fix(ble): enumerate undiscovered peripherals and refuse unbonded before any BLE link

list_fido_devices filtered on Peripheral::services(), which per btleplug
docs is empty until discover_services() is called, so unconnected
peripherals were dropped even when their advertised UUIDs included the
FIDO service. Filter on PeripheralProperties::services (advertised
UUIDs) instead, and run a brief scan first so adapter.peripherals()
returns currently-advertising authenticators.

supported_fido_revisions performed a GATT read without first calling
Peripheral::connect() / discover_services(), so the characteristic
lookup found nothing on a peripheral whose services had not been
discovered in the current process. Enforce bonding here too (it's only
a bluez D-Bus lookup) so unbonded peripherals are refused before any
BLE link is opened.

Both bugs predate PR #202 and only surface when the peripheral is not
already an actively-connected, services-discovered device in the
current btleplug session.

Author: AlfioEmanueleFresta

libwebauthn/src/transport/ble/btleplug/manager.rs

@@ -151,19 +151,29 @@ async fn discover_properties(
     Ok(result)
 }
 
+/// Brief scan window so btleplug's adapter.peripherals() observes
+/// currently-advertising FIDO authenticators before we enumerate.
+const SCAN_DURATION: std::time::Duration = std::time::Duration::from_secs(3);
+
 #[instrument(level = Level::DEBUG, skip_all)]
 pub async fn list_fido_devices() -> Result<Vec<FidoDevice>, Error> {
     let adapter = get_adapter().await?;
+    adapter
+        .start_scan(ScanFilter {
+            services: vec![FIDO_PROFILE_UUID],
+        })
+        .await
+        .or(Err(Error::ConnectionFailed))?;
+    tokio::time::sleep(SCAN_DURATION).await;
+    let _ = adapter.stop_scan().await;
     let peripherals: Vec<Peripheral> = adapter
         .peripherals()
         .await
-        .or(Err(Error::ConnectionFailed))?
-        .into_iter()
-        .filter(|p| p.services().iter().any(|s| s.uuid == FIDO_PROFILE_UUID))
-        .collect();
-    let with_properties = discover_properties(peripherals)
+        .or(Err(Error::ConnectionFailed))?;
+    let with_properties: Vec<FidoDevice> = discover_properties(peripherals)
         .await?
         .into_iter()
+        .filter(|(_, props)| props.services.contains(&FIDO_PROFILE_UUID))
         .map(|(peripheral, properties)| FidoDevice {
             peripheral,
             properties,
@@ -191,6 +201,15 @@ pub async fn get_device(peripheral: Peripheral) -> Result<Option<FidoDevice>, Er
 pub async fn supported_fido_revisions(
     peripheral: &Peripheral,
 ) -> Result<SupportedRevisions, Error> {
+    enforce_bonded(peripheral).await?;
+    peripheral
+        .connect()
+        .await
+        .or(Err(Error::ConnectionFailed))?;
+    peripheral
+        .discover_services()
+        .await
+        .or(Err(Error::ConnectionFailed))?;
     let services = discover_services(peripheral).await?;
     let revision = peripheral
         .read(&services.service_revision_bitfield)