Merge pull request #655 from MultiColourPixel/main

Support FIDO2 authentication with devices that don’t have a PIN code
2026-03-25 08:55:46 +00:00 · 2025-06-09 22:10:12 -05:00 · 2025-06-09 22:10:12 -05:00 · b302365454
commit b302365454
parent 17f3d365b8 259ad0789a
5 changed files with 56 additions and 14 deletions
--- a/Xcodes.xcodeproj/project.pbxproj
+++ b/Xcodes.xcodeproj/project.pbxproj
@ -1493,7 +1493,7 @@
 			repositoryURL = "https://github.com/kinoroy/LibFido2Swift.git";
 			requirement = {
 				kind = upToNextMinorVersion;
-				minimumVersion = 0.1.0;
+				minimumVersion = 0.1.4;
 			};
 		};
 		CA9FF86B25951C6E00E47BAF /* XCRemoteSwiftPackageReference "data" */ = {
--- a/Xcodes.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
+++ b/Xcodes.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
@ -78,8 +78,8 @@
        "repositoryURL": "https://github.com/kinoroy/LibFido2Swift.git",
        "state": {
          "branch": null,
-          "revision": "b77e5c6451bea69d15615d6578936b11777d9a6c",
-          "version": "0.1.2"
+          "revision": "94d496d6f850dcbb3e8c4a27cd7eeabfad9f14e3",
+          "version": "0.1.4"
        }
      },
      {
--- a/Xcodes/Backend/AppState.swift
+++ b/Xcodes/Backend/AppState.swift
@ -305,12 +305,18 @@ class AppState: ObservableObject {
    }
    
    func handleTwoFactorOption(_ option: TwoFactorOption, authOptions: AuthOptionsResponse, serviceKey: String, sessionID: String, scnt: String) {
+        let sessionData = AppleSessionData(serviceKey: serviceKey, sessionID: sessionID, scnt: scnt)
+
+        if option == .securityKey, fido2DeviceIsPresent() && !fido2DeviceNeedsPin() {
+            createAndSubmitSecurityKeyAssertationWithPinCode(nil, sessionData: sessionData, authOptions: authOptions)
+        } else {
            self.presentedSheet = .twoFactor(.init(
                option: option,
                authOptions: authOptions,
-            sessionData: AppleSessionData(serviceKey: serviceKey, sessionID: sessionID, scnt: scnt)
+                sessionData: sessionData
            ))
        }
+    }

    func requestSMS(to trustedPhoneNumber: AuthOptionsResponse.TrustedPhoneNumber, authOptions: AuthOptionsResponse, sessionData: AppleSessionData) {        
        isProcessingAuthRequest = true
@ -355,9 +361,9 @@ class AppState: ObservableObject {
            .store(in: &cancellables)
    }
    
-    var fido2: FIDO2?
+    private lazy var fido2 = FIDO2()

-    func createAndSubmitSecurityKeyAssertationWithPinCode(_ pinCode: String, sessionData: AppleSessionData, authOptions: AuthOptionsResponse) {
+    func createAndSubmitSecurityKeyAssertationWithPinCode(_ pinCode: String?, sessionData: AppleSessionData, authOptions: AuthOptionsResponse) {
        self.presentedSheet = .securityKeyTouchToConfirm
        
        guard let fsaChallenge = authOptions.fsaChallenge else {
@ -379,8 +385,6 @@ class AppState: ObservableObject {

        Task {
            do {
-                let fido2 = FIDO2()
-                self.fido2 = fido2
                let response = try fido2.respondToChallenge(args: ChallengeArgs(rpId: rpId, validCredentials: validCreds, devPin: pinCode, challenge: challenge, origin: origin))
            
                Task { @MainActor in
@ -407,13 +411,31 @@ class AppState: ObservableObject {
                // we don't have to show an error
                // because the sheet will already be dismissed
            } catch {
+                Task { @MainActor in
                    authError = error
                }
            }
        }
+    }
+
+    func fido2DeviceIsPresent() -> Bool {
+        fido2.hasDeviceAttached()
+    }
+
+    func fido2DeviceNeedsPin() -> Bool {
+        do {
+            return try fido2.deviceHasPin()
+        } catch {
+            Task { @MainActor in
+                authError = error
+            }
+
+            return true
+        }
+    }
    
    func cancelSecurityKeyAssertationRequest() {
-        self.fido2?.cancel()
+        self.fido2.cancel()
    }
    
    private func handleAuthenticationFlowCompletion(_ completion: Subscribers.Completion<Error>) {
--- a/Xcodes/Frontend/SignIn/SignInSecurityKeyPinView.swift
+++ b/Xcodes/Frontend/SignIn/SignInSecurityKeyPinView.swift
@ -32,6 +32,9 @@ struct SignInSecurityKeyPinView: View {
                Button("Cancel", action: { isPresented = false })
                    .keyboardShortcut(.cancelAction)
                Spacer()
+
+                Button("PIN not set", action: submitWithoutPinCode)
+
                ProgressButton(isInProgress: appState.isProcessingAuthRequest,
                               action: submitPinCode) {
                    Text("Continue")
@ -50,6 +53,10 @@ struct SignInSecurityKeyPinView: View {
    func submitPinCode() {
        appState.createAndSubmitSecurityKeyAssertationWithPinCode(pin, sessionData: sessionData, authOptions: authOptions)
    }
+
+    func submitWithoutPinCode() {
+        appState.createAndSubmitSecurityKeyAssertationWithPinCode(nil, sessionData: sessionData, authOptions: authOptions)
+    }
 }

 #Preview {
--- a/Xcodes/Resources/Localizable.xcstrings
+++ b/Xcodes/Resources/Localizable.xcstrings
@ -237,6 +237,16 @@
        }
      }
    },
+    "%@ (%@)" : {
+      "localizations" : {
+        "en" : {
+          "stringUnit" : {
+            "state" : "new",
+            "value" : "%1$@ (%2$@)"
+          }
+        }
+      }
+    },
    "%@ %@ %@" : {
      "localizations" : {
        "ar" : {
@ -17907,6 +17917,9 @@
          }
        }
      }
+    },
+    "PIN not set" : {
+
    },
    "Platforms" : {
      "localizations" : {