2 files changed, 23 insertions, 5 deletions

diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index ab68f752206..57127f280c4 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
@@ -108,7 +108,11 @@ class Checker {
 		 * applicable for very specific scenarios and we should not advertise it
 		 * too prominent. So please do not add it to config.sample.php.
 		 */
-		$isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false);
+		if ($this->config !== null) {
+			$isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false);
+		} else {
+			$isIntegrityCheckDisabled = false;
+		}
 		if($isIntegrityCheckDisabled === true) {
 			return false;
 		}
@@ -401,7 +405,10 @@ class Checker {
 			return json_decode($cachedResults, true);
 		}
 
-		return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true);
+		if ($this->config !== null) {
+			return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true);
+		}
+		return [];
 	}
 
 	/**
@@ -416,7 +423,9 @@ class Checker {
 		if(!empty($result)) {
 			$resultArray[$scope] = $result;
 		}
-		$this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray));
+		if ($this->config !== null) {
+			$this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray));
+		}
 		$this->cache->set(self::CACHE_KEY, json_encode($resultArray));
 	}
 
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 2b65f31af28..6219a89e5b3 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter {
 	 */
 	public function login($uid, $password) {
 		$this->session->regenerateId();
-		if ($this->validateToken($password)) {
+		if ($this->validateToken($password, $uid)) {
 			// When logging in with token, the password must be decrypted first before passing to login hook
 			try {
 				$token = $this->tokenProvider->getToken($password);
@@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter {
 	 * Invalidates the token if checks fail
 	 *
 	 * @param string $token
+	 * @param string $user login name
 	 * @return boolean
 	 */
-	private function validateToken($token) {
+	private function validateToken($token, $user = null) {
 		try {
 			$dbToken = $this->tokenProvider->getToken($token);
 		} catch (InvalidTokenException $ex) {
 			return false;
 		}
 
+		// Check if login names match
+		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+			// TODO: this makes it imposssible to use different login names on browser and client
+			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+			//      allow to use the client token with the login name 'user'.
+			return false;
+		}
+
 		if (!$this->checkTokenCredentials($dbToken, $token)) {
 			return false;
 		}