+
+ # Yubico auth returns the authentication sub:
+ if (ref($result) eq 'CODE') {
+ $result = $result->();
+ }
+
+ return $result;
+}
+
+sub authenticate_yubico_new : prototype($$$) {
+ my ($tfa_cfg, $username, $realm, $tfa_challenge, $otp) = @_;
+
+ $tfa_challenge = verify_ticket($tfa_challenge, 0, $username);
+ $tfa_challenge = from_json($tfa_challenge);
+
+ if (!$tfa_challenge->{yubico}) {
+ die "no such challenge\n";
+ }
+
+ my $keys = $tfa_cfg->get_yubico_keys($username);
+ die "no keys configured\n" if !defined($keys) || !length($keys);
+
+ # Defer to after unlocking the TFA config:
+
+ # fixme: proxy support?
+ my $proxy;
+ PVE::OTP::yubico_verify_otp($otp, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
+
+ # return `undef` to clear the tfa challenge.
+ return undef;