api: add /access/users/<userid>/unlock-tfa api call
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Tue, 30 May 2023 11:39:15 +0000 (13:39 +0200)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Mon, 5 Jun 2023 10:59:32 +0000 (12:59 +0200)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
src/PVE/API2/User.pm

index ed4cb707809663b67e57464a225c1654382b07b0..56b50407dad77ea671f90ae1b9f6b3e7bf1fb5f7 100644 (file)
@@ -556,6 +556,38 @@ __PACKAGE__->register_method ({
        return $res;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'unlock_tfa',
+    path => '{userid}/unlock-tfa',
+    method => 'PUT',
+    protected => 1,
+    description => "Unlock a user's TFA authentication.",
+    permissions => {
+       check => [ 'userid-group', ['User.Modify']],
+    },
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           userid => get_standard_option('userid-completed'),
+       },
+    },
+    returns => { type => 'boolean' },
+    code => sub {
+       my ($param) = @_;
+
+       my $userid = extract_param($param, "userid");
+
+       my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub {
+           my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+           my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
+           cfs_write_file('priv/tfa.cfg', $tfa_cfg)
+               if $was_locked;
+           return $was_locked;
+       });
+
+       return $user_was_locked;
+    }});
+
 __PACKAGE__->register_method ({
     name => 'token_index',
     path => '{userid}/token',
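Review bot: The new `unlock_tfa` handler (the `code => sub` closing the added `register_method` block) clears a TFA lockout without recording who did it. A lockout is the brake on second-factor guessing, so each reset should leave an audit trail that can be correlated with failed-login bursts. Consider logging on the `$was_locked` path, e.g. `my $authuser = PVE::RPCEnvironment::get()->get_user();` followed by `syslog('info', "TFA unlocked for user '$userid' by '$authuser'");`. This assumes a syslog helper is already imported in User.pm, which the hunk does not show. The `returns` schema also lacks a description; something like `description => "Whether the user was TFA-locked before this call."` matches what the `$was_locked` name suggests, but confirm it against `api_unlock_tfa`.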