AppAPI: allowed to bypass Two-Factor

Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

core/Middleware/TwoFactorMiddleware.php

@@ -100,7 +100,10 @@ public function beforeController($controller, $methodName) {
 		if ($this->userSession->isLoggedIn()) {
 			$user = $this->userSession->getUser();
 
-			if ($this->session->exists('app_password') || $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
+			if ($this->session->exists('app_password')  // authenticated using an app password
+				|| $this->session->exists('app_api')  // authenticated using an AppAPI Auth
+				|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
+
 				$this->checkTwoFactor($controller, $methodName, $user);
 			} elseif ($controller instanceof TwoFactorChallengeController) {
 				// Allow access to the two-factor controllers only if two-factor authentication

lib/private/Authentication/TwoFactorAuth/Manager.php

@@ -318,8 +318,8 @@ public function needsSecondFactor(IUser $user = null): bool {
 			return false;
 		}
 
-		// If we are authenticated using an app password skip all this
-		if ($this->session->exists('app_password')) {
+		// If we are authenticated using an app password or AppAPI Auth, skip all this
+		if ($this->session->exists('app_password') || $this->session->get('app_api') === true) {
 			return false;
 		}
 

tests/lib/Authentication/TwoFactorAuth/ManagerTest.php

@@ -636,6 +636,10 @@ public function testNeedsSecondFactorSessionAuth() {
 			->method('get')
 			->with(Manager::SESSION_UID_DONE)
 			->willReturn('user');
+		$this->session->expects($this->once())
+			->method('get')
+			->with('app_api')
+			->willReturn(false);
 
 		$this->assertFalse($this->manager->needsSecondFactor($user));
 	}