Pass ClientPin.PERMISSIONS when 0.

dainnilsson · dainnilsson · commit e095fc4d930e · 2026-04-13T09:58:47.000+02:00
This will most likely be rejected by the Authenticator, but it seems
more correct to pass the value rather than ignore it.
diff --git a/fido2/ctap2/pin.py b/fido2/ctap2/pin.py
@@ -304,7 +304,7 @@ def get_pin_token(
         pin_hash = sha256(pin.encode())[:16]
         pin_hash_enc = self.protocol.encrypt(shared_secret, pin_hash)
 
-        if ClientPin.is_token_supported(self.ctap.info) and permissions:
+        if ClientPin.is_token_supported(self.ctap.info) and permissions is not None:
             cmd = ClientPin.CMD.GET_TOKEN_USING_PIN
         else:
             cmd = ClientPin.CMD.GET_TOKEN_USING_PIN_LEGACY
diff --git a/tests/device/test_credman.py b/tests/device/test_credman.py
@@ -155,7 +155,7 @@ def test_missing_permissions(ctap2, pin_protocol):
     if not ClientPin.is_token_supported(ctap2.info):
         pytest.skip("Permissions not supported")
 
-    credman = get_credman(ctap2, pin_protocol, ClientPin.PERMISSION(0))
+    credman = get_credman(ctap2, pin_protocol, ClientPin.PERMISSION.LARGE_BLOB_WRITE)
 
     with pytest.raises(CtapError, match="PIN_AUTH_INVALID"):
         credman.get_metadata()
