If accepted, I'll backport it to https://github.com/pi-hole/pi-hole/blob/development/advanced/Scripts/api.sh

Do we need this? I thought the whole point of the app password was to bypass 2FA for API usage?

Yes, the app password can bypass the 2FA, but users might not want to use it.

this still asks for 2fa even if running PADD as sudo on pihole device directly. i was under the impression that #392 made it so that no password (2fa as well?) needs to be provided if running as root or as a user is a member the pihole group.

without --2fa

sudo ./padd.sh --server pi.hole

so --2fa becomes required (can pass any number, even if more than 6 digits long) regardless of who is running PADD

sudo ./padd.sh --server pi.hole --2fa 0

or from any device with app password from api

./padd.sh --server pi.hole --secret <app-password> --2fa 0

if using WebUI password, --2fa must be valid

I pushed a small change that skipps 2FA if a CLI password is read. Thanks for testing.

tested with and without 2fa enabled on WebUI & running PADD on Pi-hole device and from other computers.

if 2FA is enabled, --2fa is only required when not using PADD from Pi-hole device as root, regardless of password that is provided as --secret.

if 2FA is not enabled on WebUI, PADD does not ask for second factor.

I think this is fine now as it is. I don't want to make the code to complicate to check for the app password as well. If users know they use the app password, they can just enter any number in the 2FA field.

If users know they use the app password, they can just enter any number in the 2FA field.

should it be explained somewhere that when using the app password, the 2fa field can be any number?

or a better way to say it would be

--2fa only needs to be valid when using WebUI password.