nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Custom Css header redirected on totp-challenge #34390

Closed newhinton closed 2 years ago

newhinton commented 2 years ago


Bug description

It is impossible to load CSS on the core.TwoFactorChallenge.showChallenge route. It tries to redirect the added header.

The URL to be called, generated by Util::addHeader(): [http://localhost]/index.php/apps/unsplash/api/login

The URL shown by my network calls when adding said call on the TOTP challenge: http://localhost/index.php/login/selectchallenge?redirect_url=/index.php/apps/unsplash/api/login

The controller marked the route added by routes.php as Public, so it should load (as it does on the normal login screen).

Steps to reproduce

See above

Expected behavior

The added header should not be redirected and loaded appropriately.

Installation method

Community Manual installation with Archive

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

SQLite

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

No response

List of activated Apps

Enabled:
  - activity: 2.17.0
  - calendar: 4.0.0-alpha.1
  - circles: 25.0.0-alpha.0
  - cloud_federation_api: 1.8.0
  - collectives: 2.0.0-beta3
  - comments: 1.15.0
  - contacts: 5.0.0-rc.1
  - contactsinteraction: 1.6.0
  - cookbook: 0.9.15
  - dashboard: 7.5.0
  - dav: 1.24.0
  - deck: 1.8.0-beta.2
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.0
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notes: 4.5.1
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 1.7.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.0
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.0
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - unsplash: 2.0.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0

Nextcloud Signing status

Enabled:
  - activity: 2.17.0
  - calendar: 4.0.0-alpha.1
  - circles: 25.0.0-alpha.0
  - cloud_federation_api: 1.8.0
  - collectives: 2.0.0-beta3
  - comments: 1.15.0
  - contacts: 5.0.0-rc.1
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - deck: 1.8.0-beta.2
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.0
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notes: 4.5.1
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 1.7.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.0
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.0
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - unsplash: 2.0.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0

Nextcloud Logs

No response

Additional info

No response

newhinton commented 2 years ago

See unsplash#97

newhinton commented 2 years ago

It seems this is not a bug. I was not aware of the @NoTwoFactorRequired flag, only of the @PublicPage flag. The former seems to allow loading of dynamically generated CSS files by a Controller.
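
The resolution from the last comment, as an added example that is not code from the unsplash app or from Nextcloud: a controller method serving CSS that stays reachable both on the login screen and while a two-factor challenge is pending. The class name `CssController`, the method name `login` and the CSS body are assumptions; the annotations and `OCP` classes are Nextcloud's own.

```php
<?php
declare(strict_types=1);

// Added example: namespace, class and method names are hypothetical.
namespace OCA\Unsplash\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataDisplayResponse;
use OCP\IRequest;

class CssController extends Controller {
	public function __construct(string $appName, IRequest $request) {
		parent::__construct($appName, $request);
	}

	/**
	 * Serves the stylesheet injected into the login pages.
	 *
	 * PublicPage: no logged-in user is required (normal login screen).
	 * NoCSRFRequired: the file is fetched by a <link> tag without a token.
	 * NoTwoFactorRequired: the request is not redirected to
	 * /login/selectchallenge while the second factor is still pending.
	 *
	 * The annotation lines below are kept bare, with no trailing text.
	 *
	 * @PublicPage
	 * @NoCSRFRequired
	 * @NoTwoFactorRequired
	 */
	public function login(): DataDisplayResponse {
		// This endpoint answers before the second factor is verified,
		// so the body stays static and free of user or session data.
		$css = "body#body-login { background-size: cover; }\n";

		return new DataDisplayResponse(
			$css,
			Http::STATUS_OK,
			['Content-Type' => 'text/css; charset=utf-8']
		);
	}
}
```

Without `@NoTwoFactorRequired`, the same request made from a session that has passed the password step but not the TOTP step is answered with the redirect to `/index.php/login/selectchallenge?redirect_url=...` shown in the bug description.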