From ffe19e152b4bc334a188f7e35fcaf1bf51853ca2 Mon Sep 17 00:00:00 2001
From: Fabian Kaczmarczyck <kaczmarczyck@google.com>
Date: Tue, 24 Nov 2020 17:17:18 +0100
Subject: [PATCH] moves UP check in GetAssertion before NO_CREDENTIALS

---
 src/ctap/mod.rs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/ctap/mod.rs b/src/ctap/mod.rs
index 1f91f4f..98058ce 100644
--- a/src/ctap/mod.rs
+++ b/src/ctap/mod.rs
@@ -736,15 +736,17 @@ where
         }
         credentials.sort_unstable_by_key(|c| c.creation_order);
 
+        // This check comes before CTAP2_ERR_NO_CREDENTIALS in CTAP 2.0.
+        // For CTAP 2.1, it was moved to a later protocol step.
+        if options.up {
+            (self.check_user_presence)(cid)?;
+        }
+
         let (credential, remaining_credentials) = credentials
             .split_last()
             .ok_or(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)?;
         self.next_credentials = remaining_credentials.to_vec();
 
-        if options.up {
-            (self.check_user_presence)(cid)?;
-        }
-
         self.increment_global_signature_counter()?;
 
         let assertion_input = AssertionInput {