fix: only redirect to the login flow when the request comes from a 'navigation' context

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/AppInfo/Application.php

@@ -22,6 +22,7 @@
 use OCA\UserOIDC\Listener\TimezoneHandlingListener;
 use OCA\UserOIDC\Listener\TokenInvalidatedListener;
 use OCA\UserOIDC\Service\ID4MeService;
+use OCA\UserOIDC\Service\RequestClassificationService;
 use OCA\UserOIDC\Service\SettingsService;
 use OCA\UserOIDC\Service\TokenService;
 use OCA\UserOIDC\User\Backend;
@@ -114,7 +115,10 @@ private function registerRedirect(IRequest $request, IURLGenerator $urlGenerator
 		} catch (Exception $e) {
 			// in case any errors happen when checking for the path do not apply redirect logic as it is only needed for the login
 		}
-		if ($isDefaultLogin && !$settings->getAllowMultipleUserBackEnds()) {
+		if ($isDefaultLogin
+			&& RequestClassificationService::isTopLevelHtmlNavigation($request)
+			&& !$settings->getAllowMultipleUserBackEnds()
+		) {
 			$providers = $this->getCachedProviders($providerMapper);
 			if (count($providers) === 1) {
 				$targetUrl = $urlGenerator->linkToRoute(self::APP_ID . '.login.login', [

lib/Service/RequestClassificationService.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\UserOIDC\Service;
+
+use OCP\IRequest;
+
+class RequestClassificationService {
+	public static function isTopLevelHtmlNavigation(IRequest $request): bool {
+		if (strtoupper($request->getMethod()) !== 'GET') {
+			return false;
+		}
+
+		$accept = strtolower($request->getHeader('Accept'));
+		if ($accept !== '' && strpos($accept, 'text/html') === false) {
+			return false;
+		}
+
+		if ($request->getHeader('X-Requested-With') === 'XMLHttpRequest') {
+			return false;
+		}
+
+		$secFetchMode = strtolower($request->getHeader('Sec-Fetch-Mode'));
+		if ($secFetchMode !== '' && $secFetchMode !== 'navigate') {
+			return false;
+		}
+
+		$secFetchDest = strtolower($request->getHeader('Sec-Fetch-Dest'));
+		if ($secFetchDest !== '' && $secFetchDest !== 'document') {
+			return false;
+		}
+
+		return true;
+	}
+}

lib/Service/TokenService.php

@@ -185,6 +185,15 @@ public function checkLoginToken(): void {
 	}
 
 	public function reauthenticate(int $providerId) {
+		if (!RequestClassificationService::isTopLevelHtmlNavigation($this->request)) {
+			$this->userSession->logout();
+			$this->logger->debug('[TokenService] reauthenticate skipped: request is not a top-level HTML navigation', [
+				'provider_id' => $providerId,
+				'request_uri' => $this->request->getRequestUri(),
+			]);
+			return;
+		}
+
 		// Logout the user and redirect to the oidc login flow to gather a fresh token
 		$this->userSession->logout();
 		$redirectUrl = $this->urlGenerator->linkToRouteAbsolute(Application::APP_ID . '.login.login', [

tests/unit/Service/RequestClassificationServiceTest.php

@@ -0,0 +1,87 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+declare(strict_types=1);
+
+use OCA\UserOIDC\Service\RequestClassificationService;
+use OCP\IRequest;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\TestCase;
+
+class RequestClassificationServiceTest extends TestCase {
+	#[DataProvider('topLevelHtmlNavigationProvider')]
+	public function testIsTopLevelHtmlNavigation(string $method, array $headers, bool $expected): void {
+		$request = $this->createMock(IRequest::class);
+		$request->method('getMethod')
+			->willReturn($method);
+		$request->method('getHeader')
+			->willReturnCallback(static function (string $name) use ($headers): string {
+				return $headers[$name] ?? '';
+			});
+
+		self::assertSame($expected, RequestClassificationService::isTopLevelHtmlNavigation($request));
+	}
+
+	public static function topLevelHtmlNavigationProvider(): array {
+		return [
+			'top level navigation with html accept' => [
+				'GET',
+				[
+					'Accept' => 'text/html,application/xhtml+xml',
+					'Sec-Fetch-Mode' => 'navigate',
+					'Sec-Fetch-Dest' => 'document',
+				],
+				true,
+			],
+			'html accept without fetch metadata' => [
+				'GET',
+				[
+					'Accept' => 'text/html',
+				],
+				true,
+			],
+			'xhr request' => [
+				'GET',
+				[
+					'Accept' => 'text/html',
+					'X-Requested-With' => 'XMLHttpRequest',
+				],
+				false,
+			],
+			'json request' => [
+				'GET',
+				[
+					'Accept' => 'application/json',
+				],
+				false,
+			],
+			'non navigate fetch mode' => [
+				'GET',
+				[
+					'Accept' => 'text/html',
+					'Sec-Fetch-Mode' => 'cors',
+				],
+				false,
+			],
+			'non document destination' => [
+				'GET',
+				[
+					'Accept' => 'text/html',
+					'Sec-Fetch-Dest' => 'empty',
+				],
+				false,
+			],
+			'non get request' => [
+				'POST',
+				[
+					'Accept' => 'text/html',
+				],
+				false,
+			],
+		];
+	}
+}