fido: Add user handle to credential search parameters

iinuwa · iinuwa · commit 4e5cb4ab7d62 · 2025-12-10T15:02:13.000-06:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/bitwarden-fido/Cargo.toml b/crates/bitwarden-fido/Cargo.toml
@@ -27,8 +27,8 @@ chrono = { workspace = true }
 coset = ">=0.3.7, <0.4"
 itertools = ">=0.13.0, <0.15"
 p256 = ">=0.13.2, <0.14"
-passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "eddb5d5599c81a0674f37e5f2935eb7ec4e9e423" }
-passkey-client = { git = "https://github.com/bitwarden/passkey-rs", rev = "eddb5d5599c81a0674f37e5f2935eb7ec4e9e423", features = [
+passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "739d10d34e66a8dfaa16fc8ca15189950a43eb16" }
+passkey-client = { git = "https://github.com/bitwarden/passkey-rs", rev = "739d10d34e66a8dfaa16fc8ca15189950a43eb16", features = [
     "android-asset-validation",
 ] }
 reqwest = { workspace = true }
diff --git a/crates/bitwarden-fido/src/authenticator.rs b/crates/bitwarden-fido/src/authenticator.rs
@@ -255,9 +255,13 @@ impl<'a> Fido2Authenticator<'a> {
     pub async fn silently_discover_credentials(
         &mut self,
         rp_id: String,
+        user_handle: Option<Vec<u8>>,
     ) -> Result<Vec<Fido2CredentialAutofillView>, SilentlyDiscoverCredentialsError> {
         let key_store = self.client.internal.get_key_store();
-        let result = self.credential_store.find_credentials(None, rp_id).await?;
+        let result = self
+            .credential_store
+            .find_credentials(None, rp_id, user_handle)
+            .await?;
 
         let mut ctx = key_store.context();
         result
@@ -353,7 +357,7 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
         &self,
         ids: Option<&[passkey::types::webauthn::PublicKeyCredentialDescriptor]>,
         rp_id: &str,
-        _user_handle: Option<&[u8]>,
+        user_handle: Option<&[u8]>,
     ) -> Result<Vec<Self::PasskeyItem>, StatusCode> {
         #[derive(Debug, Error)]
         enum InnerError {
@@ -370,14 +374,15 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             this: &CredentialStoreImpl<'_>,
             ids: Option<&[passkey::types::webauthn::PublicKeyCredentialDescriptor]>,
             rp_id: &str,
+            user_handle: Option<&[u8]>,
         ) -> Result<Vec<CipherViewContainer>, InnerError> {
             let ids: Option<Vec<Vec<u8>>> =
                 ids.map(|ids| ids.iter().map(|id| id.id.clone().into()).collect());
 
             let ciphers = this
                 .authenticator
                 .credential_store
-                .find_credentials(ids, rp_id.to_string())
+                .find_credentials(ids, rp_id.to_string(), user_handle.map(|h| h.to_vec()))
                 .await?;
 
             // Remove any that don't have Fido2 credentials
@@ -420,7 +425,7 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             }
         }
 
-        inner(self, ids, rp_id).await.map_err(|error| {
+        inner(self, ids, rp_id, user_handle).await.map_err(|error| {
             error!(%error, "Error finding credentials.");
             VendorError::try_from(0xF0)
                 .expect("Valid vendor error code")
diff --git a/crates/bitwarden-fido/src/traits.rs b/crates/bitwarden-fido/src/traits.rs
@@ -42,7 +42,7 @@ pub trait Fido2CredentialStore: Send + Sync {
         &self,
         ids: Option<Vec<Vec<u8>>>,
         rip_id: String,
-        // TODO: Add user_handle
+        user_handle: Option<Vec<u8>>,
     ) -> Result<Vec<CipherView>, Fido2CallbackError>;
 
     async fn all_credentials(&self) -> Result<Vec<CipherListView>, Fido2CallbackError>;
diff --git a/crates/bitwarden-uniffi/src/platform/fido2.rs b/crates/bitwarden-uniffi/src/platform/fido2.rs
@@ -92,13 +92,14 @@ impl ClientFido2Authenticator {
     pub async fn silently_discover_credentials(
         &self,
         rp_id: String,
+        user_handle: Option<Vec<u8>>,
     ) -> Result<Vec<Fido2CredentialAutofillView>> {
         let ui = UniffiTraitBridge(self.1.as_ref());
         let cs = UniffiTraitBridge(self.2.as_ref());
         let mut auth = self.0.create_authenticator(&ui, &cs);
 
         let result = auth
-            .silently_discover_credentials(rp_id)
+            .silently_discover_credentials(rp_id, user_handle)
             .await
             .map_err(Error::SilentlyDiscoverCredentials)?;
         Ok(result)
@@ -241,6 +242,7 @@ pub trait Fido2CredentialStore: Send + Sync {
         &self,
         ids: Option<Vec<Vec<u8>>>,
         rip_id: String,
+        user_handle: Option<Vec<u8>>,
     ) -> Result<Vec<CipherView>, Fido2CallbackError>;
 
     async fn all_credentials(&self) -> Result<Vec<CipherListView>, Fido2CallbackError>;
@@ -260,9 +262,10 @@ impl bitwarden_fido::Fido2CredentialStore for UniffiTraitBridge<&dyn Fido2Creden
         &self,
         ids: Option<Vec<Vec<u8>>>,
         rip_id: String,
+        user_handle: Option<Vec<u8>>,
     ) -> Result<Vec<CipherView>, BitFido2CallbackError> {
         self.0
-            .find_credentials(ids, rip_id)
+            .find_credentials(ids, rip_id, user_handle)
             .await
             .map_err(Into::into)
     }
