
feat: Retry WebAuthn operations when PUAT is required #500

Merged: DennisDyallo merged 6 commits into yubikit-composite-device-new from yubikit-webauthn-puat-retry on Jul 1, 2026

@DennisDyallo (Collaborator)

Summary

  • Retry WebAuthn MakeCredential/GetAssertion once when CTAP returns PuatRequired and UV was not already required.
  • Remint MakeCredential tokens after exclude-list preflight and preserve silent up=false probing.
  • Consolidate retry helpers and shared test helpers.

Verification

  • dotnet toolchain.cs -- test --project WebAuthn
  • dotnet toolchain.cs -- test --integration --project WebAuthn --smoke --filter "Category!=RequiresUserPresence"
  • Read-only review: no findings

@DennisDyallo DennisDyallo changed the title Retry WebAuthn operations when PUAT is required feat: Retry WebAuthn operations when PUAT is required Jun 24, 2026
@DennisDyallo DennisDyallo requested a review from Copilot June 26, 2026 12:29

Copilot AI left a comment (Contributor)

Pull request overview

This PR updates the WebAuthn client flow to handle CTAP PuatRequired responses by retrying MakeCredential/GetAssertion once with UV forced to Required, and refactors shared helper logic (token acquisition, retry/error mapping, and memory zeroing). It also consolidates and extends unit-test support to cover the new retry paths and exclude-list preflight behavior.

Changes:

  • Add “retry once with UV required” behavior for MakeCredential/GetAssertion when CTAP returns PuatRequired and UV was not already required.
  • Refactor WebAuthnClient internals (token acquisition helper, retry helpers, and pinUvAuthParam zeroing wrappers).
  • Add/adjust unit tests and shared test helpers for PUAT retry and exclude-list preflight/remint behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/WebAuthn/src/Client/WebAuthnClient.cs | Implements PUAT retry behavior, refactors token acquisition and adds request wrappers that zero pinUvAuthParam. |
| src/WebAuthn/src/Internal/ExcludeListPreflight.cs | Zeros the computed pinUvAuthParam after exclude-list probing. |
| src/WebAuthn/src/Client/FidoSessionWebAuthnBackend.cs | Ensures up option is mapped into FIDO2 options and zeroes copied pinUvAuthParam after session calls. |
| src/WebAuthn/tests/Yubico.YubiKit.WebAuthn.UnitTests/TestSupport/TestPinUvAuthProtocol.cs | Adds reusable test protocol implementation for Span-based protocol calls. |
| src/WebAuthn/tests/Yubico.YubiKit.WebAuthn.UnitTests/Internal/ExcludeListPreflightTests.cs | Switches to shared TestSupport protocol helper. |
| src/WebAuthn/tests/Yubico.YubiKit.WebAuthn.UnitTests/Client/WebAuthnClientMakeCredentialTests.cs | Adds unit tests validating MakeCredential PUAT retry and exclude-list remint permission behavior. |
| src/WebAuthn/tests/Yubico.YubiKit.WebAuthn.UnitTests/Client/WebAuthnClientGetAssertionTests.cs | Adds unit tests validating GetAssertion PUAT retry and “retry then no-credentials” behavior. |

Comment thread src/WebAuthn/src/Internal/ExcludeListPreflight.cs Outdated
Comment thread src/WebAuthn/src/Client/FidoSessionWebAuthnBackend.cs Outdated
Comment thread src/WebAuthn/src/Client/WebAuthnClient.cs
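
The retry-once behavior described in the review above, as an added example that is not the PR's code or YubiKit's API: a request is retried a single time with UV forced to Required when the authenticator answers PuatRequired, and the pinUvAuthParam buffer is zeroed after every attempt. `PuatRetry`, `UvPolicy`, `CtapStatus`, `CtapException`, `makeAuthParam` and `send` are hypothetical names; 0x36 is the CTAP 2.1 value of CTAP2_ERR_PUAT_REQUIRED.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;

// Hypothetical stand-ins for this example; not YubiKit types.
public enum UvPolicy { Discouraged, Preferred, Required }
public enum CtapStatus : byte { Ok = 0x00, PuatRequired = 0x36 } // 0x36 = CTAP2_ERR_PUAT_REQUIRED

public sealed class CtapException : Exception
{
    public CtapStatus Status { get; }
    public CtapException(CtapStatus status) : base($"CTAP status {status}") => Status = status;
}

public static class PuatRetry
{
    // makeAuthParam mints a token for the given UV policy and returns a fresh
    // pinUvAuthParam (null when no token is used); send performs the CTAP request.
    public static T Run<T>(UvPolicy requested,
        Func<UvPolicy, byte[]?> makeAuthParam, Func<UvPolicy, byte[]?, T> send)
    {
        try { return Attempt(requested, makeAuthParam, send); }
        catch (CtapException e) when (e.Status == CtapStatus.PuatRequired
                                      && requested != UvPolicy.Required)
        {
            // Exactly one retry with UV forced to Required. The filter skips the retry
            // when UV was already Required, and any error from the retry propagates.
            return Attempt(UvPolicy.Required, makeAuthParam, send);
        }
    }

    private static T Attempt<T>(UvPolicy uv,
        Func<UvPolicy, byte[]?> makeAuthParam, Func<UvPolicy, byte[]?, T> send)
    {
        byte[]? authParam = makeAuthParam(uv);
        try { return send(uv, authParam); }
        // Zero the buffer on success and on failure, so a failed first attempt
        // does not leave its pinUvAuthParam in memory while the retry runs.
        finally { if (authParam is not null) CryptographicOperations.ZeroMemory(authParam); }
    }
}

public static class Demo
{
    public static void Main()
    {
        int calls = 0;
        // Constructed fake authenticator: rejects any request sent without a pinUvAuthParam.
        string result = PuatRetry.Run(UvPolicy.Preferred,
            uv => uv == UvPolicy.Required ? new byte[32] : null,
            (uv, p) => { calls++; if (p is null) throw new CtapException(CtapStatus.PuatRequired); return $"ok uv={uv}"; });
        Console.WriteLine($"{result}, attempts={calls}");
    }
}
```

Because the retry runs inside the catch handler rather than inside the try, a second PuatRequired cannot loop back into another attempt.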
Base automatically changed from yubikit-ctap-status-22-alignment to yubikit-performance June 29, 2026 21:29

Copilot AI left a comment (Contributor)

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

Base automatically changed from yubikit-performance to yubikit-composite-device-new July 1, 2026 10:46
@DennisDyallo DennisDyallo marked this pull request as ready for review July 1, 2026 11:04
@DennisDyallo DennisDyallo merged commit 3239ecb into yubikit-composite-device-new Jul 1, 2026
4 checks passed
@DennisDyallo DennisDyallo deleted the yubikit-webauthn-puat-retry branch July 1, 2026 11:04
2 participants