From ea67cd70c9d8b22f4b5596766528832ab8610c8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Fri, 19 Nov 2021 14:10:57 +0100
Subject: [PATCH] tfa: handle incompatible challenge data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

by returning default data, in case the challenge data is not parseable. this allows a new challenge to be started for the userid in question without manual cleanup. currently this can be triggered if an ongoing challenge created with webauthn-rs 0.2.5 is stored in /run and attempted to be read post-upgrade.

Reported-by: Wolfgang Bumiller
Signed-off-by: Fabian Grünbichler
---
 src/config/tfa.rs | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/config/tfa.rs b/src/config/tfa.rs
index 0e0b7638..cb34f26c 100644
--- a/src/config/tfa.rs
+++ b/src/config/tfa.rs
@@ -256,13 +256,17 @@ impl proxmox_tfa::api::OpenUserChallengeData for UserAccess {
 let inner = if data.is_empty() {
 Default::default()
 } else {
- serde_json::from_slice(&data).map_err(|err| {
- format_err!(
- "failed to parse challenge data for user {}: {}",
- userid,
- err
- )
- })?
+ match serde_json::from_slice(&data) {
+ Ok(inner) => inner,
+ Err(err) => {
+ eprintln!(
+ "failed to parse challenge data for user {}: {}",
+ userid,
+ err
+ );
+ Default::default()
+ },
+ }
 };

 Ok(TfaUserChallengeData {
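Review bot: The new `Err(err)` arm handles every deserialization failure the same way, so a truncated or otherwise corrupted challenge file is reset exactly like one written by an older webauthn-rs, and the only trace is an `eprintln!` line. Falling back to `Default::default()` looks fail-closed (presumably an empty set of open challenges, so a pending login has to be restarted rather than being accepted), but nothing in the code says so; a comment above the fallback such as `// unparsable state is dropped: treated as "no open challenges", the user has to start a new one` would record the intent. If a logging facade is in scope in this module, a warning-level log call would make these resets easier to find and alert on than raw stderr output. The enclosing function begins and ends outside the hunk, so whether the discarded data is overwritten on the next save cannot be confirmed from here.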