users: add endpoint for unlocking the TFA of a user

add /access/users/<userid>/unlock-tfa api call which can be used for
unlocking a user after their TFA got locked due to many failed
consecutive retries.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/PMG/API2/Users.pm b/src/PMG/API2/Users.pm
index 0398e930c5eb5bef0eb616c009204a5e177f0773..243d19a736410cc689c9e2328aa0ed80a98244d8 100644 (file)
--- a/src/PMG/API2/Users.pm
+++ b/src/PMG/API2/Users.pm
@@ -13,6 +13,7 @@ use PVE::Exception qw(raise_perm_exc);
 
 use PMG::RESTEnvironment;
 use PMG::UserConfig;
+use PMG::TFAConfig;
 
 use base qw(PVE::RESTHandler);
 
@@ -229,4 +230,34 @@ __PACKAGE__->register_method ({
        return undef;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'unlock_tfa',
+    path => '{userid}/unlock-tfa',
+    method => 'PUT',
+    protected => 1,
+    description => "Unlock a user's TFA authentication.",
+    permissions => { check => [ 'admin' ] },
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           userid => get_standard_option('userid'),
+       },
+    },
+    returns => { type => 'boolean' },
+    code => sub {
+        my ($param) = @_;
+
+        my $userid = extract_param($param, "userid");
+
+       my $user_was_locked = PMG::TFAConfig::lock_config(sub {
+           my $tfa_cfg = PMG::TFAConfig->new();
+           my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
+           $tfa_cfg->write() if $was_locked;
+           return $was_locked;
+       });
+
+       return $user_was_locked;
+    }});
+
+
 1;