diff options
| author | Christoph Wurst <ChristophWurst@users.noreply.github.com> | 2024-01-22 10:41:48 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-22 10:41:48 +0100 |
| commit | 03774ad77c64963f15d43904bb8460a2af86c861 (patch) | |
| tree | 66eb749fee474605dc969cb62a2e11fd36918174 | |
| parent | 90a551d5704b730ee26227f44d4042e8b5309660 (diff) | |
| parent | 7f2fdd884354a1ab2f07228d7b1c3839139c4378 (diff) | |
| download | nextcloud-server-03774ad77c64963f15d43904bb8460a2af86c861.tar.gz nextcloud-server-03774ad77c64963f15d43904bb8460a2af86c861.zip | |
Merge pull request #42971 from nextcloud/fix/auth/login-email-password-login-name-mismatch
fix(auth): Fix logging in with email and app password
| -rw-r--r-- | lib/private/User/Session.php | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 772a4103490..a411326c93f 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -460,7 +460,8 @@ class Session implements IUserSession, Emitter { if ($isTokenPassword) { $dbToken = $this->tokenProvider->getToken($password); $userFromToken = $this->manager->get($dbToken->getUID()); - $isValidEmailLogin = $userFromToken->getEMailAddress() === $user; + $isValidEmailLogin = $userFromToken->getEMailAddress() === $user + && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken); } else { $users = $this->manager->getByEmail($user); $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password)); @@ -800,18 +801,7 @@ class Session implements IUserSession, Emitter { return false; } - // Check if login names match - if (!is_null($user) && $dbToken->getLoginName() !== $user) { - // TODO: this makes it impossible to use different login names on browser and client - // e.g. login by e-mail 'user@example.com' on browser for generating the token will not - // allow to use the client token with the login name 'user'. - $this->logger->error('App token login name does not match', [ - 'tokenLoginName' => $dbToken->getLoginName(), - 'sessionLoginName' => $user, - 'app' => 'core', - 'user' => $dbToken->getUID(), - ]); - + if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) { return false; } @@ -832,6 +822,27 @@ class Session implements IUserSession, Emitter { } /** + * Check if login names match + */ + private function validateTokenLoginName(?string $loginName, IToken $token): bool { + if ($token->getLoginName() !== $loginName) { + // TODO: this makes it impossible to use different login names on browser and client + // e.g. login by e-mail 'user@example.com' on browser for generating the token will not + // allow to use the client token with the login name 'user'. + $this->logger->error('App token login name does not match', [ + 'tokenLoginName' => $token->getLoginName(), + 'sessionLoginName' => $loginName, + 'app' => 'core', + 'user' => $token->getUID(), + ]); + + return false; + } + + return true; + } + + /** * Tries to login the user with auth token header * * @param IRequest $request |