WebKit
diff --git a/‎Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp‎
Lines changed: 1 addition & 0 deletions b/‎Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Source/WebCore/Modules/webauthn/fido/FidoConstants.h‎
Lines changed: 1 addition & 0 deletions b/‎Source/WebCore/Modules/webauthn/fido/FidoConstants.h‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticatorPresenterCoordinator.mm‎
Lines changed: 2 additions & 2 deletions b/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticatorPresenterCoordinator.mm‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidConnection.h‎
Lines changed: 14 additions & 9 deletions b/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidConnection.h‎
Lines changed: 14 additions & 9 deletions
diff --git a/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidConnection.mm‎
Lines changed: 141 additions & 18 deletions b/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidConnection.mm‎
Lines changed: 141 additions & 18 deletions
diff --git a/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidService.h‎
Lines changed: 2 additions & 1 deletion b/‎Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidService.h‎
Lines changed: 2 additions & 1 deletion
@@ -100,6 +100,7 @@ bool isCtapDeviceResponseCode(CtapDeviceResponseCode code)
     case CtapDeviceResponseCode::kCtap2ErrKeepAliveCancel:
     case CtapDeviceResponseCode::kCtap2ErrNoCredentials:
     case CtapDeviceResponseCode::kCtap2ErrUserActionTimeout:
+    case CtapDeviceResponseCode::kCtap2ErrUserPresenceRequired:
     case CtapDeviceResponseCode::kCtap2ErrNotAllowed:
     case CtapDeviceResponseCode::kCtap2ErrPinInvalid:
     case CtapDeviceResponseCode::kCtap2ErrPinBlocked:
 
@@ -110,6 +110,7 @@ enum class CtapDeviceResponseCode : uint8_t {
     kCtap2ErrPinTokenExpired = 0x38,
     kCtap2ErrRequestTooLarge = 0x39,
     kCtap2ErrActionTimeout = 0x3A,
+    kCtap2ErrUserPresenceRequired = 0x3B,
     kCtap2ErrOther = 0x7F,
     kCtap2ErrSpecLast = 0xDF,
     kCtap2ErrExtensionFirst = 0xE0,
 
@@ -115,12 +115,12 @@
     switch (status) {
     case WebAuthenticationStatus::PinBlocked: {
         auto error = adoptNS([[NSError alloc] initWithDomain:ASCAuthorizationErrorDomain code:ASCAuthorizationErrorAuthenticatorPermanentlyLocked userInfo:nil]);
-        m_credentialRequestHandler(nil, error.get());
+        [m_presenter updateInterfaceForUserVisibleError:error.get()];
         break;
     }
     case WebAuthenticationStatus::PinAuthBlocked: {
         auto error = adoptNS([[NSError alloc] initWithDomain:ASCAuthorizationErrorDomain code:ASCAuthorizationErrorAuthenticatorTemporarilyLocked userInfo:nil]);
-        m_credentialRequestHandler(nil, error.get());
+        [m_presenter updateInterfaceForUserVisibleError:error.get()];
         break;
     }
     case WebAuthenticationStatus::PinInvalid: {
 
@@ -27,11 +27,14 @@
 
 #if ENABLE(WEB_AUTHN)
 
+#include <wtf/Deque.h>
 #include <wtf/RetainPtr.h>
-#include <wtf/RunLoop.h>
 #include <wtf/ThreadSafeWeakPtr.h>
+#include <wtf/WeakPtr.h>
 
 OBJC_CLASS TKSmartCard;
+OBJC_CLASS TKSmartCardSlot;
+OBJC_CLASS WKSmartCardObserver;
 
 namespace WebKit {
 
@@ -40,27 +43,29 @@ using DataReceivedCallback = Function<void(Vector<uint8_t>&&)>;
 
 class CcidConnection : public ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr<CcidConnection> {
 public:
-    static Ref<CcidConnection> create(RetainPtr<TKSmartCard>&&, CcidService&);
+    static Ref<CcidConnection> create(RetainPtr<TKSmartCard>&&, RetainPtr<TKSmartCardSlot>&&, CcidService&);
     ~CcidConnection();
 
-    void transact(Vector<uint8_t>&& data, DataReceivedCallback&&) const;
-    void stop() const;
+    void transact(Vector<uint8_t>&& data, DataReceivedCallback&&);
+    void stop();
     bool contactless() const { return m_contactless; };
 
 private:
-    CcidConnection(RetainPtr<TKSmartCard>&&, CcidService&);
+    CcidConnection(RetainPtr<TKSmartCard>&&, RetainPtr<TKSmartCardSlot>&&, CcidService&);
 
-    void restartPolling();
     void startPolling();
-
     void detectContactless();
-
     void trySelectFidoApplet();
+    void processPendingRequests();
 
     const RetainPtr<TKSmartCard> m_smartCard;
+    RetainPtr<TKSmartCardSlot> m_slot;
     WeakPtr<CcidService> m_service;
-    RunLoop::Timer m_retryTimer;
+    Deque<std::pair<Vector<uint8_t>, DataReceivedCallback>> m_pendingRequests;
     bool m_contactless { false };
+    bool m_hasSession { false };
+    bool m_sessionPending { false };
+    RetainPtr<WKSmartCardObserver> m_observer;
 };
 
 } // namespace WebKit
 
@@ -28,30 +28,98 @@
 
 #if ENABLE(WEB_AUTHN)
 #import "CcidService.h"
+#import "Logging.h"
 #import <CryptoTokenKit/TKSmartCard.h>
 #import <WebCore/FidoConstants.h>
 #import <wtf/BlockPtr.h>
+#import <wtf/Function.h>
 #import <wtf/StdLibExtras.h>
 #import <wtf/cocoa/VectorCocoa.h>
 
+#define CCID_RELEASE_LOG(fmt, ...) RELEASE_LOG(WebAuthn, "%p - CcidConnection::" fmt, this, ##__VA_ARGS__)
+
+// SPI for TKSmartCardSlot reinsertion
+@interface TKSmartCardSlot (SPI)
+- (BOOL)simulateCardReinsertionWithError:(NSError **)error;
+@end
+
+@interface WKSmartCardObserver : NSObject
+- (instancetype)initWithCard:(TKSmartCard *)card invalidationHandler:(Function<void()>&&)handler;
+@end
+
+@implementation WKSmartCardObserver {
+    RetainPtr<TKSmartCard> _card;
+    Function<void()> _invalidationHandler;
+}
+
+- (instancetype)initWithCard:(TKSmartCard *)card invalidationHandler:(Function<void()>&&)handler
+{
+    if (!(self = [super init]))
+        return nil;
+    _card = card;
+    _invalidationHandler = WTF::move(handler);
+    [_card addObserver:self forKeyPath:@"valid" options:NSKeyValueObservingOptionNew context:nil];
+    return self;
+}
+
+- (void)dealloc
+{
+    [_card removeObserver:self forKeyPath:@"valid"];
+    [super dealloc];
+}
+
+- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object change:(NSDictionary *)change context:(void *)context
+{
+    if ([keyPath isEqualToString:@"valid"]) {
+        BOOL valid = [[change objectForKey:NSKeyValueChangeNewKey] boolValue];
+        if (!valid) {
+            @synchronized(self) {
+                if (_invalidationHandler) {
+                    callOnMainRunLoop([handler = WTF::move(_invalidationHandler)] () mutable {
+                        handler();
+                    });
+                }
+            }
+        }
+    }
+}
+@end
+
 namespace WebKit {
 using namespace fido;
 
-Ref<CcidConnection> CcidConnection::create(RetainPtr<TKSmartCard>&& smartCard, CcidService& service)
+Ref<CcidConnection> CcidConnection::create(RetainPtr<TKSmartCard>&& smartCard, RetainPtr<TKSmartCardSlot>&& slot, CcidService& service)
 {
-    return adoptRef(*new CcidConnection(WTF::move(smartCard), service));
+    return adoptRef(*new CcidConnection(WTF::move(smartCard), WTF::move(slot), service));
 }
 
-CcidConnection::CcidConnection(RetainPtr<TKSmartCard>&& smartCard, CcidService& service)
+CcidConnection::CcidConnection(RetainPtr<TKSmartCard>&& smartCard, RetainPtr<TKSmartCardSlot>&& slot, CcidService& service)
     : m_smartCard(WTF::move(smartCard))
+    , m_slot(WTF::move(slot))
     , m_service(service)
-    , m_retryTimer(RunLoop::mainSingleton(), "CcidConnection::RetryTimer"_s, this, &CcidConnection::startPolling)
 {
+    CCID_RELEASE_LOG("created, smartCard=%p, slot=%p", m_smartCard.get(), m_slot.get());
+
+    m_observer = adoptNS([[WKSmartCardObserver alloc]
+        initWithCard:m_smartCard.get()
+        invalidationHandler:[weakThis = ThreadSafeWeakPtr { *this }] {
+            if (RefPtr protectedThis = weakThis.get()) {
+                RELEASE_LOG(WebAuthn, "%p - CcidConnection::invalidationHandler fired, m_hasSession=%d, m_sessionPending=%d", protectedThis.get(), protectedThis->m_hasSession, protectedThis->m_sessionPending);
+                protectedThis->m_sessionPending = false;
+                protectedThis->m_pendingRequests.clear();
+                if (protectedThis->m_hasSession) {
+                    [protectedThis->m_smartCard endSession];
+                    protectedThis->m_hasSession = false;
+                }
+            }
+        }]);
+
     startPolling();
 }
 
 CcidConnection::~CcidConnection()
 {
+    CCID_RELEASE_LOG("destroyed, m_hasSession=%d", m_hasSession);
     stop();
 }
 
@@ -69,6 +137,7 @@
         // Only contactless smart cards have uid, check for longer length than apdu status
         if (response.size() > 2)
             protectedThis->m_contactless = true;
+        protectedThis->trySelectFidoApplet();
     });
 }
 
@@ -98,36 +167,90 @@
     });
 }
 
-void CcidConnection::transact(Vector<uint8_t>&& data, DataReceivedCallback&& callback) const
+void CcidConnection::transact(Vector<uint8_t>&& data, DataReceivedCallback&& callback)
 {
-    [m_smartCard beginSessionWithReply:makeBlockPtr([this, protectedThis = Ref { *this }, data = WTF::move(data), callback = WTF::move(callback)] (BOOL success, NSError *error) mutable {
-        if (!success)
-            return;
-        [m_smartCard transmitRequest:toNSData(data).get() reply:makeBlockPtr([this, protectedThis = Ref { *this }, callback = WTF::move(callback)](NSData * _Nullable nsResponse, NSError * _Nullable error) mutable {
-            [m_smartCard endSession];
-            callOnMainRunLoop([response = makeVector(nsResponse), callback = WTF::move(callback)] () mutable {
+    CCID_RELEASE_LOG("transact, m_hasSession=%d, m_sessionPending=%d", m_hasSession, m_sessionPending);
+    if (m_sessionPending) {
+        CCID_RELEASE_LOG("session pending, queuing request");
+        m_pendingRequests.append({ WTF::move(data), WTF::move(callback) });
+        return;
+    }
+    if (m_hasSession) {
+        CCID_RELEASE_LOG("reusing session, calling transmitRequest");
+        [m_smartCard transmitRequest:toNSData(data).get() reply:makeBlockPtr([protectedThis = Ref { *this }, callback = WTF::move(callback)](NSData * _Nullable nsResponse, NSError * _Nullable error) mutable {
+            RELEASE_LOG(WebAuthn, "%p - CcidConnection::transmitRequest reply, error=%p", protectedThis.ptr(), error);
+            bool hasError = !!error;
+            callOnMainRunLoop([protectedThis = WTF::move(protectedThis), response = makeVector(nsResponse), callback = WTF::move(callback), hasError] () mutable {
+                if (hasError) {
+                    [protectedThis->m_smartCard endSession];
+                    protectedThis->m_hasSession = false;
+                }
                 callback(WTF::move(response));
             });
         }).get()];
-    }).get()];
+    } else {
+        CCID_RELEASE_LOG("no session, calling beginSessionWithReply");
+        m_sessionPending = true;
+        [m_smartCard beginSessionWithReply:makeBlockPtr([protectedThis = Ref { *this }, data = WTF::move(data), callback = WTF::move(callback)] (BOOL success, NSError *error) mutable {
+            RELEASE_LOG(WebAuthn, "%p - CcidConnection::beginSessionWithReply reply, success=%d, error=%p", protectedThis.ptr(), success, error);
+            if (!success) {
+                callOnMainRunLoop([protectedThis = WTF::move(protectedThis), callback = WTF::move(callback)] () mutable {
+                    protectedThis->m_sessionPending = false;
+                    callback({ });
+                    // Drain pending requests with empty callbacks on failure
+                    while (!protectedThis->m_pendingRequests.isEmpty()) {
+                        auto pending = protectedThis->m_pendingRequests.takeFirst();
+                        pending.second({ });
+                    }
+                });
+                return;
+            }
+            callOnMainRunLoop([protectedThis = WTF::move(protectedThis), data = WTF::move(data), callback = WTF::move(callback)] () mutable {
+                protectedThis->m_sessionPending = false;
+                protectedThis->m_hasSession = true;
+                RELEASE_LOG(WebAuthn, "%p - CcidConnection::session started", protectedThis.ptr());
+                [protectedThis->m_smartCard transmitRequest:toNSData(data).get() reply:makeBlockPtr([protectedThis = WTF::move(protectedThis), callback = WTF::move(callback)](NSData * _Nullable nsResponse, NSError * _Nullable error) mutable {
+                    RELEASE_LOG(WebAuthn, "%p - CcidConnection::transmitRequest reply, error=%p", protectedThis.ptr(), error);
+                    bool hasError = !!error;
+                    callOnMainRunLoop([protectedThis = WTF::move(protectedThis), response = makeVector(nsResponse), callback = WTF::move(callback), hasError] () mutable {
+                        if (hasError) {
+                            [protectedThis->m_smartCard endSession];
+                            protectedThis->m_hasSession = false;
+                        }
+                        callback(WTF::move(response));
+                        protectedThis->processPendingRequests();
+                    });
+                }).get()];
+            });
+        }).get()];
+    }
 }
 
 
-void CcidConnection::stop() const
+void CcidConnection::processPendingRequests()
 {
+    if (m_pendingRequests.isEmpty() || !m_hasSession)
+        return;
+    CCID_RELEASE_LOG("processPendingRequests, count=%zu", m_pendingRequests.size());
+    auto pending = m_pendingRequests.takeFirst();
+    transact(WTF::move(pending.first), WTF::move(pending.second));
 }
 
-// NearField polling is a one shot polling. It halts after tags are detected.
-// Therefore, a restart process is needed to resume polling after error.
-void CcidConnection::restartPolling()
+void CcidConnection::stop()
 {
-    m_retryTimer.startOneShot(1_s); // Magic number to give users enough time for reactions.
+    CCID_RELEASE_LOG("stop, m_hasSession=%d, m_sessionPending=%d", m_hasSession, m_sessionPending);
+    m_sessionPending = false;
+    m_pendingRequests.clear();
+    if (m_hasSession) {
+        CCID_RELEASE_LOG("ending session");
+        [m_smartCard endSession];
+        m_hasSession = false;
+    }
 }
 
 void CcidConnection::startPolling()
 {
     detectContactless();
-    trySelectFidoApplet();
 }
 
 } // namespace WebKit
 
@@ -51,7 +51,8 @@ class CcidService : public FidoService {
     void didConnectTag();
 
     void updateSlots(NSArray *slots);
-    void onValidCard(RetainPtr<TKSmartCard>&&);
+    void onValidCard(RetainPtr<TKSmartCard>&&, RetainPtr<TKSmartCardSlot>&&);
+    void onCardRemoved();
 
 protected:
     explicit CcidService(AuthenticatorTransportServiceObserver&);