author | Ferdinand Thiessen <opensource@fthiessen.de> | 2025-01-18 16:28:23 +0100 |
---|---|---|
committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2025-03-03 18:02:07 +0100 |
commit | 3c4feff028ab87b57a29e5771cde8ba6c5b7e4b0 (patch) | |
tree | 74b8e265ab200fa6f12fef49a0d17c9634e5f444 /lib/private/Authentication | |
parent | 2582a55300ac83a806d79499c9bbe7db4e310aee (diff) | |
fix: Move login via email logic to local backendfix/move-email-logic-local-user-backend
Backends can decide which names they accept for login,
e.g. with user_ldap you can configure arbitrary login fields.
This was a hacky approach to allow login via email,
so instead this is now only handled by the local user backend.
This also fixes some other related problems:
Other logic relies on `backend::get()` which was not handling email,
so e.g. password policy could not block users logged in via email
if they use out-dated passwords.
Similar for other integrations, as the user backend was not consistent with
what is a login name and what not.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/private/Authentication')
-rw-r--r-- | lib/private/Authentication/Login/Chain.php | 2 | ||||
-rw-r--r-- | lib/private/Authentication/Login/EmailLoginCommand.php | 53 |
2 files changed, 0 insertions, 55 deletions
diff --git a/lib/private/Authentication/Login/Chain.php b/lib/private/Authentication/Login/Chain.php
index 09030a154a6..fc90d9225a7 100644
--- a/lib/private/Authentication/Login/Chain.php
+++ b/lib/private/Authentication/Login/Chain.php
@@ -13,7 +13,6 @@ class Chain {
 private PreLoginHookCommand $preLoginHookCommand,
 private UserDisabledCheckCommand $userDisabledCheckCommand,
 private UidLoginCommand $uidLoginCommand,
- private EmailLoginCommand $emailLoginCommand,
 private LoggedInCheckCommand $loggedInCheckCommand,
 private CompleteLoginCommand $completeLoginCommand,
 private CreateSessionTokenCommand $createSessionTokenCommand,
@@ -31,7 +30,6 @@ class Chain {
 $chain
 ->setNext($this->userDisabledCheckCommand)
 ->setNext($this->uidLoginCommand)
- ->setNext($this->emailLoginCommand)
 ->setNext($this->loggedInCheckCommand)
 ->setNext($this->completeLoginCommand)
 ->setNext($this->flowV2EphemeralSessionsCommand)
diff --git a/lib/private/Authentication/Login/EmailLoginCommand.php b/lib/private/Authentication/Login/EmailLoginCommand.php
deleted file mode 100644
index 96cb39277fd..00000000000
--- a/lib/private/Authentication/Login/EmailLoginCommand.php
+++ /dev/null
@@ -1,53 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace OC\Authentication\Login;
-
-use OCP\IUserManager;
-
-class EmailLoginCommand extends ALoginCommand {
- /** @var IUserManager */
- private $userManager;
-
- public function __construct(IUserManager $userManager) {
- $this->userManager = $userManager;
- }
-
- public function process(LoginData $loginData): LoginResult {
- if ($loginData->getUser() === false) {
- if (!filter_var($loginData->getUsername(), FILTER_VALIDATE_EMAIL)) {
- return $this->processNextOrFinishSuccessfully($loginData);
- }
-
- $users = $this->userManager->getByEmail($loginData->getUsername());
- // we only allow login by email if unique
- if (count($users) === 1) {
- // FIXME: This is a workaround to still stick to configured LDAP login filters
- // this can be removed once the email login is properly implemented in the local user backend
- // as described in https://github.com/nextcloud/server/issues/5221
- if ($users[0]->getBackendClassName() === 'LDAP') {
- return $this->processNextOrFinishSuccessfully($loginData);
- }
-
- $username = $users[0]->getUID();
- if ($username !== $loginData->getUsername()) {
- $user = $this->userManager->checkPassword(
- $username,
- $loginData->getPassword()
- );
- if ($user !== false) {
- $loginData->setUser($user);
- $loginData->setUsername($username);
- }
- }
- }
- }
-
- return $this->processNextOrFinishSuccessfully($loginData);
- }
-} |