From fd46c1732ec599008621a82d872c6a2a1d7ed41c Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 23 Jun 2026 15:18:51 -0400 Subject: [PATCH 1/3] docs(config): clarify scope of token_auth_enforced Signed-off-by: Josh --- config/config.sample.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/config/config.sample.php b/config/config.sample.php index e74c299b533ba..624a556c41f76 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -396,9 +396,17 @@ 'auto_logout' => false, /** - * Enforce token authentication for clients, which blocks requests using the user - * password for enhanced security. Users need to generate tokens in personal settings - * which can be used as passwords on their clients. + * Require app passwords/tokens instead of users' regular passwords for + * client authentication flows that would otherwise accept either form of + * credential directly. + * + * When enabled, these flows must use an app password/token generated in + * Personal settings rather than the user's main login password. + * + * This applies to client-style authentication such as DAV and HTTP Basic + * auth. It does not affect the standard interactive browser login, even + * when the browser is used to authorize a client. To restrict password-based + * browser logins, use an SSO or external identity provider. * * Defaults to ``false`` */ From 3ef0a32c6b1c74aaac38c039c47693cfe4e05b9b Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 23 Jun 2026 16:00:51 -0400 Subject: [PATCH 2/3] docs(config): clarify existing sessions / new authentication applicability Signed-off-by: Josh --- config/config.sample.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/config/config.sample.php b/config/config.sample.php index 624a556c41f76..f46eff0208b36 100644 --- a/config/config.sample.php +++ b/config/config.sample.php 
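Review bot: The scope sentence in the added lines (`This applies to client-style authentication such as DAV and HTTP Basic auth.`) is open-ended, so an administrator still cannot tell whether a given integration is covered; state the rule instead of examples, e.g. `Any request that authenticates with credentials carried in the request itself (HTTP Basic auth, as used by DAV and API clients) is affected; logins that go through the web login form are not.`, and confirm the exact set of affected flows against the authentication code, since this hunk only documents it. The replaced text also dropped the rationale (`for enhanced security`); one sentence on why an operator would enable it helps, presumably that a credential stored on a client is then a per-device token that can be revoked on its own without changing the account password (verify before stating it). The first sentence is hard to parse; `Require app passwords/tokens instead of the account password for client authentication flows that otherwise accept either.` reads more directly. The docblock this hunk rewrites closes inside the hunk, but the `'token_auth_enforced'` entry it documents is below it.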
@@ -400,14 +400,19 @@ * client authentication flows that would otherwise accept either form of * credential directly. * - * When enabled, these flows must use an app password/token generated in - * Personal settings rather than the user's main login password. + * When enabled, new authentication attempts through these flows must use an + * app password/token generated in Personal settings rather than the user's + * main login password. * * This applies to client-style authentication such as DAV and HTTP Basic * auth. It does not affect the standard interactive browser login, even * when the browser is used to authorize a client. To restrict password-based * browser logins, use an SSO or external identity provider. * + * This setting does not automatically revoke existing sessions. To fully + * enforce this policy for users with existing sessions, invalidate those + * sessions or wait for them to expire. + * * Defaults to ``false`` */ 'token_auth_enforced' => false, From 24c9584b72e25532d64a1d72350225d7c1e7dee5 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 23 Jun 2026 16:07:07 -0400 Subject: [PATCH 3/3] chore(config): drop extra space at eol for lint happiness Signed-off-by: Josh --- config/config.sample.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.sample.php b/config/config.sample.php index f46eff0208b36..7f61f4ae2af4e 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -409,7 +409,7 @@ * when the browser is used to authorize a client. To restrict password-based * browser logins, use an SSO or external identity provider. * - * This setting does not automatically revoke existing sessions. To fully + * This setting does not automatically revoke existing sessions. To fully * enforce this policy for users with existing sessions, invalidate those * sessions or wait for them to expire. *
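Review bot: `invalidate those sessions or wait for them to expire` in the added lines gives the operator neither the how nor the how-long; name the mechanism and cross-reference the lifetime settings, e.g. `To fully enforce this policy for users with existing sessions, revoke those sessions from the user's Personal security settings (or the equivalent administrative tooling), or wait for them to expire (see ``session_lifetime`` and ``remember_login_cookie_lifetime``).`, and confirm those are the settings that bound the sessions in question before citing them. `existing sessions` is also ambiguous for Basic-auth/DAV clients, which present credentials on every request yet may still hold a server-side session; a clause saying that the restriction is applied at the next authentication and not to requests served from an already-established session would make the intent explicit. The docblock this hunk edits begins above the hunk.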