Skip to content

Commit cdc2723

Browse files
authored
Merge pull request #42479 from nextcloud/appapi-twofactor
AppAPI: allow to bypass Two-Factor
2 parents b15b12d + 26d343d commit cdc2723

File tree

3 files changed

+25
-7
lines changed

3 files changed

+25
-7
lines changed

core/Middleware/TwoFactorMiddleware.php

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -100,7 +100,10 @@ public function beforeController($controller, $methodName) {
100100
if ($this->userSession->isLoggedIn()) {
101101
$user = $this->userSession->getUser();
102102

103-
if ($this->session->exists('app_password') || $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
103+
if ($this->session->exists('app_password') // authenticated using an app password
104+
|| $this->session->exists('app_api') // authenticated using an AppAPI Auth
105+
|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
106+
104107
$this->checkTwoFactor($controller, $methodName, $user);
105108
} elseif ($controller instanceof TwoFactorChallengeController) {
106109
// Allow access to the two-factor controllers only if two-factor authentication

lib/private/Authentication/TwoFactorAuth/Manager.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -318,8 +318,8 @@ public function needsSecondFactor(IUser $user = null): bool {
318318
return false;
319319
}
320320

321-
// If we are authenticated using an app password skip all this
322-
if ($this->session->exists('app_password')) {
321+
// If we are authenticated using an app password or AppAPI Auth, skip all this
322+
if ($this->session->exists('app_password') || $this->session->get('app_api') === true) {
323323
return false;
324324
}
325325

tests/lib/Authentication/TwoFactorAuth/ManagerTest.php

Lines changed: 19 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -629,13 +629,26 @@ public function testNeedsSecondFactorSessionAuth() {
629629
return false;
630630
} elseif ($var === 'app_password') {
631631
return false;
632+
} elseif ($var === 'app_api') {
633+
return false;
632634
}
633635
return true;
634636
});
637+
$this->session->method('get')
638+
->willReturnCallback(function ($var) {
639+
if ($var === Manager::SESSION_UID_KEY) {
640+
return 'user';
641+
} elseif ($var === 'app_api') {
642+
return true;
643+
}
644+
return null;
645+
});
635646
$this->session->expects($this->once())
636647
->method('get')
637-
->with(Manager::SESSION_UID_DONE)
638-
->willReturn('user');
648+
->willReturnMap([
649+
[Manager::SESSION_UID_DONE, 'user'],
650+
['app_api', true]
651+
]);
639652

640653
$this->assertFalse($this->manager->needsSecondFactor($user));
641654
}
@@ -695,8 +708,10 @@ public function testNeedsSecondFactorInvalidToken() {
695708
public function testNeedsSecondFactorAppPassword() {
696709
$user = $this->createMock(IUser::class);
697710
$this->session->method('exists')
698-
->with('app_password')
699-
->willReturn(true);
711+
->willReturnMap([
712+
['app_password', true],
713+
['app_api', true]
714+
]);
700715

701716
$this->assertFalse($this->manager->needsSecondFactor($user));
702717
}

0 commit comments

Comments
 (0)