From 03cff6f2bc56f53900e580d6e29921c83dbf684e Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Mon, 13 Apr 2026 15:09:10 +0200
Subject: [PATCH] fix(apppasswords): Require password also on delete and update

Signed-off-by: Joas Schilling
---
 apps/settings/lib/Controller/AuthSettingsController.php | 2 ++
 apps/settings/src/store/authtoken.ts | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 8652a49fb1d..b5076456e0f 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -155,6 +155,7 @@ class AuthSettingsController extends Controller {
 * @return array|JSONResponse
 */
 #[NoAdminRequired]
+ #[PasswordConfirmationRequired(strict: true)]
 public function destroy($id) {
 if ($this->checkAppToken()) {
 return new JSONResponse([], Http::STATUS_BAD_REQUEST);
@@ -183,6 +184,7 @@ class AuthSettingsController extends Controller {
 * @return array|JSONResponse
 */
 #[NoAdminRequired]
+ #[PasswordConfirmationRequired(strict: true)]
 public function update($id, array $scope, string $name) {
 if ($this->checkAppToken()) {
 return new JSONResponse([], Http::STATUS_BAD_REQUEST);
diff --git a/apps/settings/src/store/authtoken.ts b/apps/settings/src/store/authtoken.ts
index efd3b49e32c..7e9fb267028 100644
--- a/apps/settings/src/store/authtoken.ts
+++ b/apps/settings/src/store/authtoken.ts
@@ -72,7 +72,7 @@ export const useAuthTokenStore = defineStore('auth-token', {
 * @param token Token to update
 */
 async updateToken(token: IToken) {
- const { data } = await axios.put(`${BASE_URL}/${token.id}`, token)
+ const { data } = await axios.put(`${BASE_URL}/${token.id}`, token, { confirmPassword: PwdConfirmationMode.Strict })
 return data
 },
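Review bot: No test accompanies the new `#[PasswordConfirmationRequired(strict: true)]` on `destroy()`, nor on `update()` in the following hunk; the diffstat lists only the controller and the store. Because the attribute is the entire server-side fix, a controller or integration test that calls both endpoints without a password confirmation and expects a rejection would keep it from being dropped silently in a later refactor. The docblocks above both methods could also state the requirement, for example `* Strict password confirmation is required for this endpoint.`. Both method bodies continue outside the hunks.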
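Review bot: `updateToken()` gains a new failure path with `confirmPassword: PwdConfirmationMode.Strict` that the visible lines do not handle: if the user dismisses the password prompt or the confirmation fails, the awaited `axios.put` presumably rejects and the rejection propagates to whoever called the store action. The callers are outside this hunk, so it is worth checking that they catch it and do not leave a renamed or re-scoped token displayed as saved. The diffstat shows no lines added to this file beyond the two changed calls, so the option only takes effect if `PwdConfirmationMode` is already imported and the password-confirmation interceptors are already registered on this `axios` instance. A short comment such as `// strict: the server requires the password with this request` would make that dependency visible.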
@@ -105,7 +105,7 @@ export const useAuthTokenStore = defineStore('auth-token', {
 this.tokens = this.tokens.filter(({ id }) => id !== token.id)
 try {
- await axios.delete(`${BASE_URL}/${token.id}`)
+ await axios.delete(`${BASE_URL}/${token.id}`, { confirmPassword: PwdConfirmationMode.Strict })
 logger.debug('App token deleted')
 return true
 } catch (error) {
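Review bot: In `deleteToken()` the token is filtered out of `this.tokens` before the `try`, so with strict confirmation added to `axios.delete` it disappears from the list while the password prompt is still open and the app password is still valid on the server. A user who walks away at that point can believe a credential was revoked when it was not. Moving `this.tokens = this.tokens.filter(({ id }) => id !== token.id)` to directly after the `await axios.delete(...)` line closes that window. The `catch` body lies outside the hunk, so whether it restores the entry and how it reports a cancelled prompt should be checked there.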