fix: throw NoPassive when trying to do 2FA in passive request

introduced in fe5daa27 but reverted without explanation in 9e320cfb

lib/Auth/Process/PrivacyideaAuthProc.php

@@ -11,6 +11,7 @@ use SimpleSAML\Error\ConfigurationError;
 use SimpleSAML\Logger;
 use SimpleSAML\Module;
 use SimpleSAML\Module\privacyidea\Auth\Utils;
+use SimpleSAML\Module\saml\Error\NoPassive;
 use SimpleSAML\Utils\HTTP;
 
 /**
@@ -96,6 +97,10 @@ class PrivacyideaAuthProc extends ProcessingFilter
         $username = $state['Attributes'][$this->authProcConfig['uidKey']][0];
         $stateId = State::saveState($state, 'privacyidea:privacyidea');
 
+        if (isset($state['isPassive']) && true === $state['isPassive']) {
+            throw new NoPassive('Passive multi-factor authentication not supported.');
+        }
+
         // Check if it should be controlled that user has no tokens and a new token should be enrolled.
         if (!empty($this->authProcConfig['doEnrollToken']) && true === $this->authProcConfig['doEnrollToken']) {
             $stateId = $this->enrollToken($stateId, $username);