Merge pull request #42479 from nextcloud/appapi-twofactor

bigcat88 · web-flow · commit cdc2723d97ff · 2023-12-29T11:29:29.000+03:00
AppAPI: allow to bypass Two-Factor
diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php
@@ -100,7 +100,10 @@ public function beforeController($controller, $methodName) {
 		if ($this->userSession->isLoggedIn()) {
 			$user = $this->userSession->getUser();
 
-			if ($this->session->exists('app_password') || $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
+			if ($this->session->exists('app_password')  // authenticated using an app password
+				|| $this->session->exists('app_api')  // authenticated using an AppAPI Auth
+				|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
+
 				$this->checkTwoFactor($controller, $methodName, $user);
 			} elseif ($controller instanceof TwoFactorChallengeController) {
 				// Allow access to the two-factor controllers only if two-factor authentication
diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
@@ -318,8 +318,8 @@ public function needsSecondFactor(IUser $user = null): bool {
 			return false;
 		}
 
-		// If we are authenticated using an app password skip all this
-		if ($this->session->exists('app_password')) {
+		// If we are authenticated using an app password or AppAPI Auth, skip all this
+		if ($this->session->exists('app_password') || $this->session->get('app_api') === true) {
 			return false;
 		}
 
diff --git a/tests/lib/Authentication/TwoFactorAuth/ManagerTest.php b/tests/lib/Authentication/TwoFactorAuth/ManagerTest.php
@@ -629,13 +629,26 @@ public function testNeedsSecondFactorSessionAuth() {
 					return false;
 				} elseif ($var === 'app_password') {
 					return false;
+				} elseif ($var === 'app_api') {
+					return false;
 				}
 				return true;
 			});
+		$this->session->method('get')
+			->willReturnCallback(function ($var) {
+				if ($var === Manager::SESSION_UID_KEY) {
+					return 'user';
+				} elseif ($var === 'app_api') {
+					return true;
+				}
+				return null;
+			});
 		$this->session->expects($this->once())
 			->method('get')
-			->with(Manager::SESSION_UID_DONE)
-			->willReturn('user');
+			->willReturnMap([
+				[Manager::SESSION_UID_DONE, 'user'],
+				['app_api', true]
+			]);
 
 		$this->assertFalse($this->manager->needsSecondFactor($user));
 	}
@@ -695,8 +708,10 @@ public function testNeedsSecondFactorInvalidToken() {
 	public function testNeedsSecondFactorAppPassword() {
 		$user = $this->createMock(IUser::class);
 		$this->session->method('exists')
-			->with('app_password')
-			->willReturn(true);
+			->willReturnMap([
+				['app_password', true],
+				['app_api', true]
+			]);
 
 		$this->assertFalse($this->manager->needsSecondFactor($user));
 	}

Original file line number	Diff line number	Diff line change
`@@ -318,8 +318,8 @@ public function needsSecondFactor(IUser $user = null): bool {`
`318`	`318`	`return false;`
`319`	`319`	`}`
`320`	`320`
`321`		`- // If we are authenticated using an app password skip all this`
`322`		`- if ($this->session->exists('app_password')) {`
	`321`	`+ // If we are authenticated using an app password or AppAPI Auth, skip all this`
	`322`	`+ if ($this->session->exists('app_password') \|\| $this->session->get('app_api') === true) {`
`323`	`323`	`return false;`
`324`	`324`	`}`
`325`	`325`