md,assets/js/passwordless-auth.js,inc/auth/class-email-otp-service.php,inc/auth/class-passkey-credential-store.php,inc/auth/class-passkey-service.php,inc/auth/class-passwordless-auth-manager.php,inc/auth/class-webauthn-challenge-store.php,inc/auth/class-webauthn-helper.php,inc/checkout/class-checkout.php,inc/class-wp-ultimo.php,inc/database/email-otp-attempts/class-email-otp-attempts-schema.php,inc/database/email-otp-attempts/class-email-otp-attempts-table.php,inc/database/passkey-credentials/class-passkey-credentials-schema.php,inc/database/passkey-credentials/class-passkey-credentials-table.php,inc/database/webauthn-challenges/class-webauthn-challenges-schema.php,inc/database/webauthn-challenges/class-webauthn-challenges-table.php,inc/functions/helper.php,inc/loaders/class-table-loader.php,inc/ui/class-login-form-element.php,readme.txt,tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php,tests/e2e/cypress/integration/login.spec.js,tests/e2e/cypress/support/commands/login.js,views/checkout/partials/inline-login-prompt.php
• Testing: vendor/bin/phpcs on changed PHP files; vendor/bin/phpstan targeted passwordless analysis; ./node_modules/.bin/eslint assets/js/passwordless-auth.js --max-warnings=0; vendor/bin/phpunit --filter Passwordless_Auth_Test; browser-agent runtime checks for wp-login.php, custom login page, and register checkout inline prompt.
• Key decisions: none

---

aidevops.sh v3.20.41 plugin for OpenCode v1.16.2 with gpt-5.5 spent 4h 16m and 1,842,331 tokens on this with the user in an interactive session.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6e9b9aaa-1d0d-45da-b716-88f8e4cd65f0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/auto-20260608-193530

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password