Add pin_token to prepare_inputs

fido2/client.py

@@ -710,7 +710,7 @@ def _do_make():
             extension_inputs = {}
             try:
                 for ext in used_extensions:
-                    auth_input = ext.prepare_inputs()
+                    auth_input = ext.prepare_inputs(pin_token)
                     if auth_input:
                         extension_inputs.update(auth_input)
             except ValueError as e:
@@ -856,7 +856,7 @@ def _do_auth():
             extension_inputs = {}
             try:
                 for ext in used_extensions:
-                    inputs = ext.prepare_inputs(selected_cred)
+                    inputs = ext.prepare_inputs(selected_cred, pin_token)
                     if inputs:
                         extension_inputs.update(inputs)
             except ValueError as e:

fido2/ctap2/extensions.py

@@ -99,7 +99,7 @@ class RegistrationExtensionProcessor(ExtensionProcessor):
     :param permissions: PinUvAuthToken permissions required by the extension.
     """
 
-    def prepare_inputs(self) -> Optional[Dict[str, Any]]:
+    def prepare_inputs(self, pin_token: Optional[bytes]) -> Optional[Dict[str, Any]]:
         "Prepare authenticator extension inputs, to be passed to the Authenenticator."
         return self._inputs
 
@@ -122,7 +122,9 @@ class AuthenticationExtensionProcessor(ExtensionProcessor):
     """
 
     def prepare_inputs(
-        self, selected: Optional[PublicKeyCredentialDescriptor]
+        self,
+        selected: Optional[PublicKeyCredentialDescriptor],
+        pin_token: Optional[bytes],
     ) -> Optional[Dict[str, Any]]:
         "Prepare authenticator extension inputs, to be passed to the Authenenticator."
         return self._inputs
@@ -201,7 +203,7 @@ def make_credential(
         ext = self
 
         class Processor(RegistrationExtensionProcessor):
-            def prepare_inputs(self):
+            def prepare_inputs(self, pin_token):
                 processed = ext.process_create_input(inputs)
                 self._has_input = processed is not None
                 return {ext.NAME: processed} if self._has_input else None
@@ -236,7 +238,7 @@ def get_assertion(
         class Processor(AuthenticationExtensionProcessor):
             _has_input: bool
 
-            def prepare_inputs(self, selected):
+            def prepare_inputs(self, selected, pin_token):
                 processed = ext.process_get_input(inputs)
                 self._has_input = processed is not None
                 return {ext.NAME: processed} if self._has_input else None
@@ -362,7 +364,7 @@ def make_credential(self, ctap, options, pin_protocol):
         if self.is_supported(ctap) and (prf or hmac):
 
             class Processor(RegistrationExtensionProcessor):
-                def prepare_inputs(self):
+                def prepare_inputs(self, pin_token):
                     return {HmacSecretExtension.NAME: True}
 
                 def prepare_outputs(self, response, pin_token):
@@ -384,12 +386,12 @@ def get_assertion(self, ctap, options, pin_protocol):
             else None
         )
 
-        if self.is_supported(ctap) and (prf or hmac):
+        if pin_protocol and self.is_supported(ctap) and (prf or hmac):
             client_pin = ClientPin(ctap, pin_protocol)
             key_agreement, shared_secret = client_pin._get_shared_secret()
 
             class Processing(AuthenticationExtensionProcessor):
-                def prepare_inputs(self, selected):
+                def prepare_inputs(self, selected, pin_token):
                     if prf:
                         secrets = prf.eval
                         by_creds = prf.eval_by_credential
@@ -553,7 +555,7 @@ def make_credential(self, ctap, options, pin_protocol):
                 raise ValueError("Authenticator does not support large blob storage")
 
             class Processor(RegistrationExtensionProcessor):
-                def prepare_inputs(self):
+                def prepare_inputs(self, pin_token):
                     return {LargeBlobExtension.NAME: True}
 
                 def prepare_outputs(self, response, pin_token):