auth: tfa: fail if realm requires TFA but no challenge is generated
[pve-access-control.git] / src / PVE / AccessControl.pm
index c38a1e5a02bf3fce26b3967fd12f6aedabbf1dea..cc0f00b16c581e2100b71ec19dcde3b1cff82e69 100644 (file)
@@ -808,6 +808,10 @@ sub authenticate_2nd_new_do : prototype($$$$) {
        $tfa_challenge = undef;
     } else {
        $tfa_challenge = $tfa_cfg->authentication_challenge($username);
+
+       die "missing required 2nd keys\n"
+           if $realm_tfa && !defined($tfa_challenge);
+
        if (defined($tfa_response)) {
            if (defined($tfa_challenge)) {
                $tfa_done = 1;
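Review bot: The new `die` at the top of the `else` branch only guards the path where `authentication_challenge` is called. The preceding branch sets `$tfa_challenge = undef` and its condition lies outside the hunk, so it is worth confirming that a realm with required TFA cannot pass through it without a verified second factor. The second hunk removes the equivalent check from `user_get_tfa`, so any other caller of that function (none visible here) no longer gets this enforcement and should be audited. The check also has no comment explaining it; I would add one above it, e.g. `# fail closed: the realm requires TFA but no challenge was generated for this user`. The body of `authenticate_2nd_new_do` starts and ends outside the hunk.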
@@ -2006,13 +2010,6 @@ sub user_get_tfa : prototype($$$) {
        add_old_keys_to_realm_tfa($username, $tfa_cfg, $realm_tfa, $keys);
     }
 
-    if ($realm_tfa) {
-       # FIXME: pve-rs should provide a cheaper check for this
-       my $entries = $tfa_cfg->api_list_user_tfa($username);
-       die "missing required 2nd keys\n"
-           if scalar(@$entries) == 0;
-    }
-
     return ($tfa_cfg, $realm_tfa);
 }