author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2024-01-22 20:24:26 +0100 |
committer | GitHub <noreply@github.com> | 2024-01-22 20:24:26 +0100 |
commit | 9398e908281d354e11e0b4680c693ffbbc98c57d (patch) | |
tree | 5e3679749a83bb4dd2b86f3fb67a6ba354e566f7 /lib | |
parent | dad03dbc734e2b2030e76dcead9230be2cd8ee2c (diff) | |
parent | 0e3f68079e3886c319777f5972dec3443fe62681 (diff) | |
Merge pull request #43012 from nextcloud/backport/42971/stable28
[stable28] fix(auth): Fix logging in with email and app password
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/User/Session.php | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 772a4103490..a411326c93f 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -460,7 +460,8 @@ class Session implements IUserSession, Emitter {
 if ($isTokenPassword) {
 $dbToken = $this->tokenProvider->getToken($password);
 $userFromToken = $this->manager->get($dbToken->getUID());
- $isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
+ $isValidEmailLogin = $userFromToken->getEMailAddress() === $user
+ && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
 } else {
 $users = $this->manager->getByEmail($user);
 $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
@@ -800,18 +801,7 @@ class Session implements IUserSession, Emitter {
 return false;
 }
 
- // Check if login names match
- if (!is_null($user) && $dbToken->getLoginName() !== $user) {
- // TODO: this makes it impossible to use different login names on browser and client
- // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
- // allow to use the client token with the login name 'user'.
- $this->logger->error('App token login name does not match', [
- 'tokenLoginName' => $dbToken->getLoginName(),
- 'sessionLoginName' => $user,
- 'app' => 'core',
- 'user' => $dbToken->getUID(),
- ]);
-
+ if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
 return false;
 }
 
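Review bot: The added second operand in the first hunk makes an email login with an app password succeed only when the token's stored login name is strictly identical to `getEMailAddress()`, and a mismatch is both rejected and written to the log at error level by validateTokenLoginName, yet nothing in the hunk says why the email address rather than `$user` is handed to the helper. Since the first operand has already established `getEMailAddress() === $user`, the two values are interchangeable at that point, which is worth a one-line comment so the next reader does not read it as a bug: `// $user equals the account email here; the app password's login name must be that email as well`. Whether `getEMailAddress()` can return null is not visible in the hunk; if it can, a null value fails the first strict comparison and the helper is never reached. The enclosing method begins and ends outside the hunk.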
@@ -832,6 +822,27 @@ class Session implements IUserSession, Emitter {
 }
 
 /**
+ * Check if login names match
+ */
+ private function validateTokenLoginName(?string $loginName, IToken $token): bool {
+ if ($token->getLoginName() !== $loginName) {
+ // TODO: this makes it impossible to use different login names on browser and client
+ // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+ // allow to use the client token with the login name 'user'.
+ $this->logger->error('App token login name does not match', [
+ 'tokenLoginName' => $token->getLoginName(),
+ 'sessionLoginName' => $loginName,
+ 'app' => 'core',
+ 'user' => $token->getUID(),
+ ]);
+
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
 * Tries to login the user with auth token header
 *
 * @param IRequest $request
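Review bot: validateTokenLoginName accepts a nullable `$loginName`, but its docblock only says "Check if login names match" and does not state what a null argument means; with the strict `!==` a null value returns false and produces an error log entry unless `getLoginName()` itself yields null, and the two call sites differ on guarding for it — the one in the second hunk is preceded by `!is_null($user)`, the one in the first hunk passes `getEMailAddress()` unguarded. I would spell out the contract in the docblock: `@param ?string $loginName login name presented by the client; null does not match a token that carries a login name`, `@param IToken $token token the client authenticated with`, `@return bool true when the token's login name equals $loginName; false otherwise, with the mismatch logged at error level`. Whether `IToken::getLoginName()` can return null is not visible on this page, so the null case should be confirmed against the interface before the wording is final.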