fix: catch PinRequiredError instead of bare ValueError

orglnte · orglnte · commit eb3e4cc46d43 · 2026-03-30T11:59:57.000+02:00
The fido2 library raises PinRequiredError when a PIN is needed.
Catching ValueError swallowed unrelated errors (bad challenges,
malformed credentials) and silently misinterpreted them as PIN
prompts.
diff --git a/fido2client/client.py b/fido2client/client.py
@@ -11,7 +11,7 @@
 
 import cbor2 as cbor
 import requests
-from fido2.client import Fido2Client
+from fido2.client import Fido2Client, PinRequiredError
 from fido2.hid import CtapHidDevice
 
 from .exceptions import (
@@ -224,7 +224,7 @@ def _complete(
             assertions, client_data = fido2_client.get_assertion(
                 begin_data.rp_id, challenge, allow_list
             )
-        except ValueError:
+        except PinRequiredError:
             assertions, client_data = fido2_client.get_assertion(
                 begin_data.rp_id,
                 challenge,
diff --git a/tests/test_client.py b/tests/test_client.py
@@ -6,6 +6,7 @@
 import cbor2
 import pytest
 import requests
+from fido2.client import PinRequiredError
 
 from fido2client import Fido2HttpClient
 from fido2client.exceptions import (
@@ -223,7 +224,7 @@ def test_pin_fallback(mock_device):
     with patch("fido2client.client.Fido2Client") as MockFido2Client:
         instance = MockFido2Client.return_value
         instance.get_assertion.side_effect = [
-            ValueError("PIN required"),
+            PinRequiredError(),
             ([assertion], client_data),
         ]
 
