nextcloud · CarlSchwan · Sep 17, 2025 · Sep 17, 2025 · Jan 12, 2026
@@ -8,6 +8,7 @@
 
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataResponse;
@@ -144,8 +145,6 @@ public function getPreview(
 	}
 
 	/**
-	 * @NoSameSiteCookieRequired
-	 *
 	 * Get a direct link preview for a shared file
 	 *
 	 * @param string $token Token of the share
@@ -159,6 +158,7 @@ public function getPreview(
 	#[PublicPage]
 	#[NoCSRFRequired]
 	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
+	#[NoSameSiteCookieRequired]
 	public function directLink(string $token) {
 		// No token no image
 		if ($token === '') {

@@ -15,12 +15,12 @@
 use OCP\Accounts\IAccountManager;
 use OCP\AppFramework\AuthPublicShareController;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
 use OCP\AppFramework\Http\RedirectResponse;
-use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\Constants;
 use OCP\Defaults;
@@ -343,18 +343,13 @@ public function showShare($path = ''): TemplateResponse {
 	}
 
 	/**
-	 * @NoSameSiteCookieRequired
-	 *
-	 * @param string $token
-	 * @param string|null $files
-	 * @param string $path
-	 * @return void|Response
 	 * @throws NotFoundException
 	 * @deprecated 31.0.0 Users are encouraged to use the DAV endpoint
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
-	public function downloadShare($token, $files = null, $path = '') {
+	#[NoSameSiteCookieRequired]
+	public function downloadShare(string $token, ?string $files = null, string $path = ''): NotFoundResponse|RedirectResponse|DataResponse {
 		\OC_User::setIncognitoMode(true);
 
 		$share = $this->shareManager->getShareByToken($token);

@@ -17,6 +17,8 @@
 use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
 use OCP\AppFramework\Http\Attribute\BruteForceProtection;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
@@ -61,13 +63,10 @@ public function __construct(
 	}
 
 	/**
-	 * @param string $setting
-	 * @param string $value
-	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
 	#[AuthorizedAdminSetting(settings: Admin::class)]
-	public function updateStylesheet($setting, $value) {
+	public function updateStylesheet(string $setting, string $value): DataResponse {
 		$value = trim($value);
 		$error = null;
 		$saved = false;
@@ -153,13 +152,10 @@ public function updateStylesheet($setting, $value) {
 	}
 
 	/**
-	 * @param string $setting
-	 * @param mixed $value
-	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
 	#[AuthorizedAdminSetting(settings: Admin::class)]
-	public function updateAppMenu($setting, $value) {
+	public function updateAppMenu(string $setting, mixed $value): DataResponse {
 		$error = null;
 		switch ($setting) {
 			case 'defaultApps':
@@ -204,7 +200,6 @@ private function isValidUrl(string $url): bool {
 	}
 
 	/**
-	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
 	#[AuthorizedAdminSetting(settings: Admin::class)]
@@ -366,9 +361,6 @@ public function getImage(string $key, bool $useSvg = true) {
 	}
 
 	/**
-	 * @NoSameSiteCookieRequired
-	 * @NoTwoFactorRequired
-	 *
 	 * Get the CSS stylesheet for a theme
 	 *
 	 * @param string $themeId ID of the theme
@@ -381,7 +373,9 @@ public function getImage(string $key, bool $useSvg = true) {
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
+	#[NoTwoFactorRequired]
 	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
+	#[NoSameSiteCookieRequired]
 	public function getThemeStylesheet(string $themeId, bool $plain = false, bool $withCustomCss = false) {
 		$themes = $this->themesService->getThemes();
 		if (!in_array($themeId, array_keys($themes))) {

@@ -3324,13 +3324,6 @@
     </DeprecatedMethod>
   </file>
   <file src="core/Middleware/TwoFactorMiddleware.php">
-    <DeprecatedInterface>
-      <code><![CDATA[private]]></code>
-    </DeprecatedInterface>
-    <DeprecatedMethod>
-      <code><![CDATA[hasAnnotation]]></code>
-      <code><![CDATA[hasAnnotation]]></code>
-    </DeprecatedMethod>
     <NoInterfaceProperties>
       <code><![CDATA[$this->request->server]]></code>
     </NoInterfaceProperties>

@@ -13,6 +13,7 @@
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\FileDisplayResponse;
@@ -50,8 +51,6 @@ public function __construct(
 	}
 
 	/**
-	 * @NoSameSiteCookieRequired
-	 *
 	 * Get the dark avatar
 	 *
 	 * @param string $userId ID of the user
@@ -67,6 +66,7 @@ public function __construct(
 	#[PublicPage]
 	#[FrontpageRoute(verb: 'GET', url: '/avatar/{userId}/{size}/dark')]
 	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
+	#[NoSameSiteCookieRequired]
 	public function getAvatarDark(string $userId, int $size, bool $guestFallback = false) {
 		if ($size <= 64) {
 			if ($size !== 64) {
@@ -102,8 +102,6 @@ public function getAvatarDark(string $userId, int $size, bool $guestFallback = f
 
 
 	/**
-	 * @NoSameSiteCookieRequired
-	 *
 	 * Get the avatar
 	 *
 	 * @param string $userId ID of the user
@@ -119,6 +117,7 @@ public function getAvatarDark(string $userId, int $size, bool $guestFallback = f
 	#[PublicPage]
 	#[FrontpageRoute(verb: 'GET', url: '/avatar/{userId}/{size}')]
 	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
+	#[NoSameSiteCookieRequired]
 	public function getAvatar(string $userId, int $size, bool $guestFallback = false) {
 		if ($size <= 64) {
 			if ($size !== 64) {

@@ -13,6 +13,7 @@
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\JSONResponse;
@@ -34,13 +35,12 @@ public function __construct(
 	 *
 	 * 200: CSRF token returned
 	 * 403: Strict cookie check failed
-	 *
-	 * @NoTwoFactorRequired
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
 	#[FrontpageRoute(verb: 'GET', url: '/csrftoken')]
 	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
+	#[NoTwoFactorRequired]
 	public function index(): JSONResponse {
 		if (!$this->request->passesStrictCookieCheck()) {
 			return new JSONResponse([], Http::STATUS_FORBIDDEN);

@@ -17,6 +17,7 @@
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
@@ -157,13 +158,11 @@ public function showAuthPickerPage(string $clientIdentifier = '', string $user =
 		return $response;
 	}
 
-	/**
-	 * @NoSameSiteCookieRequired
-	 */
 	#[NoAdminRequired]
 	#[NoCSRFRequired]
 	#[UseSession]
 	#[FrontpageRoute(verb: 'GET', url: '/login/flow/grant')]
+	#[NoSameSiteCookieRequired]
 	public function grantPage(
 		string $stateToken = '',
 		string $clientIdentifier = '',

@@ -18,6 +18,7 @@
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
@@ -137,14 +138,12 @@ public function showAuthPickerPage(string $user = '', int $direct = 0): Standalo
 		);
 	}
 
-	/**
-	 * @NoSameSiteCookieRequired
-	 */
 	#[NoAdminRequired]
 	#[NoCSRFRequired]
 	#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 	#[UseSession]
 	#[FrontpageRoute(verb: 'GET', url: '/login/v2/grant')]
+	#[NoSameSiteCookieRequired]
 	public function grantPage(?string $stateToken, int $direct = 0): StandaloneTemplateResponse {
 		if ($stateToken === null) {
 			return $this->stateTokenMissingResponse();

@@ -13,11 +13,11 @@
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
-use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Files\IAppData;
 use OCP\Files\NotFoundException;
@@ -41,21 +41,19 @@ public function __construct(
 	}
 
 	/**
-	 * @NoSameSiteCookieRequired
-	 *
 	 * @param string $fileName css filename with extension
 	 * @param string $appName css folder name
-	 * @return FileDisplayResponse|NotFoundResponse
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
 	#[FrontpageRoute(verb: 'GET', url: '/css/{appName}/{fileName}')]
-	public function getCss(string $fileName, string $appName): Response {
+	#[NoSameSiteCookieRequired]
+	public function getCss(string $fileName, string $appName): FileDisplayResponse|NotFoundResponse {
 		try {
 			$folder = $this->appData->getFolder($appName);
 			$gzip = false;
 			$file = $this->getFile($folder, $fileName, $gzip);
-		} catch (NotFoundException $e) {
+		} catch (NotFoundException) {
 			return new NotFoundResponse();
 		}
 

@@ -13,11 +13,12 @@
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoSameSiteCookieRequired;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
-use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Files\IAppData;
 use OCP\Files\NotFoundException;
@@ -41,17 +42,15 @@ public function __construct(
 	}
 
 	/**
-	 * @NoSameSiteCookieRequired
-	 * @NoTwoFactorRequired
-	 *
 	 * @param string $fileName js filename with extension
 	 * @param string $appName js folder name
-	 * @return FileDisplayResponse|NotFoundResponse
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
 	#[FrontpageRoute(verb: 'GET', url: '/js/{appName}/{fileName}')]
-	public function getJs(string $fileName, string $appName): Response {
+	#[NoTwoFactorRequired]
+	#[NoSameSiteCookieRequired]
+	public function getJs(string $fileName, string $appName): FileDisplayResponse|NotFoundResponse {
 		try {
 			$folder = $this->appData->getFolder($appName);
 			$gzip = false;
@@ -76,15 +75,11 @@ public function getJs(string $fileName, string $appName): Response {
 	}
 
 	/**
-	 * @NoTwoFactorRequired
-	 *
-	 * @param ISimpleFolder $folder
-	 * @param string $fileName
 	 * @param bool $gzip is set to true if we use the gzip file
-	 * @return ISimpleFile
 	 *
 	 * @throws NotFoundException
 	 */
+	#[NoTwoFactorRequired]
 	private function getFile(ISimpleFolder $folder, string $fileName, bool &$gzip): ISimpleFile {
 		$encoding = $this->request->getHeader('Accept-Encoding');
 

@@ -16,6 +16,7 @@
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataDisplayResponse;
@@ -75,12 +76,10 @@ public function __construct(
 		);
 	}
 
-	/**
-	 * @NoTwoFactorRequired
-	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
 	#[FrontpageRoute(verb: 'GET', url: '/core/js/oc.js')]
+	#[NoTwoFactorRequired]
 	public function getConfig(): DataDisplayResponse {
 		$data = $this->helper->getConfig();