Skip to content

Improve usability of QR code login#57453

Merged
nickvergessen merged 12 commits intomasterfrom
feat/noid/qr-code-in-account-menu
Jan 12, 2026
Merged

Improve usability of QR code login#57453
nickvergessen merged 12 commits intomasterfrom
feat/noid/qr-code-in-account-menu

Conversation

@nickvergessen
Copy link
Member

@nickvergessen nickvergessen commented Jan 9, 2026
edited by Antreesy
Loading

Option added directly into the account menu

Bildschirmfoto vom 2026-01-09 16-27-25

QR code can be configured to be one-time

Only supported with future mobile clients of Android and iOS. Since old ones break, it's disabled by default for now, but will be enabled by default in a future version.
Also the current settings page does not use this, as it's already showing the app password and we can not change the type afterwards.
Expiration time can be configured with an app config.

One time QR Code that expires Permanent QR code like before this PR
image image

Admin setting to disable app password generation

Default Disabled
Bildschirmfoto vom 2026-01-09 16-30-51 Bildschirmfoto vom 2026-01-09 16-30-39

Checklist

@nickvergessen nickvergessen added this to the Nextcloud 33 milestone Jan 9, 2026
@nickvergessen nickvergessen self-assigned this Jan 9, 2026
@nickvergessen nickvergessen requested a review from a team as a code owner January 9, 2026 15:37
@nickvergessen nickvergessen added the 3. to review Waiting for reviews label Jan 9, 2026
@nickvergessen nickvergessen requested a review from a team as a code owner January 9, 2026 15:37
@nickvergessen nickvergessen requested review from ArtificialOwl, leftybournes, nfebe, sorbaugh, susnux and szaimen and removed request for a team January 9, 2026 15:37
Antreesy
Antreesy approved these changes Jan 9, 2026
View reviewed changes
@nickvergessen nickvergessen mentioned this pull request Jan 9, 2026
Merged
SystemKeeper
SystemKeeper reviewed Jan 9, 2026
View reviewed changes
SystemKeeper and others added 8 commits January 9, 2026 19:07
@SystemKeeper @Antreesy
feat(qrcode-login): Add QR code login option directly in the user menu
3b9ec2d 
Signed-off-by: Marcel Müller <marcel-mueller@gmx.de>
Signed-off-by: Maksim Sukharev <antreesy.web@gmail.com>
@nickvergessen @Antreesy
feat: Allow to create one-time app passwords that only allow loading …
6b121c3 
…an app-password

Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen @Antreesy
fix(sessions): Hide one-time app passwords
e7d0ed2 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen @Antreesy
fix: add app config to control onetime case
bacb432 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen @Antreesy
fix(onetime): Allow longer duration via app config
6c20e3e 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen @Antreesy
feat(app-passwords): Add config to disallow creating app-passwords
a82827d 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen @Antreesy
fix(app-password): Require strict password confirmation
3713f40 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen @Antreesy
fix(psalm): Satisfy psalm
927bea2 
Signed-off-by: Joas Schilling <coding@schilljs.com>
nickvergessen and others added 2 commits January 9, 2026 19:07
@nickvergessen @Antreesy
fix: Recompile openapi
2510020 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@Antreesy
chore: Recompile assets
80f6856 
Signed-off-by: Maksim Sukharev <antreesy.web@gmail.com>
@Antreesy Antreesy force-pushed the feat/noid/qr-code-in-account-menu branch from 4e77da6 to 80f6856 Compare January 9, 2026 18:09
@nickvergessen
fix: Adjust and add new tests
f4acd8a 
Signed-off-by: Joas Schilling <coding@schilljs.com>
CarlSchwan
CarlSchwan approved these changes Jan 12, 2026
View reviewed changes
apps/settings/lib/Controller/AuthSettingsController.php Outdated

if ($qrcodeLogin) {
if ($this->appConfig->getAppValueBool(ConfigLexicon::LOGIN_QRCODE_ONETIME)) {
$name = 'One time login';
Copy link
Member

@CarlSchwan CarlSchwan Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does that need translation?

Copy link
Member Author

@nickvergessen nickvergessen Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both should be very temporary as valid devices scanning the code will set a proper name.
But I added it for now

CarlSchwan
CarlSchwan reviewed Jan 12, 2026
View reviewed changes
@nickvergessen
fix: Add translation for temporary app password names
8b4491a 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen nickvergessen merged commit 6bdda55 into master Jan 12, 2026
217 of 255 checks passed
@nickvergessen nickvergessen deleted the feat/noid/qr-code-in-account-menu branch January 12, 2026 13:01
@nickvergessen nickvergessen mentioned this pull request Jan 12, 2026
Open
34 tasks
@mahibi
Copy link

mahibi commented Jan 16, 2026

@nickvergessen Testing with android talk implementation on Sermo i get 403 after removing account and try to login another time:

nextcloud/talk-android#5700 (comment)

  1. Login with onetime QR (works)
  2. remove account in app
  3. Login with new onetime QR for same account

Bug:
"Something went wrong" snackbar is shown. Log is:

2026-01-16 10:02:28.650 11291-11470 okhttp.OkHttpClient     com.nextcloud.talk2                  I  {"ocs":{"meta":{"status":"failure","statuscode":403,"message":"could not get one-time app password"},"data":[]}}
2026-01-16 10:02:28.650 11291-11470 okhttp.OkHttpClient     com.nextcloud.talk2                  I  <-- END HTTP (112-byte body)
2026-01-16 10:02:28.650 11291-11470 NetworkLoginDataSource  com.nextcloud.talk2                  E  Error caught at oneTimePasswordRequest: java.io.IOException: Unexpected code Response{protocol=h2, code=403, message=, url=https://.....yourserverurl......com/ocs/v2.php/core/getapppassword-onetime}

@nickvergessen
Copy link
Member Author

nickvergessen commented Jan 16, 2026

For the record, I responded in chat.
Most likely a problem in the mobile app, it sees to send cookie or other authentication data so the session used is not a one-time session and therefore the endpoint can not be called.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SystemKeeper SystemKeeper SystemKeeper left review comments

@CarlSchwan CarlSchwan CarlSchwan approved these changes

@Antreesy Antreesy Antreesy approved these changes

@susnux susnux Awaiting requested review from susnux susnux is a code owner automatically assigned from nextcloud/server-frontend

@nfebe nfebe Awaiting requested review from nfebe nfebe is a code owner automatically assigned from nextcloud/server-frontend

@szaimen szaimen Awaiting requested review from szaimen szaimen is a code owner automatically assigned from nextcloud/server-frontend

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

@leftybournes leftybournes Awaiting requested review from leftybournes leftybournes is a code owner automatically assigned from nextcloud/server-backend

@sorbaugh sorbaugh Awaiting requested review from sorbaugh sorbaugh is a code owner automatically assigned from nextcloud/server-backend

@provokateurin provokateurin Awaiting requested review from provokateurin provokateurin is a code owner

Assignees

@nickvergessen nickvergessen

Labels

3. to review Waiting for reviews enhancement feature: authentication ❄️ 2026-Winter

Projects

None yet

Milestone

Nextcloud 33

Development

Successfully merging this pull request may close these issues.

5 participants

@nickvergessen @mahibi @SystemKeeper @CarlSchwan @Antreesy