Merge pull request #6473 from nextcloud/2fa_apppasword_auth

Fix AppPassword 2FA auth

lib/private/Authentication/TwoFactorAuth/Manager.php

@@ -269,6 +269,11 @@ class Manager {
 			return false;
 		}
 
+		// If we are authenticated using an app password skip all this
+		if ($this->session->exists('app_password')) {
+			return false;
+		}
+
 		// First check if the session tells us we should do 2FA (99% case)
 		if (!$this->session->exists(self::SESSION_UID_KEY)) {
 
@@ -296,7 +301,6 @@ class Manager {
 			}
 		}
 
-
 		if (!$this->isTwoFactorAuthenticated($user)) {
 			// There is no second factor any more -> let the user pass
 			//   This prevents infinite redirect loops when a user is about

tests/lib/Authentication/TwoFactorAuth/ManagerTest.php

@@ -387,10 +387,14 @@ class ManagerTest extends TestCase {
 	public function testNeedsSecondFactor() {
 		$user = $this->createMock(IUser::class);
 		$this->session->expects($this->at(0))
+			->method('exists')
+			->with('app_password')
+			->willReturn(false);
+		$this->session->expects($this->at(1))
 			->method('exists')
 			->with('two_factor_auth_uid')
 			->will($this->returnValue(false));
-		$this->session->expects($this->at(1))
+		$this->session->expects($this->at(2))
 			->method('exists')
 			->with(Manager::SESSION_UID_DONE)
 			->willReturn(false);
@@ -523,6 +527,8 @@ class ManagerTest extends TestCase {
 			->will($this->returnCallback(function($var) {
 				if ($var === Manager::SESSION_UID_KEY) {
 					return false;
+				} else if ($var === 'app_password') {
+					return false;
 				}
 				return true;
 			}));
@@ -585,4 +591,13 @@ class ManagerTest extends TestCase {
 
 		$this->assertFalse($this->manager->needsSecondFactor($user));
 	}
+
+	public function testNeedsSecondFactorAppPassword() {
+		$user = $this->createMock(IUser::class);
+		$this->session->method('exists')
+			->with('app_password')
+			->willReturn(true);
+
+		$this->assertFalse($this->manager->needsSecondFactor($user));
+	}
 }