[stable30] Fix CSRF token not being refreshed while a two-factor challenge is ongoing

core/Controller/CSRFTokenController.php

@@ -33,6 +33,8 @@ public function __construct(
 	 *
 	 * 200: CSRF token returned
 	 * 403: Strict cookie check failed
+	 *
+	 * @NoTwoFactorRequired
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]

core/Controller/TwoFactorChallengeController.php

@@ -25,6 +25,7 @@
 use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\IUserSession;
+use OCP\Util;
 use Psr\Log\LoggerInterface;
 
 #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
@@ -89,6 +90,7 @@ public function selectChallenge($redirect_url) {
 			'logout_url' => $this->getLogoutUrl(),
 			'hasSetupProviders' => !empty($setupProviders),
 		];
+		Util::addScript('core', 'twofactor-request-token');
 		return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
 	}
 
@@ -141,6 +143,7 @@ public function showChallenge($challengeProviderId, $redirect_url) {
 		if ($provider instanceof IProvidesCustomCSP) {
 			$response->setContentSecurityPolicy($provider->getCSP());
 		}
+		Util::addScript('core', 'twofactor-request-token');
 		return $response;
 	}
 
@@ -204,6 +207,7 @@ public function setupProviders(?string $redirect_url = null): StandaloneTemplate
 			'redirect_url' => $redirect_url,
 		];
 
+		Util::addScript('core', 'twofactor-request-token');
 		return new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
 	}
 
@@ -235,6 +239,7 @@ public function setupProvider(string $providerId, ?string $redirect_url = null)
 			'template' => $tmpl->fetchPage(),
 		];
 		$response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
+		Util::addScript('core', 'twofactor-request-token');
 		return $response;
 	}
 

core/src/twofactor-request-token.ts

@@ -0,0 +1,25 @@
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { onRequestTokenUpdate } from '@nextcloud/auth'
+import { getBaseUrl } from '@nextcloud/router'
+
+document.addEventListener('DOMContentLoaded', () => {
+	onRequestTokenUpdate((token) => {
+		const cancelLink = window.document.getElementById('cancel-login')
+		if (!cancelLink) {
+			return
+		}
+
+		const href = cancelLink.getAttribute('href')
+		if (!href) {
+			return
+		}
+
+		const parsedHref = new URL(href, getBaseUrl())
+		parsedHref.searchParams.set('requesttoken', token)
+		cancelLink.setAttribute('href', parsedHref.pathname + parsedHref.search)
+	})
+})

core/templates/twofactorselectchallenge.php

@@ -76,7 +76,7 @@
 		</a>
 	</p>
 	<?php endif; ?>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 		<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>

core/templates/twofactorsetupchallenge.php

@@ -14,7 +14,7 @@
 <div class="body-login-container update">
 	<h2 class="two-factor-header"><?php p($provider->getDisplayName()); ?></h2>
 	<?php print_unescaped($template); ?>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 			<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>

core/templates/twofactorsetupselection.php

@@ -35,7 +35,7 @@
 		</li>
 	<?php endforeach; ?>
 	</ul>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 		<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>

core/templates/twofactorshowchallenge.php

@@ -38,7 +38,7 @@
 		</a>
 	</p>
 	<?php endif; ?>
-	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+	<p><a id="cancel-login" class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
 		<?php p($l->t('Cancel login')) ?>
 	</a></p>
 </div>

dist/core-twofactor-request-token.js.license

@@ -0,0 +1,36 @@
+SPDX-License-Identifier: MIT
+SPDX-License-Identifier: ISC
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-License-Identifier: AGPL-3.0-or-later
+SPDX-FileCopyrightText: Tobias Koppers @sokra
+SPDX-FileCopyrightText: Roman Shtylman <shtylman@gmail.com>
+SPDX-FileCopyrightText: Nextcloud GmbH and Nextcloud contributors
+SPDX-FileCopyrightText: GitHub Inc.
+SPDX-FileCopyrightText: Christoph Wurst
+
+
+This file is generated from multiple sources. Included packages:
+- @nextcloud/auth
+	- version: 2.5.1
+	- license: GPL-3.0-or-later
+- @nextcloud/browser-storage
+	- version: 0.4.0
+	- license: GPL-3.0-or-later
+- semver
+	- version: 7.6.3
+	- license: ISC
+- @nextcloud/event-bus
+	- version: 3.3.2
+	- license: GPL-3.0-or-later
+- @nextcloud/router
+	- version: 3.0.1
+	- license: GPL-3.0-or-later
+- process
+	- version: 0.11.10
+	- license: MIT
+- webpack
+	- version: 5.99.9
+	- license: MIT
+- nextcloud
+	- version: 1.0.0
+	- license: AGPL-3.0-or-later

dist/core-twofactor-request-token.js.map.license

@@ -0,0 +1 @@
+core-twofactor-request-token.js.license

webpack.modules.js

@@ -26,6 +26,7 @@ module.exports = {
 		'unsupported-browser': path.join(__dirname, 'core/src', 'unsupported-browser.js'),
 		'unsupported-browser-redirect': path.join(__dirname, 'core/src', 'unsupported-browser-redirect.js'),
 		public: path.join(__dirname, 'core/src', 'public.ts'),
+		'twofactor-request-token': path.join(__dirname, 'core/src', 'twofactor-request-token.ts'),
 	},
 	dashboard: {
 		main: path.join(__dirname, 'apps/dashboard/src', 'main.js'),