fix(ctap2): do not send uv option together with pinUvAuthParam

libwebauthn/src/proto/ctap2/model/get_assertion.rs

@@ -405,6 +405,9 @@ impl Ctap2UserVerifiableRequest for Ctap2GetAssertionRequest {
         let uv_auth_param = uv_proto.authenticate(uv_auth_token, hash)?;
         self.pin_auth_proto = Some(uv_proto.version() as u32);
         self.pin_auth_param = Some(ByteBuf::from(uv_auth_param));
+        if let Some(ref mut options) = self.options {
+            options.require_user_verification = false;
+        }
         Ok(())
     }
 
@@ -688,6 +691,37 @@ mod tests {
         assert!(large_blob.blob.is_none());
     }
 
+    #[test]
+    fn pin_uv_auth_param_clears_uv_option() {
+        use crate::ops::webauthn::UserVerificationRequirement;
+        use crate::pin::PinUvAuthProtocolOne;
+
+        let mut request = make_request(vec![]);
+        request.user_verification = UserVerificationRequirement::Required;
+        let mut ctap2 = Ctap2GetAssertionRequest::from(request);
+        assert!(ctap2.options.unwrap().require_user_verification);
+
+        let proto = PinUvAuthProtocolOne::new();
+        ctap2
+            .calculate_and_set_uv_auth(&proto, &[0xAA; 32])
+            .unwrap();
+
+        assert!(ctap2.pin_auth_param.is_some());
+        assert!(!ctap2.options.unwrap().require_user_verification);
+
+        // Wire check: the options map (0x05) must not contain "uv".
+        let bytes = crate::proto::ctap2::cbor::to_vec(&ctap2).unwrap();
+        let parsed: BTreeMap<u64, Value> = crate::proto::ctap2::cbor::from_slice(&bytes).unwrap();
+        let Some(Value::Map(options)) = parsed.get(&0x05) else {
+            panic!("options map missing from serialized request");
+        };
+        assert!(!options.contains_key(&Value::Text("uv".to_string())));
+        assert_eq!(
+            options.get(&Value::Text("up".to_string())),
+            Some(&Value::Bool(true))
+        );
+    }
+
     #[test]
     fn decodes_unsigned_extension_outputs_at_index_0x08() {
         // 0x08 is unsignedExtensionOutputs (a CBOR map), not enterprise attestation.

libwebauthn/src/proto/ctap2/model/make_credential.rs

@@ -389,6 +389,9 @@ impl Ctap2UserVerifiableRequest for Ctap2MakeCredentialRequest {
         let uv_auth_param = uv_proto.authenticate(uv_auth_token, hash)?;
         self.pin_auth_proto = Some(uv_proto.version() as u32);
         self.pin_auth_param = Some(ByteBuf::from(uv_auth_param));
+        if let Some(ref mut options) = self.options {
+            options.deprecated_require_user_verification = None;
+        }
         Ok(())
     }
 
@@ -698,6 +701,33 @@ mod tests {
         assert_eq!(mc_in.salt_enc.len(), 16 + 64);
     }
 
+    #[test]
+    fn pin_uv_auth_param_clears_deprecated_uv_option() {
+        use crate::pin::PinUvAuthProtocolOne;
+
+        let info = Ctap2GetInfoResponse::default();
+        let req = mc_request_with_prf(None);
+        let mut ctap2 = Ctap2MakeCredentialRequest::from_webauthn_request(&req, &info).unwrap();
+
+        ctap2.ensure_uv_set();
+        assert_eq!(
+            ctap2.options.unwrap().deprecated_require_user_verification,
+            Some(true)
+        );
+
+        let proto = PinUvAuthProtocolOne::new();
+        ctap2
+            .calculate_and_set_uv_auth(&proto, &[0xAA; 32])
+            .unwrap();
+
+        assert!(ctap2.pin_auth_param.is_some());
+        assert!(ctap2
+            .options
+            .unwrap()
+            .deprecated_require_user_verification
+            .is_none());
+    }
+
     #[test]
     fn from_signed_extensions_decrypts_results_with_auth_data() {
         use crate::proto::ctap2::Ctap2UserVerificationOperation;