Explicitly allow some routes without 2FA

Signed-off-by: Christoph Wurst <[email protected]>
nextcloud · MichaIng · Nov 23, 2021 · Nov 17, 2021 · Nov 18, 2021 · c49d49c4b06e4537d4050f7c3be917e6fcb99731
commit c49d49c4b06e4537d4050f7c3be917e6fcb99731
diff --git a/core/Controller/OCJSController.php b/core/Controller/OCJSController.php
@@ -98,6 +98,7 @@ public function __construct($appName,
 
 	/**
 	 * @NoCSRFRequired
+	 * @NoTwoFactorRequired
 	 * @PublicPage
 	 *
 	 * @return DataDisplayResponse

diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php
@@ -83,6 +83,12 @@ public function __construct(Manager $twoFactorManager, Session $userSession, ISe
 	 * @param string $methodName
 	 */
 	public function beforeController($controller, $methodName) {
+		if ($this->reflector->hasAnnotation('NoTwoFactorRequired')) {
+			// Route handler explicitly marked to work without finished 2FA are
+			// not blocked
+			return;
+		}
+
 		if ($controller instanceof APIController && $methodName === 'poll') {
 			// Allow polling the twofactor nextcloud notifications state
 			return;