api: add /access/users/<userid>/unlock-tfa api call

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2025-10-04 10:16:34 +00:00 · 2023-05-30 13:39:15 +02:00 · 2023-05-30 13:39:15 +02:00 · 330b8dbbe1
commit 330b8dbbe1
parent 9036621e28
1 changed files with 32 additions and 0 deletions
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@ -556,6 +556,38 @@ __PACKAGE__->register_method ({
 	return $res;
    }});

+__PACKAGE__->register_method ({
+    name => 'unlock_tfa',
+    path => '{userid}/unlock-tfa',
+    method => 'PUT',
+    protected => 1,
+    description => "Unlock a user's TFA authentication.",
+    permissions => {
+	check => [ 'userid-group', ['User.Modify']],
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid-completed'),
+	},
+    },
+    returns => { type => 'boolean' },
+    code => sub {
+	my ($param) = @_;
+
+	my $userid = extract_param($param, "userid");
+
+	my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub {
+	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+	    my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
+	    cfs_write_file('priv/tfa.cfg', $tfa_cfg)
+		if $was_locked;
+	    return $was_locked;
+	});
+
+	return $user_was_locked;
+    }});
+
 __PACKAGE__->register_method ({
    name => 'token_index',
    path => '{userid}/token',