Disable CTAP2 pre-flight requests for hybrid transport

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 44e60b53ac8c · 2025-05-05T14:32:46.000+01:00
diff --git a/libwebauthn/src/transport/cable/channel.rs b/libwebauthn/src/transport/cable/channel.rs
@@ -104,6 +104,11 @@ impl<'d> Channel for CableChannel<'d> {
     fn get_state_sender(&self) -> &mpsc::Sender<UxUpdate> {
         &self.tx
     }
+
+    fn supports_preflight() -> bool {
+        // Disable pre-flight requests, as hybrid transport authenticators do not support silent requests.
+        false
+    }
 }
 
 impl<'d> Ctap2AuthTokenStore for CableChannel<'d> {
diff --git a/libwebauthn/src/transport/channel.rs b/libwebauthn/src/transport/channel.rs
@@ -47,6 +47,11 @@ pub trait Channel: Send + Sync + Display + Ctap2AuthTokenStore {
 
     async fn cbor_send(&mut self, request: &CborRequest, timeout: Duration) -> Result<(), Error>;
     async fn cbor_recv(&mut self, timeout: Duration) -> Result<CborResponse, Error>;
+
+    /// Allows channels to disable support for pre-flight requests
+    fn supports_preflight() -> bool {
+        true
+    }
 }
 
 #[derive(Debug, Clone, PartialEq, Eq)]
diff --git a/libwebauthn/src/webauthn.rs b/libwebauthn/src/webauthn.rs
@@ -125,10 +125,12 @@ where
         let get_info_response = self.ctap2_get_info().await?;
         let mut ctap2_request =
             Ctap2MakeCredentialRequest::from_webauthn_request(op, &get_info_response)?;
-        if let Some(exclude_list) = &op.exclude {
-            let filtered_exclude_list =
-                ctap2_preflight(self, exclude_list, &op.hash, &op.relying_party.id).await;
-            ctap2_request.exclude = Some(filtered_exclude_list);
+        if Self::supports_preflight() {
+            if let Some(exclude_list) = &op.exclude {
+                let filtered_exclude_list =
+                    ctap2_preflight(self, exclude_list, &op.hash, &op.relying_party.id).await;
+                ctap2_request.exclude = Some(filtered_exclude_list);
+            }
         }
         let response = loop {
             let uv_auth_used =
@@ -183,21 +185,24 @@ where
         let get_info_response = self.ctap2_get_info().await?;
         let mut ctap2_request =
             Ctap2GetAssertionRequest::from_webauthn_request(op, &get_info_response)?;
-        let filtered_allow_list =
-            ctap2_preflight(self, &op.allow, &op.hash, &op.relying_party_id).await;
-        if filtered_allow_list.is_empty() && !op.allow.is_empty() {
-            // We filtered out everything in preflight, meaning none of the allowed
-            // credentials are present on this device. So we error out here
-            // But the spec requires some form of user interaction, so we run a
-            // dummy request, ignore the result and error out.
-            warn!("Preflight removed all credentials from the allow-list. Sending dummy request and erroring out.");
-            let dummy_request = Ctap2MakeCredentialRequest::dummy();
-            self.send_state_update(UxUpdate::PresenceRequired).await;
-            let _ = self.ctap2_make_credential(&dummy_request, op.timeout).await;
-            return Err(Error::Ctap(CtapError::NoCredentials));
+
+        if Self::supports_preflight() {
+            let filtered_allow_list =
+                ctap2_preflight(self, &op.allow, &op.hash, &op.relying_party_id).await;
+            if filtered_allow_list.is_empty() && !op.allow.is_empty() {
+                // We filtered out everything in preflight, meaning none of the allowed
+                // credentials are present on this device. So we error out here
+                // But the spec requires some form of user interaction, so we run a
+                // dummy request, ignore the result and error out.
+                warn!("Preflight removed all credentials from the allow-list. Sending dummy request and erroring out.");
+                let dummy_request = Ctap2MakeCredentialRequest::dummy();
+                self.send_state_update(UxUpdate::PresenceRequired).await;
+                let _ = self.ctap2_make_credential(&dummy_request, op.timeout).await;
+                return Err(Error::Ctap(CtapError::NoCredentials));
+            }
+            ctap2_request.allow = filtered_allow_list;
         }
 
-        ctap2_request.allow = filtered_allow_list;
         let response = loop {
             let uv_auth_used =
                 user_verification(self, op.user_verification, &mut ctap2_request, op.timeout)

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,11 @@ impl<'d> Channel for CableChannel<'d> {`
`104`	`104`	`fn get_state_sender(&self) -> &mpsc::Sender<UxUpdate> {`
`105`	`105`	`&self.tx`
`106`	`106`	`}`
	`107`	`+`
	`108`	`+ fn supports_preflight() -> bool {`
	`109`	`+ // Disable pre-flight requests, as hybrid transport authenticators do not support silent requests.`
	`110`	`+ false`
	`111`	`+ }`
`107`	`112`	`}`
`108`	`113`
`109`	`114`	`impl<'d> Ctap2AuthTokenStore for CableChannel<'d> {`