draft to prevent the invalidation of pw based authn tokens on a pw less login
authorTobias Assmann <tobias.assmann@ecsec.de>
Fri, 9 Jul 2021 07:35:12 +0000 (09:35 +0200)
committerJulius Härtl <jus@bitgrid.net>
Fri, 8 Oct 2021 06:08:28 +0000 (08:08 +0200)
Signed-off-by: Tobias Assmann <tobias.assmann@ecsec.de>
lib/private/Authentication/Listeners/UserLoggedInListener.php
lib/private/Authentication/Token/PublicKeyTokenProvider.php

index 711a759fad40b35fa11123b7bf32d9dbd43fa944..d0ad8e2e838f718ba65dd3d6787b467ecb924d74 100644 (file)
@@ -49,6 +49,11 @@ class UserLoggedInListener implements IEventListener {
                        return;
                }
 
+               // prevent setting an empty pw as result of pw-less-login
+               if ($event->getPassword()==='') {
+                       return;
+               }
+
                // If this is already a token login there is nothing to do
                if ($event->isTokenLogin()) {
                        return;
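Review bot: The new guard `$event->getPassword()===''` matches only the empty string, so a passwordless login that reports its password as `null` would pass it and reach whatever follows the token-login check. The event's return type is not visible in this hunk, so this needs confirming; if `null` is possible, `if ($event->getPassword() === null || $event->getPassword() === '') {` covers both cases. The comment would also be more useful if it stated the consequence named in the commit title, for example `// Passwordless login carries no password; propagating it would invalidate password-based auth tokens`. The handler's body starts and ends outside the hunk.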
index a293d2a8404243e18700f5d361b8723b54995e89..222e5cba099e48acddbd5f01adf50fcca185ce2e 100644 (file)
@@ -414,6 +414,11 @@ class PublicKeyTokenProvider implements IProvider {
        public function updatePasswords(string $uid, string $password) {
                $this->cache->clear();
 
+               // prevent setting an empty pw as result of pw-less-login
+               if ($password==='') {
+                       return;
+               }
+
                // Update the password for all tokens
                $tokens = $this->mapper->getTokenByUser($uid);
                foreach ($tokens as $t) {
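Review bot: `$this->cache->clear()` still runs before the new empty-password guard in `updatePasswords`, so every passwordless login discards the provider's cache even though no token is modified. Making `if ($password === '') { return; }` the first statement of the method avoids that. The early return is also silent, so a caller cannot tell "nothing to update" from a completed update. A line in the method's doc comment such as `An empty password denotes a passwordless login; stored token passwords are left untouched.` would record that contract for other callers of this public method. The method body continues past the end of the hunk.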