From cb6496737929ba84c1f66d2942e606b3a9cacb8c Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Tue, 16 May 2023 13:48:45 +0200
Subject: [PATCH] api: drop old verify_tfa api call

Signed-off-by: Wolfgang Bumiller
---
 src/PVE/API2/TFA.pm | 77 ---------------------------------------------
 1 file changed, 77 deletions(-)

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index bee4dee..a4ea6dd 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -152,83 +152,6 @@ my sub set_user_tfa_enabled : prototype($$$) {
 }, "enabling TFA for the user failed");
 }
 
-### OLD API
-
-__PACKAGE__->register_method({
- name => 'verify_tfa',
- path => '',
- method => 'POST',
- permissions => { user => 'all' },
- protected => 1, # else we can't access shadow files
- allowtoken => 0, # we don't want tokens to access TFA information
- description => 'Finish a u2f challenge.',
- parameters => {
- additionalProperties => 0,
- properties => {
- response => {
- type => 'string',
- description => 'The response to the current authentication challenge.',
- },
- }
- },
- returns => {
- type => 'object',
- properties => {
- ticket => { type => 'string' },
- # cap
- }
- },
- code => sub {
- my ($param) = @_;
-
- my $rpcenv = PVE::RPCEnvironment::get();
- my $authuser = $rpcenv->get_user();
- my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);
-
- my ($tfa_type, $tfa_data) = PVE::AccessControl::user_get_tfa($username, $realm, 0);
- if (!defined($tfa_type)) {
- raise('no u2f data available');
- }
- if ($tfa_type eq 'incompatible') {
- raise('tfa entries incompatible with old login api');
- }
-
- eval {
- if ($tfa_type eq 'u2f') {
- my $challenge = $rpcenv->get_u2f_challenge()
- or raise('no active challenge');
-
- my $keyHandle = $tfa_data->{keyHandle};
- my $publicKey = $tfa_data->{publicKey};
- raise("incomplete u2f setup")
- if !defined($keyHandle) || !defined($publicKey);
-
- my $u2f = PVE::API2::AccessControl::get_u2f_instance($rpcenv, $publicKey, $keyHandle);
- $u2f->set_challenge($challenge);
-
- my ($counter, $present) = $u2f->auth_verify($param->{response});
- # Do we want to do anything with these?
- } else {
- # sanity check before handing off to the verification code:
- my $keys = $tfa_data->{keys} or die "missing tfa keys\n";
- my $config = $tfa_data->{config} or die "bad tfa entry\n";
- PVE::AccessControl::verify_one_time_pw($tfa_type, $authuser, $keys, $config, $param->{response});
- }
- };
- if (my $err = $@) {
- my $clientip = $rpcenv->get_client_ip() || '';
- syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
- die PVE::Exception->new("authentication failure\n", code => 401);
- }
-
- return {
- ticket => PVE::AccessControl::assemble_ticket($authuser),
- cap => $rpcenv->compute_api_permission($authuser),
- }
- }});
-
-### END OLD API
-
 __PACKAGE__->register_method ({
 name => 'list_user_tfa',
 path => '{userid}',
-- 2.39.2