This repository has been archived by the owner on Oct 10, 2024. It is now read-only.
Hi Jordan,
the TokenValidator is calling getTokenList, which also succeeds if the PI server has no connection to its database, because piConnection:getTokenList does not call checkAPISuccess. This means that, in the case of an unstable database, 2FA is bypassed. We see this as a security issue; the plugin should not let the flow succeed in this case.
Regards,
Martin
This is a design choice. Currently this implementation is designed to fail open in the case you identified (missing database server) but also in other cases, such as Shibboleth being unable to securely contact the privacyIDEA server (due to bad certificate, etc).
I don't have any plans presently to fix this, but I am open to a pull request if someone else would like to try.
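The fail-open path described in the issue and the reply above, shown as an added Python example (not the plugin's Java code and not part of this thread). It assumes the privacyIDEA JSON envelope of the form `{"result": {"status": true, "value": ...}}` on success and `{"result": {"status": false, "error": {...}}}` on failure; `check_api_success` is a stand-in for what the issue calls `checkAPISuccess`, and the three response bodies are constructed for the example, not captured from a server. `decide_fail_open` treats an error envelope, a malformed body or a transport failure (for instance the bad-certificate case from the reply) exactly like "the user has no tokens", which is the bypass; `decide_fail_closed` denies on all of them and only reports "no tokens" when the server positively confirmed success.

```python
"""Fail-open vs. fail-closed handling of a privacyIDEA /token/ response.

Added example; the response format below is an assumption about the
privacyIDEA JSON envelope, and the sample bodies are constructed.
"""
import json


class PrivacyIdeaError(Exception):
    """Raised whenever the API did not positively confirm success."""


# Constructed sample bodies (not real server output).
OK_RESPONSE = json.dumps({
    "result": {"status": True,
               "value": {"count": 1,
                         "tokens": [{"serial": "TOTP0001", "active": True}]}},
})
DB_DOWN_RESPONSE = json.dumps({
    "result": {"status": False,
               "error": {"code": -500, "message": "database connection failed"}},
})
GARBLED_RESPONSE = '{"detail": {}}'   # envelope with no "result" at all


def tls_failure():
    """Stand-in for an HTTP client that cannot establish a trusted TLS session."""
    raise ConnectionError("certificate verify failed")


def token_list_fail_open(body):
    """The pattern the issue describes: read 'value.tokens' without checking
    result.status, so an error envelope silently becomes an empty list."""
    data = json.loads(body)
    return data.get("result", {}).get("value", {}).get("tokens", [])


def check_api_success(data):
    """Stand-in for checkAPISuccess: insist on result.status == true."""
    result = data.get("result")
    if not isinstance(result, dict) or result.get("status") is not True:
        error = result.get("error", {}) if isinstance(result, dict) else {}
        raise PrivacyIdeaError(error.get("message", "no result.status == true"))
    return result


def token_list_fail_closed(body):
    """Only return a list when the server confirmed success and the list is present."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise PrivacyIdeaError("unparseable response body") from exc
    value = check_api_success(data).get("value")
    if not isinstance(value, dict) or not isinstance(value.get("tokens"), list):
        raise PrivacyIdeaError("success envelope without a token list")
    return value["tokens"]


def decide_fail_open(fetch_body):
    """Flow decision with fail-open semantics: any failure looks like 'no tokens'."""
    try:
        body = fetch_body()
    except OSError:                  # TLS / connection failure swallowed
        return "NO_TOKENS"
    try:
        tokens = token_list_fail_open(body)
    except ValueError:               # unparseable body swallowed too
        return "NO_TOKENS"
    return "REQUIRE_OTP" if tokens else "NO_TOKENS"


def decide_fail_closed(fetch_body):
    """Flow decision with fail-closed semantics: every failure denies.
    'NO_TOKENS' is now only reachable after a confirmed-success response;
    what to do with a genuinely token-less user is a separate policy choice."""
    try:
        tokens = token_list_fail_closed(fetch_body())
    except (PrivacyIdeaError, OSError):
        return "DENY"
    return "REQUIRE_OTP" if tokens else "NO_TOKENS"


if __name__ == "__main__":
    for name, fetch in (("ok", lambda: OK_RESPONSE),
                        ("db down", lambda: DB_DOWN_RESPONSE),
                        ("garbled", lambda: GARBLED_RESPONSE),
                        ("tls", tls_failure)):
        print(f"{name:8} fail-open={decide_fail_open(fetch):12} "
              f"fail-closed={decide_fail_closed(fetch)}")
```

The difference that matters is in the "db down" and "tls" rows: the fail-open decision returns the same value for "server could not answer" and "user has no token", so the login flow cannot tell the two apart; the fail-closed decision keeps them distinct, and the caller is forced to handle an unreachable or broken privacyIDEA backend explicitly rather than by accident.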