Merge pull request #53296 from nextcloud/backport/53292/stable30

Author: provokateurin

core/Controller/ClientFlowLoginController.php

@@ -19,6 +19,7 @@
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\Attribute\UseSession;
 use OCP\AppFramework\Http\Response;
@@ -214,6 +215,7 @@ public function grantPage(string $stateToken = '',
 	 */
 	#[NoAdminRequired]
 	#[UseSession]
+	#[PasswordConfirmationRequired(strict: false)]
 	#[FrontpageRoute(verb: 'POST', url: '/login/flow')]
 	public function generateAppPassword(string $stateToken,
 		string $clientIdentifier = '',

core/Controller/ClientFlowLoginV2Controller.php

@@ -18,6 +18,7 @@
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\Attribute\UseSession;
 use OCP\AppFramework\Http\JSONResponse;
@@ -219,6 +220,7 @@ public function apptokenRedirect(?string $stateToken, string $user, string $pass
 
 	#[NoAdminRequired]
 	#[UseSession]
+	#[PasswordConfirmationRequired(strict: false)]
 	#[FrontpageRoute(verb: 'POST', url: '/login/v2/grant')]
 	public function generateAppPassword(?string $stateToken): Response {
 		if ($stateToken === null) {

core/js/login/grant.js

@@ -2,11 +2,28 @@
  * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
-document.querySelector('form').addEventListener('submit', function(e) {
+
+const form = document.querySelector('form')
+form.addEventListener('submit', function(event) {
 	const wrapper = document.getElementById('submit-wrapper')
 	if (wrapper === null) {
 		return
 	}
+
+	if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+		// stop the event
+		event.preventDefault()
+		event.stopPropagation()
+
+		// handle password confirmation
+		OC.PasswordConfirmation.requirePasswordConfirmation(function () {
+			// when password is confirmed we submit the form
+			form.submit()
+		})
+
+		return false
+	}
+
 	Array.from(wrapper.getElementsByClassName('icon-confirm-white')).forEach(function(el) {
 		el.classList.remove('icon-confirm-white')
 		el.classList.add(OCA.Theming && OCA.Theming.inverted ? 'icon-loading-small' : 'icon-loading-small-dark')