[Bug]: regression(stable32): App tokens cannot be deleted or renamed — incomplete backport of #59607 (PwdConfirmationMode is not defined)

[ernolf]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

After creating an app token in Settings → Security → Devices & sessions, the token cannot be renamed or deleted. Clicking either action shows the error toast "Could not delete the app token" (or "Could not update the app token") immediately, without any network request being made.

Token creation continues to work normally.

Reported on the help forum: https://help.nextcloud.com/t/deleting-access-token-not-working/244370

Steps to reproduce

1. Log in as any user
2. Go to Settings → Security → Devices & sessions
3. Generate a new app token
4. Try to rename or delete the newly created token

Expected behavior

A password confirmation dialog appears, and after confirmation the token is renamed or deleted.

Nextcloud Server version

32

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 32.0.1 to 32.0.2)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

Root cause

PR #59607 backported the "require password on delete and update" feature from master to stable32.
The backport copied the usage of PwdConfirmationMode and addPasswordConfirmationInterceptors but omitted the two prerequisites that exist on master.

1. Missing import in apps/settings/src/store/authtoken.ts

Current state on stable32:

import { confirmPassword } from '@nextcloud/password-confirmation'

Required (as on master):

import { addPasswordConfirmationInterceptors, confirmPassword, PwdConfirmationMode } from '@nextcloud/password-confirmation'

Since PwdConfirmationMode is never imported, any call to deleteToken() or updateToken() throws ReferenceError: PwdConfirmationMode is not defined before any axios request is made.

2. Missing interceptor registration

On master, after the imports:

addPasswordConfirmationInterceptors(axios)

This interceptor is responsible for intercepting axios requests that carry a confirmPassword config key and showing the password-confirmation dialog.
On stable32 it is neither imported nor registered, so the dialog would never appear even if the ReferenceError were fixed.

The compiled bundle shipped with 32.0.9 (dist/settings-vue-settings-personal-security.js) confirms the runtime state: it contains two references to PwdConfirmationMode.Strict but no definition, import, or call to addPasswordConfirmationInterceptors.

The PHP side of the backport (AuthSettingsController.php) is correct and requires no changes.

Version information

• Nextcloud version: 32.0.9
• Introduced by: [stable32] fix(apppasswords): Require password also on delete and update #59607 (backport of fix(apppasswords): Require password also on delete and update #59602)

[szaimen]

cc @nextcloud/server-frontend