Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

These annotations will allow for extra checks. And thus make it harder
to break things.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Once 2FA is enforced for a user and they have no 2FA setup yet this will
now prompt them with a setup screen. Given that providers are enabled
that allow setup then.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

If you login with an apptoken there is no need to check 2FA state as
this does not apply to apptokens. Not checking saves us a query on each
request made from a client.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Signed-off-by: Morris Jobke <hey@morrisjobke.de>

This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Signed-off-by: Joas Schilling <coding@schilljs.com>

This fixes infinite loops that are caused whenever a user is about to solve a 2FA
challenge, but the provider app is disabled at the same time. Since the session
value usually indicates that the challenge needs to be solved before we grant access
we have to remove that value instead in this special case.