Take MP reprompt into account when asserting credential

crates/bitwarden-fido/src/authenticator.rs

@@ -2,7 +2,7 @@
 
 use bitwarden_core::{Client, VaultLocked};
 use bitwarden_crypto::{CryptoError, KeyContainer, KeyEncryptable};
-use bitwarden_vault::{CipherError, CipherView};
+use bitwarden_vault::{CipherError, CipherRepromptType, CipherView};
 use itertools::Itertools;
 use log::error;
 use passkey::{
@@ -20,7 +20,7 @@
 };
 use crate::{
     fill_with_credential, string_to_guid_bytes, try_from_credential_full, Fido2CallbackError,
-    FillCredentialError, InvalidGuid,
+    FillCredentialError, InvalidGuid, Verification,
 };
 
 #[derive(Debug, Error)]
@@ -631,6 +631,22 @@
                     user_verified: verification != UV::Discouraged,
                 })
             }
+            UIHint::RequestExistingCredential(cipher)
+                if matches!(cipher.cipher.reprompt, CipherRepromptType::Password) =>
+            {
+                let result = self
+                    .authenticator
+                    .user_interface
+                    .check_user(options, map_ui_hint(hint))
+                    .await
+                    .map_err(|_| Ctap2Error::OperationDenied)?;
+
+                if !result.user_verified {
+                    return Err(Ctap2Error::UserVerificationInvalid);
+                }
+
+                Ok(result)
+            }
             _ => {
                 self.authenticator
                     .user_interface
@@ -639,7 +655,7 @@
             }
         };
 
-        let result = result.map_err(|e| {
+        let result = result.map_err(|e: Fido2CallbackError| {
             error!("Error checking user: {e:?}");
             Ctap2Error::UserVerificationInvalid
         })?;