Explicitly allow some routes without 2FA

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

diff --git a/core/Controller/OCJSController.php b/core/Controller/OCJSController.php
index 71f0941b46ce130e01c46fe54a6399dcc6b24f06..379b08bf22ea968cb64701f777cd3066079623e8 100644 (file)
--- a/core/Controller/OCJSController.php
+++ b/core/Controller/OCJSController.php
@@ -98,6 +98,7 @@ class OCJSController extends Controller {
 
        /**
         * @NoCSRFRequired
+        * @NoTwoFactorRequired
         * @PublicPage
         *
         * @return DataDisplayResponse

diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php
index fbdb106b7bb596eab5da3e24ba0196c54b92e6d8..4c13a99a1aabb37bcefb43518a550fdfc8866026 100644 (file)
--- a/core/Middleware/TwoFactorMiddleware.php
+++ b/core/Middleware/TwoFactorMiddleware.php
@@ -83,6 +83,12 @@ class TwoFactorMiddleware extends Middleware {
         * @param string $methodName
         */
        public function beforeController($controller, $methodName) {
+               if ($this->reflector->hasAnnotation('NoTwoFactorRequired')) {
+                       // Route handler explicitly marked to work without finished 2FA are
+                       // not blocked
+                       return;
+               }
+
                if ($controller instanceof APIController && $methodName === 'poll') {
                        // Allow polling the twofactor nextcloud notifications state
                        return;