Merge pull request #59602 from nextcloud/bugfix/noid/require-password-confirmation-on-delete

fix(apppasswords): Require password also on delete and update

Author: nickvergessen

apps/settings/lib/Controller/AuthSettingsController.php

@@ -173,6 +173,7 @@ private function checkAppToken(): bool {
 	 * @return array|JSONResponse
 	 */
 	#[NoAdminRequired]
+	#[PasswordConfirmationRequired(strict: true)]
 	public function destroy($id) {
 		if ($this->checkAppToken()) {
 			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
@@ -201,6 +202,7 @@ public function destroy($id) {
 	 * @return array|JSONResponse
 	 */
 	#[NoAdminRequired]
+	#[PasswordConfirmationRequired(strict: true)]
 	public function update($id, array $scope, string $name) {
 		if ($this->checkAppToken()) {
 			return new JSONResponse([], Http::STATUS_BAD_REQUEST);

apps/settings/src/store/authtoken.ts

@@ -77,7 +77,7 @@ export const useAuthTokenStore = defineStore('auth-token', {
 		 * @param token Token to update
 		 */
 		async updateToken(token: IToken) {
-			const { data } = await axios.put(`${BASE_URL}/${token.id}`, token)
+			const { data } = await axios.put(`${BASE_URL}/${token.id}`, token, { confirmPassword: PwdConfirmationMode.Strict })
 			return data
 		},
 
@@ -111,7 +111,7 @@ export const useAuthTokenStore = defineStore('auth-token', {
 			this.tokens = this.tokens.filter(({ id }) => id !== token.id)
 
 			try {
-				await axios.delete(`${BASE_URL}/${token.id}`)
+				await axios.delete(`${BASE_URL}/${token.id}`, { confirmPassword: PwdConfirmationMode.Strict })
 				logger.debug('App token deleted')
 				return true
 			} catch (error) {