From: Ember 'n0emis' Keske <git@n0emis.eu>
Date: Mon, 13 Mar 2023 09:32:53 +0000 (+0100)
Subject: Don't try to hash a nonexisting password
X-Git-Tag: v27.0.0beta1~340^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=6881d2f2f15976514cc52d6ea49ff09c5bb81d2b;p=nextcloud-server.git

Don't try to hash a nonexisting password

Allows to log-in via a passwordless authentication provider, eg SSO

Signed-off-by: Ember 'n0emis' Keske <git@n0emis.eu>
---

diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 38bbef8fb61..824e2e056c8 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -113,7 +113,7 @@ class PublicKeyTokenProvider implements IProvider {
 		// We need to check against one old token to see if there is a password
 		// hash that we can reuse for detecting outdated passwords
 		$randomOldToken = $this->mapper->getFirstTokenForUser($uid);
-		$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
+		$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $password !== null && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
 
 		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);