From c690c6fbd24eccce0ceb5e5fb400b99251a59667 Mon Sep 17 00:00:00 2001
From: Richard Steinmetz <richard@steinmetz.cloud>
Date: Tue, 17 Jun 2025 22:39:25 +0200
Subject: fix: update request token on two-factor pages

Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
---
 core/Controller/TwoFactorChallengeController.php |  5 +++++
 core/src/twofactor-request-token.ts              | 25 ++++++++++++++++++++++++
 core/templates/twofactorselectchallenge.php      |  2 +-
 core/templates/twofactorsetupchallenge.php       |  2 +-
 core/templates/twofactorsetupselection.php       |  2 +-
 core/templates/twofactorshowchallenge.php        |  2 +-
 6 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 core/src/twofactor-request-token.ts

(limited to 'core')

diff --git a/core/Controller/TwoFactorChallengeController.php b/core/Controller/TwoFactorChallengeController.php
index ef0f420fc82..4791139bb12 100644
--- a/core/Controller/TwoFactorChallengeController.php
+++ b/core/Controller/TwoFactorChallengeController.php
@@ -25,6 +25,7 @@ use OCP\IRequest;
 use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\IUserSession;
+use OCP\Util;
 use Psr\Log\LoggerInterface;
 
 #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
@@ -89,6 +90,7 @@ class TwoFactorChallengeController extends Controller {
 			'logout_url' => $this->getLogoutUrl(),
 			'hasSetupProviders' => !empty($setupProviders),
 		];
+		Util::addScript('core', 'twofactor-request-token');
 		return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
 	}
 
@@ -141,6 +143,7 @@ class TwoFactorChallengeController extends Controller {
 		if ($provider instanceof IProvidesCustomCSP) {
 			$response->setContentSecurityPolicy($provider->getCSP());
 		}
+		Util::addScript('core', 'twofactor-request-token');
 		return $response;
 	}
 
@@ -204,6 +207,7 @@ class TwoFactorChallengeController extends Controller {
 			'redirect_url' => $redirect_url,
 		];
 
+		Util::addScript('core', 'twofactor-request-token');
 		return new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
 	}
 
@@ -235,6 +239,7 @@ class TwoFactorChallengeController extends Controller {
 			'template' => $tmpl->fetchPage(),
 		];
 		$response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
+		Util::addScript('core', 'twofactor-request-token');
 		return $response;
 	}
 
diff --git a/core/src/twofactor-request-token.ts b/core/src/twofactor-request-token.ts
new file mode 100644
index 00000000000..868ceec01e9
--- /dev/null
+++ b/core/src/twofactor-request-token.ts
@@ -0,0 +1,25 @@
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { onRequestTokenUpdate } from '@nextcloud/auth'
+import { getBaseUrl } from '@nextcloud/router'
+
+document.addEventListener('DOMContentLoaded', () => {
+	onRequestTokenUpdate((token) => {
+		const cancelLink = window.document.getElementById('cancel-login')
+		if (!cancelLink) {
+			return
+		}
+
+		const href = cancelLink.getAttribute('href')
+		if (!href) {
+			return
+		}
+
+		const parsedHref = new URL(href, getBaseUrl())
+		parsedHref.searchParams.set('requesttoken', token)
+		cancelLink.setAttribute('href', parsedHref.pathname + parsedHref.search)
+	})
+})
diff --git a/core/templates/twofactorselectchallenge.php b/core/templates/twofactorselectchallenge.php
index 8f31db3f154..e979cfd58ab 100644
--- a/core/templates/twofactorselectchallenge.php
+++ b/core/templates/twofactorselectchallenge.php
@@ -76,7 +76,7 @@ $noProviders = empty($_['providers']);
 		</a>
 	</p>
 	<?php endif; ?>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 		<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>
diff --git a/core/templates/twofactorsetupchallenge.php b/core/templates/twofactorsetupchallenge.php
index 09a143f1100..c575ca21343 100644
--- a/core/templates/twofactorsetupchallenge.php
+++ b/core/templates/twofactorsetupchallenge.php
@@ -14,7 +14,7 @@ $template = $_['template'];
 <div class="body-login-container update">
 	<h2 class="two-factor-header"><?php p($provider->getDisplayName()); ?></h2>
 	<?php print_unescaped($template); ?>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 			<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>
diff --git a/core/templates/twofactorsetupselection.php b/core/templates/twofactorsetupselection.php
index 2eeaa49d6af..77139ab0e2a 100644
--- a/core/templates/twofactorsetupselection.php
+++ b/core/templates/twofactorsetupselection.php
@@ -35,7 +35,7 @@ declare(strict_types=1);
 		</li>
 	<?php endforeach; ?>
 	</ul>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 		<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>
diff --git a/core/templates/twofactorshowchallenge.php b/core/templates/twofactorshowchallenge.php
index c0286c44c9c..6bc367d4025 100644
--- a/core/templates/twofactorshowchallenge.php
+++ b/core/templates/twofactorshowchallenge.php
@@ -38,7 +38,7 @@ $template = $_['template'];
 		</a>
 	</p>
 	<?php endif; ?>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 		<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>
-- 
cgit v1.2.3