catch incompatible tfa entries with a nice error

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 657a74ce1355e8b2251a7b42943f37085ee46e0b..be696e1f19ee891edc63af6b512c181b49497f92 100644 (file)
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -185,6 +185,9 @@ __PACKAGE__->register_method({
        if (!defined($tfa_type)) {
            raise('no u2f data available');
        }
        if (!defined($tfa_type)) {
            raise('no u2f data available');
        }

+       if ($tfa_type eq 'incompatible') {
+           raise('tfa entries incompatible with old login api');
+       }

 
        eval {
            if ($tfa_type eq 'u2f') {
 
        eval {
            if ($tfa_type eq 'u2f') {

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index ace27971c27b565076cbb1a439da3b9b42102985..2e9e2f69ae8cbafab2d3d9dad6b656889f4f578e 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -741,7 +741,9 @@ sub authenticate_2nd_old : prototype($$$) {
 
     my ($type, $tfa_data) = user_get_tfa($username, $realm, 0);
     if ($type) {
 
     my ($type, $tfa_data) = user_get_tfa($username, $realm, 0);
     if ($type) {

-       if ($type eq 'u2f') {
+       if ($type eq 'incompatible') {
+           die "old login api disabled, user has incompatible TFA entries\n";
+       } elsif ($type eq 'u2f') {

            # Note that if the user did not manage to complete the initial u2f registration
            # challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry:
            $tfa_data = undef if exists $tfa_data->{challenge};
            # Note that if the user did not manage to complete the initial u2f registration
            # challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry:
            $tfa_data = undef if exists $tfa_data->{challenge};