[stable32] fix: Add missing PasswordConfirmationRequired attributes

apps/oauth2/lib/Controller/SettingsController.php

@@ -13,6 +13,7 @@
 use OCA\OAuth2\Db\ClientMapper;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\Authentication\Token\IProvider as IAuthTokenProvider;
 use OCP\IL10N;
@@ -40,6 +41,7 @@ public function __construct(
 		parent::__construct($appName, $request);
 	}
 
+	#[PasswordConfirmationRequired(strict: true)]
 	public function addClient(string $name,
 		string $redirectUri): JSONResponse {
 		if (filter_var($redirectUri, FILTER_VALIDATE_URL) === false) {
@@ -66,6 +68,7 @@ public function addClient(string $name,
 		return new JSONResponse($result);
 	}
 
+	#[PasswordConfirmationRequired]
 	public function deleteClient(int $id): JSONResponse {
 		$client = $this->clientMapper->getByUid($id);
 

apps/provisioning_api/lib/Controller/AppsController.php

@@ -109,7 +109,7 @@ public function getAppInfo(string $app): DataResponse {
 	 *
 	 * 200: App enabled successfully
 	 */
-	#[PasswordConfirmationRequired]
+	#[PasswordConfirmationRequired(strict: true)]
 	public function enable(string $app): DataResponse {
 		try {
 			$app = $this->verifyAppId($app);

apps/settings/lib/Controller/AppSettingsController.php

@@ -565,7 +565,7 @@ public function enableApp(string $appId, array $groups = []): JSONResponse {
 	 * @param array $groups
 	 * @return JSONResponse
 	 */
-	#[PasswordConfirmationRequired]
+	#[PasswordConfirmationRequired(strict: true)]
 	public function enableApps(array $appIds, array $groups = []): JSONResponse {
 		try {
 			$updateRequired = false;

apps/settings/lib/Controller/AuthorizedGroupController.php

@@ -10,6 +10,7 @@
 use OCA\Settings\Service\AuthorizedGroupService;
 use OCA\Settings\Service\NotFoundException;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\DB\Exception;
 use OCP\IRequest;
@@ -27,6 +28,7 @@ public function __construct(
 	 * @throws NotFoundException
 	 * @throws Exception
 	 */
+	#[PasswordConfirmationRequired(strict: true)]
 	public function saveSettings(array $newGroups, string $class): DataResponse {
 		$currentGroups = $this->authorizedGroupService->findExistingGroupsForClass($class);
 

apps/settings/lib/Controller/TwoFactorSettingsController.php

@@ -11,6 +11,7 @@
 use OC\Authentication\TwoFactorAuth\EnforcementState;
 use OC\Authentication\TwoFactorAuth\MandatoryTwoFactor;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 
@@ -31,6 +32,7 @@ public function index(): JSONResponse {
 		return new JSONResponse($this->mandatoryTwoFactor->getState());
 	}
 
+	#[PasswordConfirmationRequired(strict: true)]
 	public function update(bool $enforced, array $enforcedGroups = [], array $excludedGroups = []): JSONResponse {
 		$this->mandatoryTwoFactor->setState(
 			new EnforcementState($enforced, $enforcedGroups, $excludedGroups)

core/Controller/TwoFactorApiController.php

@@ -11,6 +11,7 @@
 use OC\Authentication\TwoFactorAuth\ProviderManager;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\ApiRoute;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\Authentication\TwoFactorAuth\IRegistry;
@@ -60,6 +61,7 @@ public function state(string $user): DataResponse {
 	 * 404: user not found
 	 */
 	#[ApiRoute(verb: 'POST', url: '/enable', root: '/twofactor')]
+	#[PasswordConfirmationRequired]
 	public function enable(string $user, array $providers = []): DataResponse {
 		$userObject = $this->userManager->get($user);
 		if ($userObject !== null) {
@@ -84,6 +86,7 @@ public function enable(string $user, array $providers = []): DataResponse {
 	 * 404: user not found
 	 */
 	#[ApiRoute(verb: 'POST', url: '/disable', root: '/twofactor')]
+	#[PasswordConfirmationRequired(strict: true)]
 	public function disable(string $user, array $providers = []): DataResponse {
 		$userObject = $this->userManager->get($user);
 		if ($userObject !== null) {

core/openapi-administration.json

@@ -290,7 +290,7 @@
             "post": {
                 "operationId": "two_factor_api-enable",
                 "summary": "Enable two factor authentication providers for specific user",
-                "description": "This endpoint requires admin access",
+                "description": "This endpoint requires admin access\nThis endpoint requires password confirmation",
                 "tags": [
                     "two_factor_api"
                 ],
@@ -468,7 +468,7 @@
             "post": {
                 "operationId": "two_factor_api-disable",
                 "summary": "Disable two factor authentication providers for specific user",
-                "description": "This endpoint requires admin access",
+                "description": "This endpoint requires admin access\nThis endpoint requires password confirmation",
                 "tags": [
                     "two_factor_api"
                 ],

core/openapi-full.json

@@ -11637,7 +11637,7 @@
             "post": {
                 "operationId": "two_factor_api-enable",
                 "summary": "Enable two factor authentication providers for specific user",
-                "description": "This endpoint requires admin access",
+                "description": "This endpoint requires admin access\nThis endpoint requires password confirmation",
                 "tags": [
                     "two_factor_api"
                 ],
@@ -11815,7 +11815,7 @@
             "post": {
                 "operationId": "two_factor_api-disable",
                 "summary": "Disable two factor authentication providers for specific user",
-                "description": "This endpoint requires admin access",
+                "description": "This endpoint requires admin access\nThis endpoint requires password confirmation",
                 "tags": [
                     "two_factor_api"
                 ],

cypress/e2e/settings/apps.cy.ts

@@ -163,6 +163,9 @@ describe('Settings: App management', { testIsolation: true }, () => {
 			.find('span')
 			.contains('admin')
 			.click()
+
+		handlePasswordConfirmation(admin.password)
+
 		cy.get('span.name-parts__first')
 			.contains('admin')
 			.should('be.visible')

openapi.json

@@ -15161,7 +15161,7 @@
             "post": {
                 "operationId": "core-two_factor_api-enable",
                 "summary": "Enable two factor authentication providers for specific user",
-                "description": "This endpoint requires admin access",
+                "description": "This endpoint requires admin access\nThis endpoint requires password confirmation",
                 "tags": [
                     "core/two_factor_api"
                 ],
@@ -15339,7 +15339,7 @@
             "post": {
                 "operationId": "core-two_factor_api-disable",
                 "summary": "Disable two factor authentication providers for specific user",
-                "description": "This endpoint requires admin access",
+                "description": "This endpoint requires admin access\nThis endpoint requires password confirmation",
                 "tags": [
                     "core/two_factor_api"
                 ],