From ae59aeabc9c7323a69819cb2cd26f9935eceb31f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ou=C5=A1ek?= <brousek@ics.muni.cz>
Date: Tue, 29 Mar 2022 16:13:14 +0200
Subject: [PATCH] fix: throw NoPassive when trying to do 2FA in passive request

introduced in fe5daa27b9a50ad0bcd834aa0b17e91554e99752 but reverted without explanation in 9e320cfbc3160ee2bba217963db24d805f33ead5
---
 lib/Auth/Process/PrivacyideaAuthProc.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/Auth/Process/PrivacyideaAuthProc.php b/lib/Auth/Process/PrivacyideaAuthProc.php
index 861e690..4aa449f 100644
--- a/lib/Auth/Process/PrivacyideaAuthProc.php
+++ b/lib/Auth/Process/PrivacyideaAuthProc.php
@@ -11,6 +11,7 @@ use SimpleSAML\Error\ConfigurationError;
 use SimpleSAML\Logger;
 use SimpleSAML\Module;
 use SimpleSAML\Module\privacyidea\Auth\Utils;
+use SimpleSAML\Module\saml\Error\NoPassive;
 use SimpleSAML\Utils\HTTP;
 
 /**
@@ -96,6 +97,10 @@ class PrivacyideaAuthProc extends ProcessingFilter
         $username = $state['Attributes'][$this->authProcConfig['uidKey']][0];
         $stateId = State::saveState($state, 'privacyidea:privacyidea');
 
+        if (isset($state['isPassive']) && true === $state['isPassive']) {
+            throw new NoPassive('Passive multi-factor authentication not supported.');
+        }
+
         // Check if it should be controlled that user has no tokens and a new token should be enrolled.
         if (!empty($this->authProcConfig['doEnrollToken']) && true === $this->authProcConfig['doEnrollToken']) {
             $stateId = $this->enrollToken($stateId, $username);
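Review bot: The new `throw new NoPassive('Passive multi-factor authentication not supported.')` passes the message as the first constructor argument, but in SimpleSAMLphp the `NoPassive` error constructor takes the SAML status "responsible" code first and the status message second; if that is the signature of the installed version, the message string would be used as the responsible URI and the status message left empty. Confirm against the installed SimpleSAMLphp version and, if so, change the line to `throw new NoPassive(\SAML2\Constants::STATUS_RESPONDER, 'Passive multi-factor authentication not supported.');`. The check is also placed after `State::saveState($state, 'privacyidea:privacyidea')`, so a passive request persists a state entry before being rejected; moving the three added lines above the `saveState` call avoids leaving that entry behind. The enclosing method starts and ends outside the hunk.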
-- 
GitLab