1 files changed, 13 insertions, 4 deletions

diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php
index 9a87fe51c47..edf7c26e94c 100644
--- a/core/Controller/CSRFTokenController.php
+++ b/core/Controller/CSRFTokenController.php
@@ -12,11 +12,12 @@ use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 
-#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 class CSRFTokenController extends Controller {
 	public function __construct(
 		string $appName,
@@ -27,11 +28,19 @@ class CSRFTokenController extends Controller {
 	}
 
 	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @PublicPage
+	 * Returns a new CSRF token.
+	 *
+	 * @return JSONResponse<Http::STATUS_OK, array{token: string}, array{}>|JSONResponse<Http::STATUS_FORBIDDEN, list<empty>, array{}>
+	 *
+	 * 200: CSRF token returned
+	 * 403: Strict cookie check failed
+	 *
+	 * @NoTwoFactorRequired
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
 	#[FrontpageRoute(verb: 'GET', url: '/csrftoken')]
+	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
 	public function index(): JSONResponse {
 		if (!$this->request->passesStrictCookieCheck()) {
 			return new JSONResponse([], Http::STATUS_FORBIDDEN);