authorFerdinand Thiessen <opensource@fthiessen.de>2025-01-18 16:28:23 +0100
committerFerdinand Thiessen <opensource@fthiessen.de>2025-03-03 18:02:07 +0100
commit3c4feff028ab87b57a29e5771cde8ba6c5b7e4b0 (patch)
tree74b8e265ab200fa6f12fef49a0d17c9634e5f444 /lib/private/Authentication
parent2582a55300ac83a806d79499c9bbe7db4e310aee (diff)
fix: Move login via email logic to local backendfix/move-email-logic-local-user-backend
Backends can decide which names they accept for login, e.g. with user_ldap you can configure arbitrary login fields. This was a hacky approach to allow login via email, so instead this is now only handled by the local user backend. This also fixes some other related problems: Other logic relies on `backend::get()`, which was not handling email, so e.g. password policy could not block users logged in via email if they use outdated passwords. Similar for other integrations, as the user backend was not consistent with what is a login name and what not. Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de> Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/private/Authentication')
-rw-r--r--lib/private/Authentication/Login/Chain.php2
-rw-r--r--lib/private/Authentication/Login/EmailLoginCommand.php53
2 files changed, 0 insertions, 55 deletions
diff --git a/lib/private/Authentication/Login/Chain.php b/lib/private/Authentication/Login/Chain.php
index 09030a154a6..fc90d9225a7 100644
--- a/lib/private/Authentication/Login/Chain.php
+++ b/lib/private/Authentication/Login/Chain.php
@@ -13,7 +13,6 @@ class Chain {
private PreLoginHookCommand $preLoginHookCommand,
private UserDisabledCheckCommand $userDisabledCheckCommand,
private UidLoginCommand $uidLoginCommand,
- private EmailLoginCommand $emailLoginCommand,
private LoggedInCheckCommand $loggedInCheckCommand,
private CompleteLoginCommand $completeLoginCommand,
private CreateSessionTokenCommand $createSessionTokenCommand,
@@ -31,7 +30,6 @@ class Chain {
$chain
->setNext($this->userDisabledCheckCommand)
->setNext($this->uidLoginCommand)
- ->setNext($this->emailLoginCommand)
->setNext($this->loggedInCheckCommand)
->setNext($this->completeLoginCommand)
->setNext($this->flowV2EphemeralSessionsCommand)
diff --git a/lib/private/Authentication/Login/EmailLoginCommand.php b/lib/private/Authentication/Login/EmailLoginCommand.php
deleted file mode 100644
index 96cb39277fd..00000000000
--- a/lib/private/Authentication/Login/EmailLoginCommand.php
+++ /dev/null
@@ -1,53 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace OC\Authentication\Login;
-
-use OCP\IUserManager;
-
-class EmailLoginCommand extends ALoginCommand {
- /** @var IUserManager */
- private $userManager;
-
- public function __construct(IUserManager $userManager) {
- $this->userManager = $userManager;
- }
-
- public function process(LoginData $loginData): LoginResult {
- if ($loginData->getUser() === false) {
- if (!filter_var($loginData->getUsername(), FILTER_VALIDATE_EMAIL)) {
- return $this->processNextOrFinishSuccessfully($loginData);
- }
-
- $users = $this->userManager->getByEmail($loginData->getUsername());
- // we only allow login by email if unique
- if (count($users) === 1) {
- // FIXME: This is a workaround to still stick to configured LDAP login filters
- // this can be removed once the email login is properly implemented in the local user backend
- // as described in https://github.com/nextcloud/server/issues/5221
- if ($users[0]->getBackendClassName() === 'LDAP') {
- return $this->processNextOrFinishSuccessfully($loginData);
- }
-
- $username = $users[0]->getUID();
- if ($username !== $loginData->getUsername()) {
- $user = $this->userManager->checkPassword(
- $username,
- $loginData->getPassword()
- );
- if ($user !== false) {
- $loginData->setUser($user);
- $loginData->setUsername($username);
- }
- }
- }
- }
-
- return $this->processNextOrFinishSuccessfully($loginData);
- }
-}