Description
Is your feature request related to a problem? Please describe.
After logging in with username and password, but before having verified the 2FA challenge, no API/Page controller method can be called by the page showing the 2FA challenge during TwoFactorChallengeController::showChallenge. All requests are redirected to "core.TwoFactorChallenge.selectChallenge". Meanwhile an anonymous user can call every controller method which is annotated with PublicPage.
One concrete example: I'd like to be able to call https:///my2fa/id to get a user's external user id of a 3rd party service. I'd like to be able to call this method after the user has authenticated with username and password but before the 2FA challenge is verified, since I need my plugin's controller method to start a remote session and to verify the 2FA auth challenge etc.
This was possible using the PublicPage annotation before NC 20.0.13 (#28742).
Describe the solution you'd like
I'd like to have an annotation for a controller method to mean "this method can be called after a username is known, before and after the second auth factor is verified". Or maybe the possibility that I can call a 2FA controller method even after the 2FA login.
Describe alternatives you've considered
Currently I have to duplicate my set of controllers for our 2FA plugin. One set for users that are about to log in (2FA) and one set for users that are already logged in (2FA or password only). This is because https://github.com/nextcloud/server/blob/master/core/Middleware/TwoFactorMiddleware.php#L85 doesn't allow TwoFactorChallengeController to be called when a user is already logged in and 2FA auth isn't enabled yet, and it also doesn't allow method calls if 2FA auth is enabled for a user but the 2FA auth challenge isn't verified yet. One place where this results in a conflict is when rendering the settings panel for a 2FA plugin. I need to use my plugin's controller methods to determine if the user already has an external account to respond adequately when that user chooses to enable 2FA, but since it's not enabled yet my 2FA controller method call isn't allowed because "user already logged in".
This is a non-trivial niche issue only affecting 2FA providers, but having to rely on undocumented implementation details (special handling of controllers based on their type) is not how this platform intends to be used I assume. Especially in the security context.
Thanks for reading
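To make the gating described in this issue concrete, here is an added, simplified model of the decision a two-factor middleware makes per request. It is not Nextcloud's TwoFactorMiddleware and does not reproduce its code; it encodes only the behaviour the report states (anonymous callers reach PublicPage methods, a user with a pending 2FA challenge is redirected to "core.TwoFactorChallenge.selectChallenge" for everything except the challenge controller, and the challenge controller is refused once the user is past the challenge). The `allow_during_2fa_challenge` flag, the `Route` type and the `redirect:login` target are assumptions standing in for the annotation the reporter asks for; the point of the model is that such an annotation must widen access only for the password-verified-but-pending state, never for anonymous callers, which is what keeps it narrower than PublicPage.

```python
from dataclasses import dataclass
from enum import Enum, auto


class AuthState(Enum):
    """Session states the middleware distinguishes (simplified model)."""
    ANONYMOUS = auto()                 # nobody logged in
    PASSWORD_OK_2FA_PENDING = auto()   # username/password verified, 2FA enabled, challenge not passed
    PASSWORD_OK_NO_2FA = auto()        # logged in, no 2FA provider enabled for this user
    FULLY_AUTHENTICATED = auto()       # password and second factor both verified


@dataclass(frozen=True)
class Route:
    """What the middleware knows about the target of a request (hypothetical type)."""
    controller: str
    public_page: bool = False                 # the PublicPage annotation from the issue
    allow_during_2fa_challenge: bool = False  # hypothetical annotation the reporter proposes


CHALLENGE_CONTROLLER = "TwoFactorChallengeController"
SELECT_CHALLENGE = "core.TwoFactorChallenge.selectChallenge"  # redirect target named in the issue
LOGIN_REDIRECT = "redirect:login"                             # placeholder, not a real route name


def decide(state: AuthState, route: Route) -> str:
    """Return 'allow', 'deny', or 'redirect:<target>' for one request.

    Anonymous callers only ever reach PublicPage methods.  While a 2FA
    challenge is pending, only the challenge controller itself (or a method
    carrying the hypothetical pending-challenge annotation) is reachable;
    PublicPage alone is deliberately NOT enough, matching the post-20.0.13
    behaviour described in the issue.  Once the user is past the challenge
    (or never had one), the challenge controller is no longer reachable.
    """
    is_challenge = route.controller == CHALLENGE_CONTROLLER

    if state is AuthState.ANONYMOUS:
        # The pending-challenge annotation must not widen anonymous access.
        return "allow" if route.public_page else LOGIN_REDIRECT

    if state is AuthState.PASSWORD_OK_2FA_PENDING:
        if is_challenge or route.allow_during_2fa_challenge:
            return "allow"
        return f"redirect:{SELECT_CHALLENGE}"

    # PASSWORD_OK_NO_2FA and FULLY_AUTHENTICATED: normal session, challenge UI closed.
    return "deny" if is_challenge else "allow"


def outcome_table() -> dict[tuple[str, str], str]:
    """Evaluate every state against a few representative routes (constructed sample)."""
    routes = {
        "plain": Route("MyPluginController"),
        "public": Route("MyPluginController", public_page=True),
        "pending-ok": Route("MyPluginController", allow_during_2fa_challenge=True),
        "challenge": Route(CHALLENGE_CONTROLLER),
    }
    return {(state.name, name): decide(state, route)
            for state in AuthState for name, route in routes.items()}


if __name__ == "__main__":
    for (state, route), result in outcome_table().items():
        print(f"{state:24} {route:11} -> {result}")
```

Running the block prints the full state-by-route table; the row to look at is `PASSWORD_OK_2FA_PENDING public`, which is redirected even though the same route is allowed for `ANONYMOUS`. That is the asymmetry the issue is about, and the `pending-ok` column shows how a dedicated annotation could open exactly that one cell without touching the anonymous row.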