AppAPI: allowed to bypass Two-Factor

Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
author: Alexander Piskun <bigcat88@icloud.com> 2023-12-25 18:12:54 +0300
committer: Alexander Piskun <bigcat88@icloud.com> 2023-12-28 20:59:02 +0300
commit: 26d343d33aa763b7126937680769525e51638b90 (patch)
tree: 0a5496fb3938a4873de535322cfebad948d95398 /core
parent: 17cb5dadcd6be4bf26c5d7bb012db01722ce1ec0 (diff)
download: nextcloud-server-26d343d33aa763b7126937680769525e51638b90.tar.gz
nextcloud-server-26d343d33aa763b7126937680769525e51638b90.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php
index f421528dff7..4b5618eb23d 100644
--- a/core/Middleware/TwoFactorMiddleware.php
+++ b/core/Middleware/TwoFactorMiddleware.php
@@ -100,7 +100,10 @@ class TwoFactorMiddleware extends Middleware {
 		if ($this->userSession->isLoggedIn()) {
 			$user = $this->userSession->getUser();
 
-			if ($this->session->exists('app_password') || $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
+			if ($this->session->exists('app_password')  // authenticated using an app password
+				|| $this->session->exists('app_api')  // authenticated using an AppAPI Auth
+				|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
+
 				$this->checkTwoFactor($controller, $methodName, $user);
 			} elseif ($controller instanceof TwoFactorChallengeController) {
 				// Allow access to the two-factor controllers only if two-factor authentication
author	Alexander Piskun <bigcat88@icloud.com>	2023-12-25 18:12:54 +0300
committer	Alexander Piskun <bigcat88@icloud.com>	2023-12-28 20:59:02 +0300
commit	26d343d33aa763b7126937680769525e51638b90 (patch)
tree	0a5496fb3938a4873de535322cfebad948d95398 /core
parent	17cb5dadcd6be4bf26c5d7bb012db01722ce1ec0 (diff)
download	nextcloud-server-26d343d33aa763b7126937680769525e51638b90.tar.gz nextcloud-server-26d343d33aa763b7126937680769525e51638b90.zip