Handle empty allowCredentials the same as absent in finishAssertion

Author: emlun

NEWS

@@ -1,8 +1,16 @@
 == Version 2.4.2 (unreleased) ==
 
+Changes:
+
 * Updated README and JavaDoc to use the "passkey" term and provide more guidance
   around passkey use cases.
 
+Fixes:
+
+* `RelyingParty.finishAssertion` now behaves the same if
+  `StartAssertionOptions.allowCredentials` is explicitly set to a present, empty
+  list as when absent.
+
 
 == Version 2.4.1 ==
 

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java

@@ -111,6 +111,7 @@ public void validate() {
       request
           .getPublicKeyCredentialRequestOptions()
           .getAllowCredentials()
+          .filter(allowCredentials -> !allowCredentials.isEmpty())
           .ifPresent(
               allowed -> {
                 assertTrue(

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -594,14 +594,21 @@ class RelyingPartyAssertionSpec
           }
 
           it("Succeeds if no credential IDs were requested.") {
-            val steps = finishAssertion(
-              allowCredentials = None,
-              credentialId = new ByteArray(Array(0, 1, 2, 3)),
-            )
-            val step: FinishAssertionSteps#Step5 = steps.begin
+            for {
+              allowCredentials <- List(
+                None,
+                Some(List.empty[PublicKeyCredentialDescriptor].asJava),
+              )
+            } {
+              val steps = finishAssertion(
+                allowCredentials = allowCredentials,
+                credentialId = new ByteArray(Array(0, 1, 2, 3)),
+              )
+              val step: FinishAssertionSteps#Step5 = steps.begin
 
-            step.validations shouldBe a[Success[_]]
-            step.tryNext shouldBe a[Success[_]]
+              step.validations shouldBe a[Success[_]]
+              step.tryNext shouldBe a[Success[_]]
+            }
           }
         }