Display FIDO PIN Block Status and PIN retries

helper/helper/fido.py

@@ -88,7 +88,6 @@ class Ctap2Node(RpcNode):
         self.ctap = Ctap2(connection)
         self._info = self.ctap.info
         self.client_pin = ClientPin(self.ctap)
-        self._auth_blocked = False
         self._token = None
 
     def get_data(self):
@@ -96,7 +95,6 @@ class Ctap2Node(RpcNode):
         logger.debug(f"Info: {self._info}")
         data = dict(
             info=asdict(self._info),
-            auth_blocked=self._auth_blocked,
             unlocked=self._token is not None,
         )
         if self._info.options.get("clientPin"):
@@ -190,7 +188,6 @@ class Ctap2Node(RpcNode):
             if e.code == CtapError.ERR.USER_ACTION_TIMEOUT:
                 raise InactivityException()
         self._info = self.ctap.get_info()
-        self._auth_blocked = False
         self._token = None
         return dict()
 

lib/desktop/fido/state.dart

@@ -153,6 +153,7 @@ class _DesktopFidoStateNotifier extends FidoStateNotifier {
       return unlock(newPin);
     } on RpcError catch (e) {
       if (e.status == 'pin-validation') {
+        ref.invalidateSelf();
         return PinResult.failed(FidoPinFailureReason.invalidPin(
             e.body['retries'], e.body['auth_blocked']));
       }
@@ -176,6 +177,7 @@ class _DesktopFidoStateNotifier extends FidoStateNotifier {
     } on RpcError catch (e) {
       if (e.status == 'pin-validation') {
         _pinController.state = null;
+        ref.invalidateSelf();
         return PinResult.failed(FidoPinFailureReason.invalidPin(
             e.body['retries'], e.body['auth_blocked']));
       }

lib/fido/models.dart

@@ -27,7 +27,8 @@ class FidoState with _$FidoState {
 
   factory FidoState(
       {required Map<String, dynamic> info,
-      required bool unlocked}) = _FidoState;
+      required bool unlocked,
+      int? pinRetries}) = _FidoState;
 
   factory FidoState.fromJson(Map<String, dynamic> json) =>
       _$FidoStateFromJson(json);
@@ -47,6 +48,8 @@ class FidoState with _$FidoState {
   bool get alwaysUv => info['options']['alwaysUv'] == true;
 
   bool get forcePinChange => info['force_pin_change'] == true;
+
+  bool get pinBlocked => pinRetries == 0;
 }
 
 @freezed

lib/fido/models.freezed.dart

@@ -22,6 +22,7 @@ FidoState _$FidoStateFromJson(Map<String, dynamic> json) {
 mixin _$FidoState {
   Map<String, dynamic> get info => throw _privateConstructorUsedError;
   bool get unlocked => throw _privateConstructorUsedError;
+  int? get pinRetries => throw _privateConstructorUsedError;
 
   Map<String, dynamic> toJson() => throw _privateConstructorUsedError;
   @JsonKey(ignore: true)
@@ -34,7 +35,7 @@ abstract class $FidoStateCopyWith<$Res> {
   factory $FidoStateCopyWith(FidoState value, $Res Function(FidoState) then) =
       _$FidoStateCopyWithImpl<$Res, FidoState>;
   @useResult
-  $Res call({Map<String, dynamic> info, bool unlocked});
+  $Res call({Map<String, dynamic> info, bool unlocked, int? pinRetries});
 }
 
 /// @nodoc
@@ -52,6 +53,7 @@ class _$FidoStateCopyWithImpl<$Res, $Val extends FidoState>
   $Res call({
     Object? info = null,
     Object? unlocked = null,
+    Object? pinRetries = freezed,
   }) {
     return _then(_value.copyWith(
       info: null == info
@@ -62,6 +64,10 @@ class _$FidoStateCopyWithImpl<$Res, $Val extends FidoState>
           ? _value.unlocked
           : unlocked // ignore: cast_nullable_to_non_nullable
               as bool,
+      pinRetries: freezed == pinRetries
+          ? _value.pinRetries
+          : pinRetries // ignore: cast_nullable_to_non_nullable
+              as int?,
     ) as $Val);
   }
 }
@@ -74,7 +80,7 @@ abstract class _$$FidoStateImplCopyWith<$Res>
       __$$FidoStateImplCopyWithImpl<$Res>;
   @override
   @useResult
-  $Res call({Map<String, dynamic> info, bool unlocked});
+  $Res call({Map<String, dynamic> info, bool unlocked, int? pinRetries});
 }
 
 /// @nodoc
@@ -90,6 +96,7 @@ class __$$FidoStateImplCopyWithImpl<$Res>
   $Res call({
     Object? info = null,
     Object? unlocked = null,
+    Object? pinRetries = freezed,
   }) {
     return _then(_$FidoStateImpl(
       info: null == info
@@ -100,6 +107,10 @@ class __$$FidoStateImplCopyWithImpl<$Res>
           ? _value.unlocked
           : unlocked // ignore: cast_nullable_to_non_nullable
               as bool,
+      pinRetries: freezed == pinRetries
+          ? _value.pinRetries
+          : pinRetries // ignore: cast_nullable_to_non_nullable
+              as int?,
     ));
   }
 }
@@ -108,7 +119,9 @@ class __$$FidoStateImplCopyWithImpl<$Res>
 @JsonSerializable()
 class _$FidoStateImpl extends _FidoState {
   _$FidoStateImpl(
-      {required final Map<String, dynamic> info, required this.unlocked})
+      {required final Map<String, dynamic> info,
+      required this.unlocked,
+      this.pinRetries})
       : _info = info,
         super._();
 
@@ -125,10 +138,12 @@ class _$FidoStateImpl extends _FidoState {
 
   @override
   final bool unlocked;
+  @override
+  final int? pinRetries;
 
   @override
   String toString() {
-    return 'FidoState(info: $info, unlocked: $unlocked)';
+    return 'FidoState(info: $info, unlocked: $unlocked, pinRetries: $pinRetries)';
   }
 
   @override
@@ -138,13 +153,15 @@ class _$FidoStateImpl extends _FidoState {
             other is _$FidoStateImpl &&
             const DeepCollectionEquality().equals(other._info, _info) &&
             (identical(other.unlocked, unlocked) ||
-                other.unlocked == unlocked));
+                other.unlocked == unlocked) &&
+            (identical(other.pinRetries, pinRetries) ||
+                other.pinRetries == pinRetries));
   }
 
   @JsonKey(ignore: true)
   @override
-  int get hashCode => Object.hash(
+  int get hashCode => Object.hash(runtimeType,
-      runtimeType, const DeepCollectionEquality().hash(_info), unlocked);
+      const DeepCollectionEquality().hash(_info), unlocked, pinRetries);
 
   @JsonKey(ignore: true)
   @override
@@ -163,7 +180,8 @@ class _$FidoStateImpl extends _FidoState {
 abstract class _FidoState extends FidoState {
   factory _FidoState(
       {required final Map<String, dynamic> info,
-      required final bool unlocked}) = _$FidoStateImpl;
+      required final bool unlocked,
+      final int? pinRetries}) = _$FidoStateImpl;
   _FidoState._() : super._();
 
   factory _FidoState.fromJson(Map<String, dynamic> json) =
@@ -174,6 +192,8 @@ abstract class _FidoState extends FidoState {
   @override
   bool get unlocked;
   @override
+  int? get pinRetries;
+  @override
   @JsonKey(ignore: true)
   _$$FidoStateImplCopyWith<_$FidoStateImpl> get copyWith =>
       throw _privateConstructorUsedError;

lib/fido/models.g.dart

@@ -10,12 +10,14 @@ _$FidoStateImpl _$$FidoStateImplFromJson(Map<String, dynamic> json) =>
     _$FidoStateImpl(
       info: json['info'] as Map<String, dynamic>,
       unlocked: json['unlocked'] as bool,
+      pinRetries: json['pin_retries'] as int?,
     );
 
 Map<String, dynamic> _$$FidoStateImplToJson(_$FidoStateImpl instance) =>
     <String, dynamic>{
       'info': instance.info,
       'unlocked': instance.unlocked,
+      'pin_retries': instance.pinRetries,
     };
 
 _$FingerprintImpl _$$FingerprintImplFromJson(Map<String, dynamic> json) =>

lib/fido/views/key_actions.dart

@@ -48,6 +48,7 @@ Widget _fidoBuildActions(BuildContext context, DeviceNode node, FidoState state,
   final l10n = AppLocalizations.of(context)!;
   final colors = Theme.of(context).buttonTheme.colorScheme ??
       Theme.of(context).colorScheme;
+  final authBlocked = state.pinBlocked;
 
   return Column(
     children: [
@@ -86,25 +87,34 @@ Widget _fidoBuildActions(BuildContext context, DeviceNode node, FidoState state,
         l10n.s_manage,
         children: [
           ActionListItem(
-              key: keys.managePinAction,
+            key: keys.managePinAction,
-              feature: features.actionsPin,
+            feature: features.actionsPin,
-              icon: const Icon(Symbols.pin),
+            icon: const Icon(Symbols.pin),
-              title: state.hasPin ? l10n.s_change_pin : l10n.s_set_pin,
+            title: state.hasPin ? l10n.s_change_pin : l10n.s_set_pin,
-              subtitle: state.hasPin
+            subtitle: authBlocked
-                  ? (state.forcePinChange
+                ? l10n.l_pin_blocked
-                      ? l10n.s_pin_change_required
+                : state.hasPin
-                      : l10n.s_fido_pin_protection)
+                    ? (state.forcePinChange
-                  : l10n.s_fido_pin_protection,
+                        ? l10n.s_pin_change_required
-              trailing: state.alwaysUv && !state.hasPin || state.forcePinChange
+                        : state.pinRetries != null
-                  ? Icon(Symbols.warning_amber, color: colors.tertiary)
+                            ? l10n.l_attempts_remaining(state.pinRetries!)
-                  : null,
+                            : l10n.s_fido_pin_protection)
-              onTap: (context) {
+                    : l10n.s_fido_pin_protection,
-                Navigator.of(context).popUntil((route) => route.isFirst);
+            trailing: authBlocked ||
-                showBlurDialog(
+                    state.alwaysUv && !state.hasPin ||
-                  context: context,
+                    state.forcePinChange
-                  builder: (context) => FidoPinDialog(node.path, state),
+                ? Icon(Symbols.warning_amber, color: colors.tertiary)
-                );
+                : null,
-              }),
+            onTap: !authBlocked
+                ? (context) {
+                    Navigator.of(context).popUntil((route) => route.isFirst);
+                    showBlurDialog(
+                      context: context,
+                      builder: (context) => FidoPinDialog(node.path, state),
+                    );
+                  }
+                : null,
+          ),
         ],
       )
     ],

lib/fido/views/pin_dialog.dart

@@ -87,6 +87,8 @@ class _FidoPinDialogState extends ConsumerState<FidoPinDialog> {
     final hasPinComplexity =
         ref.read(currentDeviceDataProvider).valueOrNull?.info.pinComplexity ??
             false;
+    final pinRetries = ref.watch(fidoStateProvider(widget.devicePath)
+        .select((s) => s.whenOrNull(data: (state) => state.pinRetries)));
 
     return ResponsiveDialog(
       title: Text(hasPin ? l10n.s_change_pin : l10n.s_set_pin),
@@ -115,6 +117,9 @@ class _FidoPinDialogState extends ConsumerState<FidoPinDialog> {
                   enabled: !_isBlocked,
                   border: const OutlineInputBorder(),
                   labelText: l10n.s_current_pin,
+                  helperText: pinRetries != null && pinRetries <= 3
+                      ? l10n.l_attempts_remaining(pinRetries)
+                      : '', // Prevents dialog resizing
                   errorText: _currentIsWrong ? _currentPinError : null,
                   errorMaxLines: 3,
                   prefixIcon: const Icon(Symbols.pin),
@@ -249,8 +254,10 @@ class _FidoPinDialogState extends ConsumerState<FidoPinDialog> {
                   extentOffset: _currentPinController.text.length);
               _currentPinFocus.requestFocus();
               setState(() {
-                if (authBlocked) {
+                if (authBlocked || retries == 0) {
-                  _currentPinError = l10n.l_pin_soft_locked;
+                  _currentPinError = retries == 0
+                      ? l10n.l_pin_blocked_reset
+                      : l10n.l_pin_soft_locked;
                   _currentIsWrong = true;
                   _isBlocked = true;
                 } else {

lib/fido/views/pin_entry_form.dart

@@ -82,7 +82,7 @@ class _PinEntryFormState extends ConsumerState<PinEntryForm> {
 
   String? _getErrorText() {
     final l10n = AppLocalizations.of(context)!;
-    if (_retries == 0) {
+    if (widget._state.pinBlocked || _retries == 0) {
       return l10n.l_pin_blocked_reset;
     }
     if (_blocked) {
@@ -98,6 +98,8 @@ class _PinEntryFormState extends ConsumerState<PinEntryForm> {
   Widget build(BuildContext context) {
     final l10n = AppLocalizations.of(context)!;
     final noFingerprints = widget._state.bioEnroll == false;
+    final authBlocked = widget._state.pinBlocked;
+    final pinRetries = widget._state.pinRetries;
     return Padding(
       padding: const EdgeInsets.only(left: 18.0, right: 18, top: 8),
       child: Column(
@@ -113,12 +115,14 @@ class _PinEntryFormState extends ConsumerState<PinEntryForm> {
               autofillHints: const [AutofillHints.password],
               controller: _pinController,
               focusNode: _pinFocus,
-              enabled: !_blocked && (_retries ?? 1) > 0,
+              enabled: !authBlocked && !_blocked && (_retries ?? 1) > 0,
               decoration: AppInputDecoration(
                 border: const OutlineInputBorder(),
                 labelText: l10n.s_pin,
-                helperText: '', // Prevents dialog resizing
+                helperText: pinRetries != null && pinRetries <= 3
-                errorText: _pinIsWrong ? _getErrorText() : null,
+                    ? l10n.l_attempts_remaining(pinRetries)
+                    : '', // Prevents dialog resizing
+                errorText: _pinIsWrong || authBlocked ? _getErrorText() : null,
                 errorMaxLines: 3,
                 prefixIcon: const Icon(Symbols.pin),
                 suffixIcon: IconButton(

lib/l10n/app_de.arb

@@ -295,6 +295,7 @@
     "l_fido_pin_protection_optional": "Optionaler FIDO PIN Schutz",
     "l_enter_fido2_pin": "Geben Sie die FIDO2 PIN für Ihren YubiKey ein",
     "l_pin_blocked_reset": "PIN ist blockiert; setzen Sie die FIDO Anwendung auf Werkseinstellung zurück",
+    "l_pin_blocked": null,
     "l_set_pin_first": "Zuerst ist eine PIN erforderlich",
     "l_unlock_pin_first": "Zuerst mit PIN entsperren",
     "l_pin_soft_locked": "PIN wurde blockiert bis der YubiKey entfernt und wieder angeschlossen wird",

lib/l10n/app_en.arb

@@ -295,6 +295,7 @@
     "l_fido_pin_protection_optional": "Optional FIDO PIN protection",
     "l_enter_fido2_pin": "Enter the FIDO2 PIN for your YubiKey",
     "l_pin_blocked_reset": "PIN is blocked; factory reset the FIDO application",
+    "l_pin_blocked": "PIN is blocked",
     "l_set_pin_first": "A PIN is required first",
     "l_unlock_pin_first": "Unlock with PIN first",
     "l_pin_soft_locked": "PIN has been blocked until the YubiKey is removed and reinserted",

lib/l10n/app_fr.arb

@@ -295,6 +295,7 @@
     "l_fido_pin_protection_optional": "PIN de protection optionnel FIDO",
     "l_enter_fido2_pin": "Entrez le PIN FIDO2 de votre YubiKey",
     "l_pin_blocked_reset": "PIN bloqué; Réinitialisez à l'état d'usine le FIDO",
+    "l_pin_blocked": null,
     "l_set_pin_first": "Un PIN est d'abord requis",
     "l_unlock_pin_first": "Débloquez avec un PIN d'abord",
     "l_pin_soft_locked": "Le PIN est bloqué tant que votre YubiKey ne sera pas réinsérée",

lib/l10n/app_ja.arb

@@ -295,6 +295,7 @@
     "l_fido_pin_protection_optional": "任意FIDO PINによる保護",
     "l_enter_fido2_pin": "YubiKeyのFIDO2 PINを入力してください",
     "l_pin_blocked_reset": "PINはブロックされています。FIDOアプリケーションを出荷時設定にリセットしてください",
+    "l_pin_blocked": null,
     "l_set_pin_first": "最初にPINが必要です",
     "l_unlock_pin_first": "最初にPINでロックを解除してください",
     "l_pin_soft_locked": "YubiKeyを取り外して再挿入するまで、PINはブロックされています",

lib/l10n/app_pl.arb

@@ -295,6 +295,7 @@
     "l_fido_pin_protection_optional": "Opcjonalna ochrona FIDO kodem PIN",
     "l_enter_fido2_pin": "Wprowadź kod PIN FIDO2 klucza YubiKey",
     "l_pin_blocked_reset": "PIN jest zablokowany; przywróć ustawienia fabryczne funkcji FIDO",
+    "l_pin_blocked": null,
     "l_set_pin_first": "Najpierw wymagany jest kod PIN",
     "l_unlock_pin_first": "Najpierw odblokuj kodem PIN",
     "l_pin_soft_locked": "PIN został zablokowany do momentu ponownego podłączenia klucza YubiKey",