From 33d7486516f62bd3f87aed1f8fed2fa6bdc21e8e Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Thu, 26 Jun 2025 16:51:08 +0200
Subject: [PATCH] Fix an issue with yubico keys not validating

When adding or updating yubico otp keys there were some issues with the validation. Looks like the web-vault sends all keys, not only filled-in keys, which triggered a check on empty keys. Also, we should only return filled-in keys, not the empty ones too.
Fixes #5986
Signed-off-by: BlackDex
---
 src/api/core/two_factor/yubikey.rs | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/api/core/two_factor/yubikey.rs b/src/api/core/two_factor/yubikey.rs
index a6d9898d..2de69b40 100644
--- a/src/api/core/two_factor/yubikey.rs
+++ b/src/api/core/two_factor/yubikey.rs
@@ -145,15 +145,23 @@ async fn activate_yubikey(data: Json, headers: Headers, mut c
 // Ensure they are valid OTPs
 for yubikey in &yubikeys {
- if yubikey.len() == 12 {
- // YubiKey ID
+ if yubikey.is_empty() || yubikey.len() == 12 {
 continue;
 }
 verify_yubikey_otp(yubikey.to_owned()).await.map_res("Invalid Yubikey OTP provided")?;
 }
- let yubikey_ids: Vec = yubikeys.into_iter().map(|x| (x[..12]).to_owned()).collect();
+ let yubikey_ids: Vec = yubikeys
+ .into_iter()
+ .filter_map(|x| {
+ if x.len() >= 12 {
+ Some((x[..12]).to_owned())
+ } else {
+ None
+ }
+ })
+ .collect();
 let yubikey_metadata = YubikeyMetadata {
 keys: yubikey_ids,
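Review bot: `yubikey_ids` can now come out empty when every submitted slot is an empty string, and nothing in this hunk stops `YubikeyMetadata` from being built with zero keys. If `activate_yubikey` checks `yubikeys` for emptiness earlier (its body starts and ends outside the hunk), that check runs while the empty strings are still in the list, so it would not catch this case. Dropping the blanks once, where `yubikeys` is first built, e.g. `.filter(|k| !k.is_empty())`, or adding `if yubikey_ids.is_empty()` with an error return before the metadata is constructed, would close that gap and let the loop and the ID extraction share one predicate. The removed `// YubiKey ID` comment was also the only explanation of why a 12-character entry skips OTP verification; I would restore it as something like `// 12 chars: treated as a YubiKey ID and not re-verified`.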