From 50ccf7e2cff8dfe6345d32e5c3b69a544eef52ea Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Thu, 10 Mar 2022 15:28:01 +0100
Subject: Validate the password before generating an apptoken

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 core/Command/User/AddAppPassword.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'core/Command/User')

diff --git a/core/Command/User/AddAppPassword.php b/core/Command/User/AddAppPassword.php
index 34c8dc67ccc..4f636c406fb 100644
--- a/core/Command/User/AddAppPassword.php
+++ b/core/Command/User/AddAppPassword.php
@@ -109,8 +109,10 @@ class AddAppPassword extends Command {
 			return 1;
 		}
 
-		$output->writeln('<info>The password is not validated so what you provide is what gets recorded in the token</info>');
-
+		if (!$this->userManager->checkPassword($user->getUID(), $password)) {
+			$output->writeln('<error>The provided password is invalid</error>');
+			return 1;
+		}
 
 		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 		$generatedToken = $this->tokenProvider->generateToken(
-- 
cgit v1.2.3