From 330b8dbbe123607210b96cd346004e3237d6f70f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 30 May 2023 13:39:15 +0200
Subject: [PATCH] api: add /access/users/<userid>/unlock-tfa api call

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/PVE/API2/User.pm | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/src/PVE/API2/User.pm b/src/PVE/API2/User.pm
index ed4cb70..56b5040 100644
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@@ -556,6 +556,38 @@ __PACKAGE__->register_method ({
 	return $res;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'unlock_tfa',
+    path => '{userid}/unlock-tfa',
+    method => 'PUT',
+    protected => 1,
+    description => "Unlock a user's TFA authentication.",
+    permissions => {
+	check => [ 'userid-group', ['User.Modify']],
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid-completed'),
+	},
+    },
+    returns => { type => 'boolean' },
+    code => sub {
+	my ($param) = @_;
+
+	my $userid = extract_param($param, "userid");
+
+	my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub {
+	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+	    my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
+	    cfs_write_file('priv/tfa.cfg', $tfa_cfg)
+		if $was_locked;
+	    return $was_locked;
+	});
+
+	return $user_was_locked;
+    }});
+
 __PACKAGE__->register_method ({
     name => 'token_index',
     path => '{userid}/token',