[pbs-devel] [PATCH proxmox-backup] auth: request a write lock when exposing the `LockedTfaConfig`

Fri Apr 12 14:31:56 CEST 2024

this function is called every time a user tries to log in to check
whether a tfa challenge is required. since the tfa config may need to
be written by the auth api (e.g. when a recovery key is used) this
needs to use a write lock instead of a read lock in order to avoid
potential races.

Signed-off-by: Stefan Sterz <s.sterz at proxmox.com>
---
 src/auth.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/auth.rs b/src/auth.rs
index 04fb3a1d..e27d90d5 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -327,7 +327,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
     /// Access the TFA config with an exclusive lock.
     fn tfa_config_write_lock(&self) -> Result<Box<dyn LockedTfaConfig>, Error> {
         Ok(Box::new(PbsLockedTfaConfig {
-            _lock: crate::config::tfa::read_lock()?,
+            _lock: crate::config::tfa::write_lock()?,
             config: crate::config::tfa::read()?,
         }))
     }
-- 
2.39.2



