Fix: IRMA session gets stuck in communicating status when user is req…

…uested to confirm PIN
privacybydesign · Oct 25, 2023 · c85f904 · c85f904
1 parent 9434e4b
commit c85f904
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Fixed
+- IRMA session gets stuck in communicating status when user is requested to confirm PIN in `irmaclient`
 
 ## [0.14.1] - 2023-10-18
 ### Fixed

diff --git a/irmaclient/keyshare.go b/irmaclient/keyshare.go
@@ -165,7 +165,9 @@ func newKeyshareSession(
 	}
 
 	ks.sessionHandler.KeysharePin()
-	return ks, ks.VerifyPin(-1)
+	authenticated := make(chan bool, 1)
+	ks.VerifyPin(-1, authenticated)
+	return ks, <-authenticated
 }
 
 func (kss *keyshareServer) tokenValid(conf *irma.Configuration) bool {
@@ -191,29 +193,37 @@ func (kss *keyshareServer) tokenValid(conf *irma.Configuration) bool {
 
 // VerifyPin asks for a pin, repeatedly if necessary, informing the handler of success or failure.
 // It returns whether the authentication was successful or not.
-func (ks *keyshareSession) VerifyPin(attempts int) bool {
+func (ks *keyshareSession) VerifyPin(attempts int, authenticated chan bool) {
 	ks.pinRequestor.RequestPin(attempts, PinHandler(func(proceed bool, pin string) {
 		if !proceed {
 			ks.sessionHandler.KeyshareCancelled()
+			authenticated <- false
 			return
 		}
 		success, attemptsRemaining, blocked, manager, err := ks.verifyPinAttempt(pin)
 		if err != nil {
 			ks.sessionHandler.KeyshareError(&manager, err)
+			authenticated <- false
 			return
 		}
 		if blocked != 0 {
 			ks.sessionHandler.KeyshareBlocked(manager, blocked)
+			authenticated <- false
 			return
 		}
 		if success {
-			ks.sessionHandler.KeysharePinOK()
+			if ok := ks.keyshareServer.tokenValid(ks.client.Configuration); ok {
+				ks.sessionHandler.KeysharePinOK()
+				authenticated <- true
+			} else {
+				ks.sessionHandler.KeyshareError(&manager, errors.New("keyshare token invalid after successful authentication"))
+				authenticated <- false
+			}
 			return
 		}
 		// Not successful but no error and not yet blocked: try again
-		ks.VerifyPin(attemptsRemaining)
+		ks.VerifyPin(attemptsRemaining, authenticated)
 	}))
-	return ks.keyshareServer.tokenValid(ks.client.Configuration)
 }
 
 // challengeRequestJWTExpiry is the expiry of the JWT sent to the keyshareserver at
@@ -370,8 +380,9 @@ func (ks *keyshareSession) GetCommitments() {
 				// (but only if we did not ask for a PIN earlier)
 				ks.pinCheck = false
 				ks.sessionHandler.KeysharePin()
-				authenticated := ks.VerifyPin(-1)
-				if authenticated {
+				authenticated := make(chan bool, 1)
+				ks.VerifyPin(-1, authenticated)
+				if <-authenticated {
 					ks.GetCommitments()
 				}
 				return