api: include tfa lock status in user list

Like in PVE. This means that /access/users is now a 'protected' call to get access to 'tfa.cfg'. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-06-23 14:30:36 +02:00 · 2023-06-23 14:30:36 +02:00 · 902a0e8cb5
commit 902a0e8cb5
parent f486f8485c
1 changed files with 19 additions and 0 deletions
--- a/pbs-api-types/src/user.rs
+++ b/pbs-api-types/src/user.rs
@ -73,9 +73,20 @@ pub const EMAIL_SCHEMA: Schema = StringSchema::new("E-Mail Address.")
                type: ApiToken
            },
        },
+        "totp-locked": {
+            type: bool,
+            optional: true,
+            default: false,
+            description: "True if the user is currently locked out of TOTP factors",
+        },
+        "tfa-locked-until": {
+            optional: true,
+            description: "Contains a timestamp until when a user is locked out of 2nd factors",
+        },
    }
 )]
 #[derive(Serialize, Deserialize, Clone, PartialEq)]
+#[serde(rename_all = "kebab-case")]
 /// User properties with added list of ApiTokens
 pub struct UserWithTokens {
    pub userid: Userid,
@ -93,6 +104,14 @@ pub struct UserWithTokens {
    pub email: Option<String>,
    #[serde(skip_serializing_if = "Vec::is_empty", default)]
    pub tokens: Vec<ApiToken>,
+    #[serde(skip_serializing_if = "bool_is_false")]
+    pub totp_locked: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub tfa_locked_until: Option<i64>,
+}
+
+fn bool_is_false(b: &bool) -> bool {
+    !b
 }

 #[api(