fix(auth): Fix logging in with email, password and login name mismatch

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 78b4778bd52ca9a0d2240274b30d82a4e79ff2a1..b6d6adf6523a86cf35fd54e7660cf3c4072b30f1 100644 (file)
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -459,7 +459,8 @@ class Session implements IUserSession, Emitter {
                        if ($isTokenPassword) {
                                $dbToken = $this->tokenProvider->getToken($password);
                                $userFromToken = $this->manager->get($dbToken->getUID());
-                               $isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
+                               $isValidEmailLogin = $userFromToken->getEMailAddress() === $user
+                                       && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
                        } else {
                                $users = $this->manager->getByEmail($user);
                                $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
@@ -798,18 +799,7 @@ class Session implements IUserSession, Emitter {
                        return false;
                }
 
-               // Check if login names match
-               if (!is_null($user) && $dbToken->getLoginName() !== $user) {
-                       // TODO: this makes it impossible to use different login names on browser and client
-                       // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
-                       //      allow to use the client token with the login name 'user'.
-                       $this->logger->error('App token login name does not match', [
-                               'tokenLoginName' => $dbToken->getLoginName(),
-                               'sessionLoginName' => $user,
-                               'app' => 'core',
-                               'user' => $dbToken->getUID(),
-                       ]);
-
+               if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
                        return false;
                }
 
@@ -829,6 +819,27 @@ class Session implements IUserSession, Emitter {
                return true;
        }
 
+       /**
+        * Check if login names match
+        */
+       private function validateTokenLoginName(?string $loginName, IToken $token): bool {
+               if ($token->getLoginName() !== $loginName) {
+                       // TODO: this makes it impossible to use different login names on browser and client
+                       // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+                       //      allow to use the client token with the login name 'user'.
+                       $this->logger->error('App token login name does not match', [
+                               'tokenLoginName' => $token->getLoginName(),
+                               'sessionLoginName' => $loginName,
+                               'app' => 'core',
+                               'user' => $token->getUID(),
+                       ]);
+
+                       return false;
+               }
+
+               return true;
+       }
+
        /**
         * Tries to login the user with auth token header
         *