author | Kate <26026535+provokateurin@users.noreply.github.com> | 2025-06-03 15:15:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-06-03 15:15:44 +0200 |
commit | cfeec72fff9dfab222841470034fdd12272f2a53 (patch) | |
tree | 40a2ba64120fa9db5ea07a01ead13a401983b9af | |
parent | 8d8d1914e3384567a0dfdc18fb22cf051338f78b (diff) | |
parent | fa7310add946f9d67aec2a34f5b6dc097158ea59 (diff) | |
download | nextcloud-server-cfeec72fff9dfab222841470034fdd12272f2a53.tar.gz nextcloud-server-cfeec72fff9dfab222841470034fdd12272f2a53.zip |
Merge pull request #53292 from nextcloud/fix/loginflow
-rw-r--r-- | core/Controller/ClientFlowLoginController.php | 2 | ||||
-rw-r--r-- | core/Controller/ClientFlowLoginV2Controller.php | 2 | ||||
-rw-r--r-- | core/js/login/grant.js | 19 |
3 files changed, 22 insertions, 1 deletions
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index affb60f2b2e..0e6e1fc8404 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -17,6 +17,7 @@ use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\Attribute\UseSession;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
@@ -214,6 +215,7 @@ class ClientFlowLoginController extends Controller {
 #[NoAdminRequired]
 #[UseSession]
+ #[PasswordConfirmationRequired(strict: false)]
 #[FrontpageRoute(verb: 'POST', url: '/login/flow')]
 public function generateAppPassword(
 string $stateToken,
diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php
index e21a0cb250d..84212002895 100644
--- a/core/Controller/ClientFlowLoginV2Controller.php
+++ b/core/Controller/ClientFlowLoginV2Controller.php
@@ -19,6 +19,7 @@ use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\Attribute\UseSession;
 use OCP\AppFramework\Http\JSONResponse;
@@ -228,6 +229,7 @@ class ClientFlowLoginV2Controller extends Controller {
 #[NoAdminRequired]
 #[UseSession]
+ #[PasswordConfirmationRequired(strict: false)]
 #[FrontpageRoute(verb: 'POST', url: '/login/v2/grant')]
 public function generateAppPassword(?string $stateToken): Response {
 if ($stateToken === null) {
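Review bot: `#[PasswordConfirmationRequired(strict: false)]` is added to `generateAppPassword` here and again in the `ClientFlowLoginV2Controller` hunk, with nothing recording why the non-strict mode was chosen for an endpoint that issues an app password. As far as I know, non-strict mode accepts a recent confirmation remembered in the session rather than verifying the password with this request, which is presumably what lets the dialog in `grant.js` satisfy it. That trade-off deserves a line above the attribute, e.g. `// strict: false: a recent session password confirmation is accepted; the grant page prompts for it before submitting`. The diffstat lists no test file, so a controller test asserting the attribute on both methods would keep it from being dropped silently in a later refactor. Both method bodies continue outside the hunks.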
diff --git a/core/js/login/grant.js b/core/js/login/grant.js
index a8c788397a8..c6134504421 100644
--- a/core/js/login/grant.js
+++ b/core/js/login/grant.js
@@ -2,11 +2,28 @@
 * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
-document.querySelector('form').addEventListener('submit', function(e) {
+
+const form = document.querySelector('form')
+form.addEventListener('submit', function(event) {
 const wrapper = document.getElementById('submit-wrapper')
 if (wrapper === null) {
 return
 }
+
+ if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+ // stop the event
+ event.preventDefault()
+ event.stopPropagation()
+
+ // handle password confirmation
+ OC.PasswordConfirmation.requirePasswordConfirmation(function () {
+ // when password is confirmed we submit the form
+ form.submit()
+ })
+
+ return false
+ }
+
 Array.from(wrapper.getElementsByClassName('icon-confirm-white')).forEach(function(el) {
 el.classList.remove('icon-confirm-white')
 el.classList.add(OCA.Theming && OCA.Theming.inverted ? 'icon-loading-small' : 'icon-loading-small-dark') |
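Review bot: `form.submit()` in the confirmation callback does not dispatch a `submit` event, so once the password is confirmed this listener never runs again and the icon swap at the end of the hunk (plus whatever follows it outside the hunk) is skipped, leaving the user without a loading state. Calling `form.requestSubmit()` instead re-enters the listener, which should then fall through because `requiresPasswordConfirmation()` is presumably false right after a successful confirmation. `return false` has no effect in a listener registered with `addEventListener`, so a plain `return` is enough. The new branch also assumes `OC.PasswordConfirmation` is defined on the grant page, whereas the same handler guards `OCA.Theming` before use; it is worth confirming the template loads the script that provides it, since a missing global would throw before the server-side check is ever reached.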