catch incompatible tfa entries with a nice error

[pve-access-control.git] / src / PVE / AccessControl.pm

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index e94e8b184714d8dbc252a5030cdf0d51281ebf1e..2e9e2f69ae8cbafab2d3d9dad6b656889f4f578e 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -507,6 +507,8 @@ my $assemble_short_lived_ticket = sub {
 my $verify_short_lived_ticket = sub {
     my ($ticket, $prefix, $username, $path, $noerr) = @_;
 
+    $path = normalize_path($path);
+
     my $secret_data = "$username:$path";
 
     my ($rsa_pub, $rsa_mtime) = get_pubkey();
@@ -739,7 +741,9 @@ sub authenticate_2nd_old : prototype($$$) {
 
     my ($type, $tfa_data) = user_get_tfa($username, $realm, 0);
     if ($type) {
-       if ($type eq 'u2f') {
+       if ($type eq 'incompatible') {
+           die "old login api disabled, user has incompatible TFA entries\n";
+       } elsif ($type eq 'u2f') {
            # Note that if the user did not manage to complete the initial u2f registration
            # challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry:
            $tfa_data = undef if exists $tfa_data->{challenge};