tfa: don't return a challenge if all 2nd factors are disabled

Instead, this should allow the user to login without them. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-04-18 11:24:00 +02:00 · 2023-04-18 11:24:00 +02:00 · 4b3d171b2d
commit 4b3d171b2d
parent ea1d023a61
1 changed files with 19 additions and 2 deletions
--- a/proxmox-tfa/src/api/mod.rs
+++ b/proxmox-tfa/src/api/mod.rs
@ -566,7 +566,7 @@ impl TfaUserData {
            return Ok(None);
        }

-        Ok(Some(TfaChallenge {
+        let challenge = TfaChallenge {
            totp: self.totp.iter().any(|e| e.info.enable),
            recovery: self.recovery_state(),
            webauthn: match webauthn {
@ -578,7 +578,14 @@ impl TfaUserData {
                None => None,
            },
            yubico: self.yubico.iter().any(|e| e.info.enable),
-        }))
+        };
+
+        // This happens if 2nd factors exist but are all disabled.
+        if challenge.is_empty() {
+            return Ok(None);
+        }
+
+        Ok(Some(challenge))
    }

    /// Get the recovery state.
@ -863,6 +870,16 @@ pub struct TfaChallenge {
    pub yubico: bool,
 }

+impl TfaChallenge {
+    pub fn is_empty(&self) -> bool {
+        !self.totp
+            && self.recovery.is_none()
+            && self.u2f.is_none()
+            && self.webauthn.is_none()
+            && !self.yubico
+    }
+}
+
 fn bool_is_false(v: &bool) -> bool {
    !v
 }