tfa: don't return a challenge if all 2nd factors are disabled

[proxmox.git] / proxmox-tfa / src / api / mod.rs

diff --git a/proxmox-tfa/src/api/mod.rs b/proxmox-tfa/src/api/mod.rs
index 6800eab15b21cead42531cf7eeb3b21732447893..e30c744937f21ca5aa243081318ffb10295bee30 100644 (file)
--- a/proxmox-tfa/src/api/mod.rs
+++ b/proxmox-tfa/src/api/mod.rs
@@ -566,7 +566,7 @@ impl TfaUserData {
             return Ok(None);
         }
 
-        Ok(Some(TfaChallenge {
+        let challenge = TfaChallenge {
             totp: self.totp.iter().any(|e| e.info.enable),
             recovery: self.recovery_state(),
             webauthn: match webauthn {
@@ -578,7 +578,14 @@ impl TfaUserData {
                 None => None,
             },
             yubico: self.yubico.iter().any(|e| e.info.enable),
-        }))
+        };
+
+        // This happens if 2nd factors exist but are all disabled.
+        if challenge.is_empty() {
+            return Ok(None);
+        }
+
+        Ok(Some(challenge))
     }
 
     /// Get the recovery state.
@@ -863,6 +870,16 @@ pub struct TfaChallenge {
     pub yubico: bool,
 }
 
+impl TfaChallenge {
+    pub fn is_empty(&self) -> bool {
+        !self.totp
+            && self.recovery.is_none()
+            && self.u2f.is_none()
+            && self.webauthn.is_none()
+            && !self.yubico
+    }
+}
+
 fn bool_is_false(v: &bool) -> bool {
     !v
 }