device/fido: only send the single matching credential ID.

When prelighting credential IDs for getting an assertion, only send the
matching credential ID on the following up=1 request, rather than the
whole matching batch.

Change-Id: I41534e82306b82c2332b44deb6466a9ee46c2905
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2250893
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/master@{#780525}

device/fido/get_assertion_task.cc

@@ -203,13 +203,11 @@ void GetAssertionTask::HandleResponseToSilentRequest(
 
   // One credential from the previous batch was recognized by the device. As
   // this authentication was a silent authentication (i.e. user touch was not
-  // provided), try again with only that batch, user presence enforced and with
+  // provided), try again with that credential, user presence enforced, and with
   // the original user verification configuration.
-  // TODO(martinkr): We could get the exact credential ID that was recognized
-  // from |response_data| and send only that.
   if (response_code == CtapDeviceResponseCode::kSuccess) {
     CtapGetAssertionRequest request = request_;
-    request.allow_list = allow_list_batches_.at(current_allow_list_batch_ - 1);
+    request.allow_list = {*response_data->credential()};
     sign_operation_ = std::make_unique<Ctap2DeviceOperation<
         CtapGetAssertionRequest, AuthenticatorGetAssertionResponse>>(
         device(), std::move(request),