$agent->default_header('Cookie', $cookie);
}
+sub two_factor_auth_login {
+ my ($self, $type, $challenge) = @_;
+
+ if ($type eq 'PVE:tfa') {
+ raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
+ print "\nEnter OTP code for user $self->{username}: ";
+ my $tfa_response = <STDIN>;
+ chomp $tfa_response;
+ return $self->post('/api2/json/access/tfa', {response => $tfa_response});
+ } elsif ($type eq 'PVE:u2f') {
+ # TODO: implement u2f-enabled join
+ raise("U2F-enabled login is currently not implemented.");
+ } else {
+ raise("Authentication type '$type' not recognized, aborting!");
+ }
+}
+
sub login {
my ($self) = @_;
$uri->path('/api2/json/access/ticket');
my $ua = $self->{useragent};
+ my $username = $self->{username} // 'unknown',
delete $self->{last_unknown_fingerprint};
my $exec_login = sub {
return $ua->post($uri, {
- username => $self->{username} || 'unknown',
+ username => $username,
password => $self->{password} || ''});
};
my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
my $data = $extract_data->($res);
-
- # TODO: make it possible to use tfa
- if ($data->{ticket} =~ m/^PVE:tfa!/) {
- die "TFA in API is not yet implemented! Try disabling TFA for the user.\n";
- }
-
$self->update_ticket($data->{ticket});
$self->update_csrftoken($data->{CSRFPreventionToken});
+ # handle two-factor login
+ my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
+ if ($data->{ticket} =~ m/$tfa_ticket_re/) {
+ my ($type, $challenge) = ($1, $2);
+ $data = $self->two_factor_auth_login($type, $challenge);
+ $self->update_ticket($data->{ticket});
+ }
+
return $data;
}
delete $self->{last_unknown_fingerprint};
my $ticket = $self->{ticket};
+ my $apitoken = $self->{apitoken};
my $ua = $self->{useragent};
# fixme: check ticket lifetime?
- if (!$ticket && $self->{username} && $self->{password}) {
+ if (!$ticket && !$apitoken && $self->{username} && $self->{password}) {
$self->login();
}
$self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
- $self->update_ticket($param{ticket}) if $param{ticket};
+ if ($param{apitoken} && $param{password}) {
+ warn "password will be ignored in favor of API token\n";
+ delete $self->{password};
+ }
+ if ($param{ticket}) {
+ if ($param{apitoken}) {
+ warn "ticket will be ignored in favor of API token\n";
+ } else {
+ $self->update_ticket($param{ticket});
+ }
+ }
$self->update_csrftoken($param{csrftoken}) if $param{csrftoken};
+ if ($param{apitoken}) {
+ my $agent = $self->{useragent};
+
+ $self->{apitoken} = $param{apitoken};
+
+ $agent->default_header('Authorization', $param{apitoken});
+ }
return $self;
}