fix(frontend): add strict password confirmation for sensitive admin actions

Register axios password confirmation interceptors in the apps management, admin delegation, admin security, and OAuth2 settings bundles, and pass PwdConfirmationMode.Strict on requests to endpoints protected with #[PasswordConfirmationRequired(strict: true)], so that the user password is verified via Basic auth on the request itself rather than relying on the session timestamp. Signed-off-by: Peter Ringelmann <peter.ringelmann@nextcloud.com>
2026-05-28 04:32:30 -04:00 · 2026-03-23 17:42:57 +01:00 · 2026-03-23 17:42:57 +01:00 · dfaf200838
commit dfaf200838
parent 62b9c22b54
9 changed files with 90 additions and 69 deletions
--- a/apps/oauth2/src/settings-admin.ts
+++ b/apps/oauth2/src/settings-admin.ts
@ -3,12 +3,16 @@
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

+import axios from '@nextcloud/axios'
 import { loadState } from '@nextcloud/initial-state'
+import { addPasswordConfirmationInterceptors } from '@nextcloud/password-confirmation'
 import { createApp } from 'vue'
 import AdminSettings from './views/AdminSettings.vue'

 import 'vite/modulepreload-polyfill'

+addPasswordConfirmationInterceptors(axios)
+
 const clients = loadState('oauth2', 'clients')

 const app = createApp(AdminSettings, {
--- a/apps/oauth2/src/views/AdminSettings.vue
+++ b/apps/oauth2/src/views/AdminSettings.vue
@ -8,6 +8,7 @@ import axios, { isAxiosError } from '@nextcloud/axios'
 import { getCapabilities } from '@nextcloud/capabilities'
 import { loadState } from '@nextcloud/initial-state'
 import { t } from '@nextcloud/l10n'
+import { PwdConfirmationMode } from '@nextcloud/password-confirmation'
 import { generateUrl } from '@nextcloud/router'
 import { ref } from 'vue'
 import NcButton from '@nextcloud/vue/components/NcButton'
@ -56,7 +57,7 @@ async function addClient() {
 		const { data } = await axios.post(generateUrl('apps/oauth2/clients'), {
 			name: newClient.value.name,
 			redirectUri: newClient.value.redirectUri,
-		})
+		}, { confirmPassword: PwdConfirmationMode.Strict })
 		clients.value.push(data)
 		showSecretWarning.value = true

--- a/apps/settings/src/components/AdminDelegation/GroupSelect.vue
+++ b/apps/settings/src/components/AdminDelegation/GroupSelect.vue
@ -17,6 +17,7 @@
 <script>
 import axios from '@nextcloud/axios'
 import { showError } from '@nextcloud/dialogs'
+import { PwdConfirmationMode } from '@nextcloud/password-confirmation'
 import { generateUrl } from '@nextcloud/router'
 import NcSelect from '@nextcloud/vue/components/NcSelect'
 import logger from '../../logger.ts'
@ -66,7 +67,7 @@ export default {
 				class: this.setting.class,
 			}
 			try {
-				await axios.post(generateUrl('/apps/settings/') + '/settings/authorizedgroups/saveSettings', data)
+				await axios.post(generateUrl('/apps/settings/') + '/settings/authorizedgroups/saveSettings', data, { confirmPassword: PwdConfirmationMode.Strict })
 			} catch (e) {
 				showError(t('settings', 'Unable to modify setting'))
 				logger.error('Unable to modify setting', e)
--- a/apps/settings/src/components/AdminTwoFactor.vue
+++ b/apps/settings/src/components/AdminTwoFactor.vue
@ -77,6 +77,7 @@
 <script>
 import axios from '@nextcloud/axios'
 import { loadState } from '@nextcloud/initial-state'
+import { PwdConfirmationMode } from '@nextcloud/password-confirmation'
 import { generateOcsUrl, generateUrl } from '@nextcloud/router'
 import debounce from 'lodash/debounce.js'
 import sortedUniq from 'lodash/sortedUniq.js'
@ -170,7 +171,7 @@ export default {
 				enforcedGroups: this.enforcedGroups,
 				excludedGroups: this.excludedGroups,
 			}
-			axios.put(generateUrl('/settings/api/admin/twofactorauth'), data)
+			axios.put(generateUrl('/settings/api/admin/twofactorauth'), data, { confirmPassword: PwdConfirmationMode.Strict })
 				.then((resp) => resp.data)
 				.then((state) => {
 					this.state = state
--- a/apps/settings/src/main-admin-delegation.js
+++ b/apps/settings/src/main-admin-delegation.js
@ -3,9 +3,13 @@
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

+import axios from '@nextcloud/axios'
+import { addPasswordConfirmationInterceptors } from '@nextcloud/password-confirmation'
 import Vue from 'vue'
 import App from './components/AdminDelegating.vue'

+addPasswordConfirmationInterceptors(axios)
+
 // bind to window
 Vue.prototype.OC = OC
 Vue.prototype.t = t
--- a/apps/settings/src/main-admin-security.js
+++ b/apps/settings/src/main-admin-security.js
@ -1,14 +1,18 @@
+import { getCSPNonce } from '@nextcloud/auth'
 /**
 * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
-import { getCSPNonce } from '@nextcloud/auth'
+import axios from '@nextcloud/axios'
 import { loadState } from '@nextcloud/initial-state'
+import { addPasswordConfirmationInterceptors } from '@nextcloud/password-confirmation'
 import Vue from 'vue'
 import AdminTwoFactor from './components/AdminTwoFactor.vue'
 import EncryptionSettings from './components/Encryption/EncryptionSettings.vue'
 import store from './store/admin-security.js'

+addPasswordConfirmationInterceptors(axios)
+
 __webpack_nonce__ = getCSPNonce()

 Vue.prototype.t = t
--- a/apps/settings/src/main-apps-users-management.ts
+++ b/apps/settings/src/main-apps-users-management.ts
@ -4,7 +4,9 @@
 */

 import { getCSPNonce } from '@nextcloud/auth'
+import axios from '@nextcloud/axios'
 import { n, t } from '@nextcloud/l10n'
+import { addPasswordConfirmationInterceptors } from '@nextcloud/password-confirmation'
 import { createPinia, PiniaVuePlugin } from 'pinia'
 import VTooltipPlugin from 'v-tooltip'
 import Vue from 'vue'
@ -14,6 +16,8 @@ import SettingsApp from './views/SettingsApp.vue'
 import router from './router/index.ts'
 import { useStore } from './store/index.js'

+addPasswordConfirmationInterceptors(axios)
+
 // CSP config for webpack dynamic chunk loading

 __webpack_nonce__ = getCSPNonce()
--- a/apps/settings/src/store/api.js
+++ b/apps/settings/src/store/api.js
@ -52,8 +52,8 @@ export default {
 	get(url, options) {
 		return axios.get(sanitize(url), options)
 	},
-	post(url, data) {
-		return axios.post(sanitize(url), data)
+	post(url, data, options) {
+		return axios.post(sanitize(url), data, options)
 	},
 	patch(url, data) {
 		return axios.patch(sanitize(url), data)
--- a/apps/settings/src/store/apps.js
+++ b/apps/settings/src/store/apps.js
@ -6,6 +6,7 @@
 import axios from '@nextcloud/axios'
 import { showError, showInfo } from '@nextcloud/dialogs'
 import { loadState } from '@nextcloud/initial-state'
+import { PwdConfirmationMode } from '@nextcloud/password-confirmation'
 import { generateUrl } from '@nextcloud/router'
 import Vue from 'vue'
 import logger from '../logger.ts'
@ -180,81 +181,82 @@ const actions = {
 		} else {
 			apps = [appId]
 		}
-		return api.requireAdmin().then(() => {
-			context.commit('startLoading', apps)
-			context.commit('startLoading', 'install')
+		context.commit('startLoading', apps)
+		context.commit('startLoading', 'install')

-			const previousState = {}
-			apps.forEach((_appId) => {
-				const app = context.state.apps.find((app) => app.id === _appId)
-				if (app) {
-					previousState[_appId] = {
-						active: app.active,
-						groups: [...(app.groups || [])],
-					}
-					context.commit('enableApp', { appId: _appId, groups })
+		const previousState = {}
+		apps.forEach((_appId) => {
+			const app = context.state.apps.find((app) => app.id === _appId)
+			if (app) {
+				previousState[_appId] = {
+					active: app.active,
+					groups: [...(app.groups || [])],
 				}
-			})
+				context.commit('enableApp', { appId: _appId, groups })
+			}
+		})

-			return api.post(generateUrl('settings/apps/enable'), { appIds: apps, groups })
-				.then((response) => {
-					context.commit('stopLoading', apps)
-					context.commit('stopLoading', 'install')
+		return api.post(generateUrl('settings/apps/enable'), { appIds: apps, groups }, { confirmPassword: PwdConfirmationMode.Strict })
+			.then((response) => {
+				context.commit('stopLoading', apps)
+				context.commit('stopLoading', 'install')

-					// check for server health
-					return axios.get(generateUrl('apps/files/'))
-						.then(() => {
-							if (response.data.update_required) {
-								showInfo(
-									t(
-										'settings',
-										'The app has been enabled but needs to be updated. You will be redirected to the update page in 5 seconds.',
-									),
-									{
-										onClick: () => window.location.reload(),
-										close: false,
+				// check for server health
+				return axios.get(generateUrl('apps/files/'))
+					.then(() => {
+						if (response.data.update_required) {
+							showInfo(
+								t(
+									'settings',
+									'The app has been enabled but needs to be updated. You will be redirected to the update page in 5 seconds.',
+								),
+								{
+									onClick: () => window.location.reload(),
+									close: false,

-									},
-								)
-								setTimeout(function() {
-									location.reload()
-								}, 5000)
-							}
-						})
-						.catch(() => {
-							if (!Array.isArray(appId)) {
-								showError(t('settings', 'Error: This app cannot be enabled because it makes the server unstable'))
-								context.commit('setError', {
-									appId: apps,
-									error: t('settings', 'Error: This app cannot be enabled because it makes the server unstable'),
-								})
-								context.dispatch('disableApp', { appId })
-							}
-						})
-				})
-				.catch((error) => {
-					context.commit('stopLoading', apps)
-					context.commit('stopLoading', 'install')
-
-					apps.forEach((_appId) => {
-						if (previousState[_appId]) {
-							context.commit('enableApp', {
-								appId: _appId,
-								groups: previousState[_appId].groups,
-							})
-							if (!previousState[_appId].active) {
-								context.commit('disableApp', _appId)
-							}
+								},
+							)
+							setTimeout(function() {
+								location.reload()
+							}, 5000)
 						}
 					})
+					.catch(() => {
+						if (!Array.isArray(appId)) {
+							showError(t('settings', 'Error: This app cannot be enabled because it makes the server unstable'))
+							context.commit('setError', {
+								appId: apps,
+								error: t('settings', 'Error: This app cannot be enabled because it makes the server unstable'),
+							})
+							context.dispatch('disableApp', { appId })
+						}
+					})
+			})
+			.catch((error) => {
+				context.commit('stopLoading', apps)
+				context.commit('stopLoading', 'install')

+				apps.forEach((_appId) => {
+					if (previousState[_appId]) {
+						context.commit('enableApp', {
+							appId: _appId,
+							groups: previousState[_appId].groups,
+						})
+						if (!previousState[_appId].active) {
+							context.commit('disableApp', _appId)
+						}
+					}
+				})
+
+				const message = error.response?.data?.data?.message
+				if (message) {
 					context.commit('setError', {
 						appId: apps,
-						error: error.response.data.data.message,
+						error: message,
 					})
 					context.commit('APPS_API_FAILURE', { appId, error })
-				})
-		}).catch((error) => context.commit('API_FAILURE', { appId, error }))
+				}
+			})
 	},
 	forceEnableApp(context, { appId }) {
 		let apps