From 18882d02dd8b5a455f18fe1a86b03f193f0a0f12 Mon Sep 17 00:00:00 2001
From: Daniel Hoffend
Date: Thu, 21 Sep 2023 15:35:21 +0200
Subject: [PATCH] Don't accept invalid yubikey tokens
Summary: Don't accept empty/invalid yubikey token input when adding a factor
Test Plan: Use empty yubikey field or token < 12 chars
Reviewers: #roundcube_kolab_plugins_developers, mollekopf
Reviewed By: #roundcube_kolab_plugins_developers, mollekopf
Subscribers: #roundcube_kolab_plugins_developers
Differential Revision: https://git.kolab.org/D375
---
 plugins/kolab_2fa/lib/Kolab2FA/Driver/Yubikey.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/plugins/kolab_2fa/lib/Kolab2FA/Driver/Yubikey.php b/plugins/kolab_2fa/lib/Kolab2FA/Driver/Yubikey.php
index 7220b599..50922d47 100644
--- a/plugins/kolab_2fa/lib/Kolab2FA/Driver/Yubikey.php
+++ b/plugins/kolab_2fa/lib/Kolab2FA/Driver/Yubikey.php
@@ -107,6 +107,10 @@ class Yubikey extends Base
 // truncate the submitted yubikey code to 12 characters
 $value = substr($value, 0, 12);
 }
+ // invalid or no yubikey token provided
+ elseif ($key == 'yubikeyid') {
+ return false;
+ }
 return parent::set($key, $value, $persistent);
 }
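Review bot: Length is still the only validation on `yubikeyid`: any string longer than 12 characters passes the first branch, and its first 12 characters are handed to `parent::set()` as the key ID, so input that could never come from a YubiKey is still accepted when a factor is added. A format test alongside the length test, for example `preg_match('/^[cbdefghijklnrtuv]+$/', (string) $value)` (the modhex alphabet a YubiKey emits), would let the new `return false` cover malformed input as well as short input. The new `elseif ($key == 'yubikeyid')` also rejects a value of exactly 12 characters, because the first test is `> 12`, while the test plan says `< 12`; if `set()` is ever called with an already truncated ID, which this hunk does not show, that call now returns false, so the intended boundary deserves a comment such as `// a bare 12-character ID without the one-time part is rejected on purpose`. The `if` that opens this chain and the signature of `set()` lie above the hunk.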