Set pinProtocol for UV tokens when supported

This avoids situations where the authenticator is being used with extensions that require a pinProtocol, and the pinProtocol defaults to 1.
Yubico · Jul 30, 2023 · ff069fb · ff069fb
1 parent 963eae0
commit ff069fb
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/fido2/client.py b/fido2/client.py
@@ -533,8 +533,10 @@ def _get_auth_params(
         pin_token = None
         pin_auth = None
         internal_uv = False
+        client_pin = ClientPin(self.ctap2)
+        if client_pin.is_token_supported(self.info):
+            pin_protocol = client_pin.protocol
         if self._should_use_uv(user_verification, mc) or permissions:
-            client_pin = ClientPin(self.ctap2)
             allow_internal_uv = not permissions
             permissions |= (
                 ClientPin.PERMISSION.MAKE_CREDENTIAL
@@ -545,7 +547,6 @@ def _get_auth_params(
                 client_pin, permissions, rp_id, event, on_keepalive, allow_internal_uv
             )
             if pin_token:
-                pin_protocol = client_pin.protocol
                 pin_auth = client_pin.protocol.authenticate(pin_token, client_data.hash)
             else:
                 internal_uv = True