From 4423fc0875598b18fae11cd13243b4d9d2ef408f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Tue, 27 Jun 2023 16:13:57 +0200
Subject: [PATCH] tfa: enable lockout of users

Signed-off-by: Wolfgang Bumiller
Signed-off-by: Thomas Lamprecht
---
 src/PMG/API2/AccessControl.pm | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm
index 5774fab..ec79b6b 100644
--- a/src/PMG/API2/AccessControl.pm
+++ b/src/PMG/API2/AccessControl.pm
@@ -120,14 +120,35 @@ my sub create_or_verify_ticket : prototype($$$$$$) {
             my $rpcenv = PMG::RESTEnvironment->get();
             $origin = 'https://'.$rpcenv->get_request_host(1);
         }
-        my $must_save = $tfa_cfg->authentication_verify(
+        my $result = $tfa_cfg->authentication_verify2(
             $username, $tfa_challenge, $pw_or_ticket, $origin,
         );
-        $tfa_cfg->write() if $must_save;
+        if (!$result) {
+            # Sanity check, should be unreachable.
+            die "2nd factor failed\n";
+        }
+
+        if ($result->{'needs-saving'}) {
+            $tfa_cfg->write();
+        }
+
+        if ($result->{'totp-limit-reached'}) {
+            # FIXME: Notify/Send-mail to the user (or admin/root if none configured)
+            die "failed 2nd factor: TOTP limit reached, locked\n";
+        }
+        if ($result->{'tfa-limit-reached'}) {
+            # FIXME: Notify/Send-mail to the user (or admin/root if none configured)
+            die "failed 2nd factor: TFA limit reached, user locked out\n";
+        }
+        if (!$result->{'result'}) {
+            # "Regular" failure.
+            die "failed 2nd factor\n";
+        }
+        # Otherwise TFA succeeded.
     });
     $tfa_challenge = undef;
-- 
2.39.2
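Review bot: The `$tfa_cfg->write()` under `needs-saving` is placed before the three `die` branches, and that ordering is what makes the failure counter and lockout state survive a rejected attempt, yet nothing in the hunk marks it as load-bearing; a comment such as `# Persist counter/lockout state first: the limit checks below die and would otherwise lose it.` on the `needs-saving` block would keep a later refactor from moving the write after the checks. The two limit-reached branches only surface the lockout in the message returned to the client; the FIXME covers notifying the user, but a server-side log line at the point of lockout (via whatever syslog helper this file already has in scope, which is not visible here) would give operators a record to correlate during an investigation, independently of the mail notification. The enclosing closure and `create_or_verify_ticket` both start before the hunk, and the sub continues after it.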