X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPMG%2FAPI2%2FAccessControl.pm;h=ec79b6b84899a87f679a439de07222366b637517;hb=4423fc0875598b18fae11cd13243b4d9d2ef408f;hp=5774fab5fdaa46738f7282abc66668435e26ab63;hpb=5ef74b9e3acab5f153b10f417f88246a01cdfbf1;p=pmg-api.git
diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm
index 5774fab..ec79b6b 100644
--- a/src/PMG/API2/AccessControl.pm
+++ b/src/PMG/API2/AccessControl.pm
@@ -120,14 +120,35 @@ my sub create_or_verify_ticket : prototype($$$$$$) {
 my $rpcenv = PMG::RESTEnvironment->get();
 $origin = 'https://'.$rpcenv->get_request_host(1);
 }
-my $must_save = $tfa_cfg->authentication_verify(
+my $result = $tfa_cfg->authentication_verify2(
 $username, $tfa_challenge, $pw_or_ticket, $origin,
 );
-$tfa_cfg->write() if $must_save;
+if (!$result) {
+# Sanity check, should be unreachable.
+die "2nd factor failed\n";
+}
+
+if ($result->{'needs-saving'}) {
+$tfa_cfg->write();
+}
+
+if ($result->{'totp-limit-reached'}) {
+# FIXME: Notify/Send-mail to the user (or admin/root if none configured)
+die "failed 2nd factor: TOTP limit reached, locked\n";
+}
+if ($result->{'tfa-limit-reached'}) {
+# FIXME: Notify/Send-mail to the user (or admin/root if none configured)
+die "failed 2nd factor: TFA limit reached, user locked out\n";
+}
+if (!$result->{'result'}) {
+# "Regular" failure.
+die "failed 2nd factor\n";
+}
+# Otherwise TFA succeeded.
 });
 $tfa_challenge = undef;
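Review bot: The `needs-saving` write is placed ahead of the `totp-limit-reached`/`tfa-limit-reached`/`result` checks, and that order matters for security but is not documented in the new code: presumably the write persists the failed-attempt counters and lock state that produce those flags, so moving it below the `die` calls in a later refactor would silently drop the lockout after every failed attempt. Add a why-comment above the block, e.g. `# Write first: failed-attempt counters / lock state must be persisted even when we die below.` The unreachable-branch message `2nd factor failed` also differs from the `failed 2nd factor` wording of the three other branches, which makes log searching and client-side matching inconsistent; `die "failed 2nd factor: no verification result\n";` keeps one prefix. create_or_verify_ticket begins before this hunk and continues after the closing `});` shown here.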