From 280d092f35f05506d09a81fd83449ca97eacbc63 Mon Sep 17 00:00:00 2001
From: Robin Appelman <robin@icewind.nl>
Date: Mon, 4 May 2026 18:00:52 +0200
Subject: [PATCH 1/2] fix: don't tell the remote their token is lower

Signed-off-by: Robin Appelman <robin@icewind.nl>
---
 apps/federation/lib/Controller/OCSAuthAPIController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/federation/lib/Controller/OCSAuthAPIController.php b/apps/federation/lib/Controller/OCSAuthAPIController.php
index 733b6b63544c1..1a4cc5d5817a0 100644
--- a/apps/federation/lib/Controller/OCSAuthAPIController.php
+++ b/apps/federation/lib/Controller/OCSAuthAPIController.php
@@ -109,7 +109,7 @@ public function requestSharedSecret(string $url, string $token): DataResponse {
 			$this->logger->info(
 				'remote server (' . $url . ') presented lower token. We will initiate the exchange of the shared secret.'
 			);
-			throw new OCSForbiddenException();
+			return new DataResponse();
 		}
 
 		$this->jobList->add(

From bb4e98d79527d9c054df40ebc50c0a5129f0cdf2 Mon Sep 17 00:00:00 2001
From: Robin Appelman <robin@icewind.nl>
Date: Tue, 19 May 2026 19:39:05 +0200
Subject: [PATCH 2/2] test: adjust tests

Signed-off-by: Robin Appelman <robin@icewind.nl>
---
 .../federation/tests/Controller/OCSAuthAPIControllerTest.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php b/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php
index ef6879677f163..4fb6d2f1d4db2 100644
--- a/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php
+++ b/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php
@@ -90,9 +90,9 @@ public function testRequestSharedSecret(string $token, string $localToken, bool
 
 		try {
 			$this->ocsAuthApi->requestSharedSecret($url, $token);
-			$this->assertTrue($ok);
+			$this->assertTrue($isTrustedServer);
 		} catch (OCSForbiddenException $e) {
-			$this->assertFalse($ok);
+			$this->assertFalse($isTrustedServer);
 		}
 	}
 
@@ -144,7 +144,6 @@ public function testGetSharedSecret(bool $isTrustedServer, bool $isValidToken, b
 
 		try {
 			$result = $ocsAuthApi->getSharedSecret($url, $token);
-			$this->assertTrue($ok);
 			$data = $result->getData();
 			$this->assertSame('secret', $data['sharedSecret']);
 		} catch (OCSForbiddenException $e) {