feat (2fa): Add IStatelessProvider interface

AUTHORS

@@ -629,6 +629,7 @@
  - zorn-v <[email protected]>
  - zulan <[email protected]>
  - Łukasz Buśko <[email protected]>
+ - Michał Roszak <[email protected]>
  - Nextcloud GmbH
  - ownCloud GmbH
  - ownCloud, Inc.

lib/private/Authentication/TwoFactorAuth/ProviderManager.php

@@ -13,6 +13,7 @@
 use OCP\Authentication\TwoFactorAuth\IDeactivatableByAdmin;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IRegistry;
+use OCP\Authentication\TwoFactorAuth\IStatelessProvider;
 use OCP\IUser;
 
 class ProviderManager {
@@ -47,7 +48,9 @@ private function getProvider(string $providerId, IUser $user): IProvider {
 	public function tryEnableProviderFor(string $providerId, IUser $user): bool {
 		$provider = $this->getProvider($providerId, $user);
 
-		if ($provider instanceof IActivatableByAdmin) {
+		if ($provider instanceof IActivatableByAdmin
+			&& !($provider instanceof IStatelessProvider)
+		) {
 			$provider->enableFor($user);
 			$this->providerRegistry->enableProviderFor($provider, $user);
 			return true;
@@ -66,7 +69,9 @@ public function tryEnableProviderFor(string $providerId, IUser $user): bool {
 	public function tryDisableProviderFor(string $providerId, IUser $user): bool {
 		$provider = $this->getProvider($providerId, $user);
 
-		if ($provider instanceof IDeactivatableByAdmin) {
+		if ($provider instanceof IDeactivatableByAdmin
+			&& !($provider instanceof IStatelessProvider)
+		) {
 			$provider->disableFor($user);
 			$this->providerRegistry->disableProviderFor($provider, $user);
 			return true;

lib/private/Authentication/TwoFactorAuth/Registry.php

@@ -11,6 +11,7 @@
 use OC\Authentication\TwoFactorAuth\Db\ProviderUserAssignmentDao;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IRegistry;
+use OCP\Authentication\TwoFactorAuth\IStatelessProvider;
 use OCP\Authentication\TwoFactorAuth\RegistryEvent;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderDisabled;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderForUserRegistered;
@@ -37,6 +38,10 @@ public function getProviderStates(IUser $user): array {
 	}
 
 	public function enableProviderFor(IProvider $provider, IUser $user) {
+		if ($provider instanceof IStatelessProvider) {
+			return;
+		}
+
 		$this->assignmentDao->persist($provider->getId(), $user->getUID(), 1);
 
 		$event = new RegistryEvent($provider, $user);
@@ -45,6 +50,10 @@ public function enableProviderFor(IProvider $provider, IUser $user) {
 	}
 
 	public function disableProviderFor(IProvider $provider, IUser $user) {
+		if ($provider instanceof IStatelessProvider) {
+			return;
+		}
+
 		$this->assignmentDao->persist($provider->getId(), $user->getUID(), 0);
 
 		$event = new RegistryEvent($provider, $user);

lib/public/Authentication/TwoFactorAuth/IStatelessProvider.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+namespace OCP\Authentication\TwoFactorAuth;
+
+use OCP\IUser;
+
+/**
+ * Marks the 2FA provider stateless. That means the state of 2FA activation
+ * for user will be checked dynamically and not stored in the database.
+ */
+interface IStatelessProvider extends IProvider {
+
+	public function isTwoFactorAuthEnabledForUser(IUser $user): bool;
+}

tests/lib/Authentication/TwoFactorAuth/RegistryTest.php

@@ -13,6 +13,7 @@
 use OC\Authentication\TwoFactorAuth\Registry;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IRegistry;
+use OCP\Authentication\TwoFactorAuth\IStatelessProvider;
 use OCP\Authentication\TwoFactorAuth\RegistryEvent;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderDisabled;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderForUserRegistered;
@@ -81,6 +82,18 @@ public function testEnableProvider(): void {
 		$this->registry->enableProviderFor($provider, $user);
 	}
 
+	public function testEnableStatelessProvider(): void {
+		$user = $this->createMock(IUser::class);
+		$provider = $this->createMock(IStatelessProvider::class);
+
+		$this->dao->expects($this->never())->method('persist');
+
+		$this->dispatcher->expects($this->never())->method('dispatch');
+		$this->dispatcher->expects($this->never())->method('dispatchTyped');
+
+		$this->registry->enableProviderFor($provider, $user);
+	}
+
 	public function testDisableProvider(): void {
 		$user = $this->createMock(IUser::class);
 		$provider = $this->createMock(IProvider::class);
@@ -108,6 +121,18 @@ public function testDisableProvider(): void {
 		$this->registry->disableProviderFor($provider, $user);
 	}
 
+	public function testDisableStatelessProvider(): void {
+		$user = $this->createMock(IUser::class);
+		$provider = $this->createMock(IStatelessProvider::class);
+
+		$this->dao->expects($this->never())->method('persist');
+
+		$this->dispatcher->expects($this->never())->method('dispatch');
+		$this->dispatcher->expects($this->never())->method('dispatchTyped');
+
+		$this->registry->disableProviderFor($provider, $user);
+	}
+
 	public function testDeleteUserData(): void {
 		$user = $this->createMock(IUser::class);
 		$user->expects($this->once())->method('getUID')->willReturn('user123');