From 4ec4a04e491bf334c1d129d51aa7ca65dc54dfe3 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Tue, 23 Jul 2019 20:03:08 -0400
Subject: [PATCH] Remove mod/ping from 2fa exception list

- Prevent asynchronous calls to redirect to /2fa in case of missing valid 2fa session
---
 src/Core/Authentication.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/Core/Authentication.php b/src/Core/Authentication.php
index 646729c434..e75cc93e7f 100644
--- a/src/Core/Authentication.php
+++ b/src/Core/Authentication.php
@@ -7,6 +7,7 @@ namespace Friendica\Core;
 
 use Friendica\App;
 use Friendica\BaseObject;
+use Friendica\Network\HTTPException\ForbiddenException;
 use Friendica\Util\BaseURL;
 
 /**
@@ -71,7 +72,7 @@ class Authentication extends BaseObject
 }
 
 // Check current path, if 2fa authentication module return
- if ($a->argc > 0 && in_array($a->argv[0], ['ping', '2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
+ if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
 return;
 }
 
@@ -81,7 +82,11 @@ class Authentication extends BaseObject
 }
 
 // Case 2: No valid 2FA session: redirect to code verification page
- $a->internalRedirect('2fa');
+ if ($a->isAjax()) {
+ throw new ForbiddenException();
+ } else {
+ $a->internalRedirect('2fa');
+ }
 
 }
 }
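Review bot: With `ping` removed, the exemption list on the new `if` line still lets `api`, `proxy`, `view` and `help` skip the 2FA check entirely, and the `api` entry in particular deserves a comment saying why a session that has not completed 2FA may reach it (presumably because API calls authenticate by other means — confirm before relying on it). The comparison of the user-controlled `$a->argv[0]` against the list uses loose `in_array`; make it `in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'], true)` so only exact string matches are exempted. The enclosing method starts before this hunk.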
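Review bot: The comment kept above the new branch, `// Case 2: No valid 2FA session: redirect to code verification page`, now describes only one of two outcomes; update it to `// Case 2: No valid 2FA session: 403 for AJAX callers, otherwise redirect to the code verification page`. The bare `throw new ForbiddenException()` gives an XHR client nothing to distinguish "second factor still pending" from a genuine permission denial, so if the exception accepts a message, `throw new ForbiddenException('Two-factor authentication required');` would let callers react sensibly. `isAjax()` is presumably derived from request headers the client controls, which is acceptable here only because both branches deny access and merely differ in response shape; it must never be used to decide whether the check applies. Whether the thrown exception is turned into an HTTP 403 rather than a 500 depends on the front controller, which is outside this hunk; the method and class close at the end of the hunk but begin outside it.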