From 93c1d74a62f3364672b155edf72636d0e496e4c6 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 17 Nov 2021 12:34:40 +0100
Subject: [PATCH] catch incompatible tfa entries with a nice error
Signed-off-by: Wolfgang Bumiller
---
 src/PVE/API2/TFA.pm | 3 +++
 src/PVE/AccessControl.pm | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 657a74c..be696e1 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -185,6 +185,9 @@ __PACKAGE__->register_method({
     if (!defined($tfa_type)) {
         raise('no u2f data available');
     }
+    if ($tfa_type eq 'incompatible') {
+        raise('tfa entries incompatible with old login api');
+    }
 
     eval {
         if ($tfa_type eq 'u2f') {
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index ace2797..2e9e2f6 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -741,7 +741,9 @@ sub authenticate_2nd_old : prototype($$$) {
     my ($type, $tfa_data) = user_get_tfa($username, $realm, 0);
 
     if ($type) {
-        if ($type eq 'u2f') {
+        if ($type eq 'incompatible') {
+            die "old login api disabled, user has incompatible TFA entries\n";
+        } elsif ($type eq 'u2f') {
             # Note that if the user did not manage to complete the initial u2f registration
             # challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry:
             $tfa_data = undef if exists $tfa_data->{challenge};
-- 
2.39.2
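Review bot: The sentinel `'incompatible'` is compared as a bare string literal in this TFA.pm hunk and again in the AccessControl.pm hunk, with nothing tying either site to wherever that value is produced (user_get_tfa is not visible here); a typo at either comparison would not refuse the request but fall through to the code below as if the entry were an ordinary type. Consider exporting one named constant from the module that returns the value, e.g. `use constant TFA_TYPE_INCOMPATIBLE => 'incompatible';`, and comparing against it at both sites so the two refusal paths cannot drift apart. The raised message could also name the supported login path so a client knows what to do instead of retrying the old API. The enclosing register_method block starts and ends outside the hunk.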
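Review bot: Failing closed with `die` ahead of the `u2f` branch is the right outcome, but the message is the only trace of the refusal, so an operator reviewing failed logins cannot tell from this line that the user was rejected because of their TFA configuration rather than a bad credential. If a syslog or logging helper is in scope in AccessControl.pm (not visible in this hunk), consider recording `$username` alongside the die, and keep the wording aligned with the raise in the TFA.pm hunk so both paths report the same condition. The trailing `\n` deliberately suppresses the file/line suffix, which is appropriate for a user-facing authentication error; a short comment saying so, e.g. `# "\n" keeps perl's file/line suffix out of the user-visible message`, would prevent a later cleanup from dropping it. authenticate_2nd_old continues past the end of the hunk.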