auth: request a write lock when exposing the LockedTfaConfig

this function is called every time a user tries to log in to check
whether a tfa challenge is required. since the tfa config may need to
be written by the auth api (e.g. when a recovery key is used) this
needs to use a write lock instead of a read lock in order to avoid
potential races.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>

src/auth.rs

@@ -405,7 +405,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
     /// Access the TFA config with an exclusive lock.
     fn tfa_config_write_lock(&self) -> Result<Box<dyn LockedTfaConfig>, Error> {
         Ok(Box::new(PbsLockedTfaConfig {
-            _lock: crate::config::tfa::read_lock()?,
+            _lock: crate::config::tfa::write_lock()?,
             config: crate::config::tfa::read()?,
         }))
     }