diff options
| author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2024-01-19 19:29:41 +0100 |
|---|---|---|
| committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2024-01-22 09:43:59 +0000 |
| commit | 0e3f68079e3886c319777f5972dec3443fe62681 (patch) | |
| tree | e5e15a293768f6132bdd2b103af590df93f8b8fc | |
| parent | 7026fa6fa28518f157a8733075d6bfe12895664e (diff) | |
| download | nextcloud-server-0e3f68079e3886c319777f5972dec3443fe62681.tar.gz nextcloud-server-0e3f68079e3886c319777f5972dec3443fe62681.zip | |
fix(auth): Fix logging in with email, password and login name mismatch
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
| -rw-r--r-- | lib/private/User/Session.php | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 772a4103490..a411326c93f 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -460,7 +460,8 @@ class Session implements IUserSession, Emitter { if ($isTokenPassword) { $dbToken = $this->tokenProvider->getToken($password); $userFromToken = $this->manager->get($dbToken->getUID()); - $isValidEmailLogin = $userFromToken->getEMailAddress() === $user; + $isValidEmailLogin = $userFromToken->getEMailAddress() === $user + && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken); } else { $users = $this->manager->getByEmail($user); $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password)); @@ -800,18 +801,7 @@ class Session implements IUserSession, Emitter { return false; } - // Check if login names match - if (!is_null($user) && $dbToken->getLoginName() !== $user) { - // TODO: this makes it impossible to use different login names on browser and client - // e.g. login by e-mail 'user@example.com' on browser for generating the token will not - // allow to use the client token with the login name 'user'. - $this->logger->error('App token login name does not match', [ - 'tokenLoginName' => $dbToken->getLoginName(), - 'sessionLoginName' => $user, - 'app' => 'core', - 'user' => $dbToken->getUID(), - ]); - + if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) { return false; } @@ -832,6 +822,27 @@ class Session implements IUserSession, Emitter { } /** + * Check if login names match + */ + private function validateTokenLoginName(?string $loginName, IToken $token): bool { + if ($token->getLoginName() !== $loginName) { + // TODO: this makes it impossible to use different login names on browser and client + // e.g. login by e-mail 'user@example.com' on browser for generating the token will not + // allow to use the client token with the login name 'user'. + $this->logger->error('App token login name does not match', [ + 'tokenLoginName' => $token->getLoginName(), + 'sessionLoginName' => $loginName, + 'app' => 'core', + 'user' => $token->getUID(), + ]); + + return false; + } + + return true; + } + + /** * Tries to login the user with auth token header * * @param IRequest $request |