From c9d7bce44708b76bfa4577f9e6f78218a81c34ee Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Mon, 13 Apr 2026 15:09:10 +0200
Subject: [PATCH] fix(apppasswords): Require password also on delete and update

Signed-off-by: Joas Schilling
---
 apps/settings/lib/Controller/AuthSettingsController.php | 2 ++
 apps/settings/src/store/authtoken.ts | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 4cbb277401f..f39deeddd4e 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -173,6 +173,7 @@ class AuthSettingsController extends Controller {
 * @return array|JSONResponse
 */
 #[NoAdminRequired]
+ #[PasswordConfirmationRequired(strict: true)]
 public function destroy($id) {
 if ($this->checkAppToken()) {
 return new JSONResponse([], Http::STATUS_BAD_REQUEST);
@@ -201,6 +202,7 @@ class AuthSettingsController extends Controller {
 * @return array|JSONResponse
 */
 #[NoAdminRequired]
+ #[PasswordConfirmationRequired(strict: true)]
 public function update($id, array $scope, string $name) {
 if ($this->checkAppToken()) {
 return new JSONResponse([], Http::STATUS_BAD_REQUEST);
diff --git a/apps/settings/src/store/authtoken.ts b/apps/settings/src/store/authtoken.ts
index 9ea81e69e52..7546dd76608 100644
--- a/apps/settings/src/store/authtoken.ts
+++ b/apps/settings/src/store/authtoken.ts
@@ -77,7 +77,7 @@ export const useAuthTokenStore = defineStore('auth-token', {
 * @param token Token to update
 */
 async updateToken(token: IToken) {
- const { data } = await axios.put(`${BASE_URL}/${token.id}`, token)
+ const { data } = await axios.put(`${BASE_URL}/${token.id}`, token, { confirmPassword: PwdConfirmationMode.Strict })
 return data
 },
 
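Review bot: The docblocks above `destroy` and `update` (this hunk and the one at -201) still end at `@return array|JSONResponse` and do not say that the action now needs a strict password confirmation, and the commit touches only two files, so no test pins the new attribute. I would add a docblock line such as `* Requires strict password confirmation: the password has to be confirmed in this very request.` to both methods, plus a controller test asserting that both carry `PasswordConfirmationRequired` with `strict: true`, so that a later refactor cannot silently drop the check. Any other token-changing action in this controller that lies outside the two hunks is worth checking for the same attribute. Both docblocks start and both method bodies continue outside their hunks.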
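Review bot: `updateToken` awaits the PUT with no `try`/`catch`, unlike the delete action in the next hunk, so every failure of the new confirmation step reaches the caller as a rejected promise. With `confirmPassword: PwdConfirmationMode.Strict` a wrong password, and presumably a dismissed dialog, become ordinary outcomes rather than rare network errors, so callers have to handle the rejection and keep the edited token in its previous state. I would at least state that in the docblock, e.g. `* @throws if the request fails or the password is not confirmed`. The option only takes effect if the password-confirmation interceptors are registered on this `axios` instance, which is not visible in the hunk.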
@@ -111,7 +111,7 @@ export const useAuthTokenStore = defineStore('auth-token', { this.tokens = this.tokens.filter(({ id }) => id !== token.id) try { - await axios.delete(`${BASE_URL}/${token.id}`) + await axios.delete(`${BASE_URL}/${token.id}`, { confirmPassword: PwdConfirmationMode.Strict }) logger.debug('App token deleted') return true } catch (error) {
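Review bot: The token is removed from `this.tokens` before the `try`, and the DELETE inside it can now fail for a routine reason (password not confirmed), so the list can show a token as revoked while it is still valid on the server. The `catch` body is outside the hunk; if it does not put the token back, run the request first and only then apply `this.tokens = this.tokens.filter(({ id }) => id !== token.id)`. In strict mode the confirmed password presumably travels with this request, so the `error` caught here should not be logged together with its request configuration or headers.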