add fixme comments about pending pve-rs improvements

Alternatively we could potentially move the realm-tfa check to after
`authentication_challenge`.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index da018e559bb2a7eb937132a7e200cb75423d883d..c38a1e5a02bf3fce26b3967fd12f6aedabbf1dea 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -753,6 +753,9 @@ sub authenticate_2nd_new_do : prototype($$$$) {
     my ($username, $realm, $tfa_response, $tfa_challenge) = @_;
     my ($tfa_cfg, $realm_tfa) = user_get_tfa($username, $realm);
 
+    # FIXME: `$tfa_cfg` is now usually never undef - use cheap check for
+    # whether the user has *any* entries here instead whe it is available in
+    # pve-rs
     if (!defined($tfa_cfg)) {
        return undef;
     }
@@ -2004,6 +2007,7 @@ sub user_get_tfa : prototype($$$) {
     }
 
     if ($realm_tfa) {
+       # FIXME: pve-rs should provide a cheaper check for this
        my $entries = $tfa_cfg->api_list_user_tfa($username);
        die "missing required 2nd keys\n"
            if scalar(@$entries) == 0;