fix #2758: reject 'tfa' cookies

return false on authOK when the ticket is a tfa ticket
(starts with PVE:tfa!)

when a user now loads the page with only a tfa ticket, it shows the
login window again

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

diff --git a/Utils.js b/Utils.js
index 22eddd2c3ef83b7c8e5badbf134be57a336cb22b..cae25b231efcb74cd9da48355a01aa76cc1ee544 100644 (file)
--- a/Utils.js
+++ b/Utils.js
@@ -207,7 +207,8 @@ Ext.define('Proxmox.Utils', { utilities: {
        if (Proxmox.LoggedOut) {
            return undefined;
        }
-       return (Proxmox.UserName !== '') && Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+       let cookie = Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+       return (Proxmox.UserName !== '') && (cookie && !cookie.startsWith("PVE:tfa!"));
     },
 
     authClear: function() {