From c5bb19641c12757e2b11376ee431d2a941e98e3f Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 9 Jan 2023 15:13:08 +0100
Subject: fix(authentication): Invert the logic to the original intention

We need to store the new authentication details when the hash did **not** verify
the old password.

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 lib/private/Authentication/Token/PublicKeyTokenProvider.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'lib/private/Authentication/Token')

diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 651540f934a..adac86dd073 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -450,13 +450,14 @@ class PublicKeyTokenProvider implements IProvider {
 		$passwordHash = $this->hashPassword($password);
 		$verifiedHashes = [];
 		foreach ($tokens as $t) {
-			if ($t->getPasswordHash() === null || isset($verifiedHashes[$t->getPasswordHash()]) || $this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
-				$verifiedHashes[$t->getPasswordHash() ?: ''] = true;
+			if ($t->getPasswordHash() === null || !isset($verifiedHashes[$t->getPasswordHash()]) || !$this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
 				$publicKey = $t->getPublicKey();
 				$t->setPassword($this->encryptPassword($password, $publicKey));
 				$t->setPasswordHash($passwordHash);
 				$t->setPasswordInvalid(false);
 				$this->updateToken($t);
+			} else {
+				$verifiedHashes[$t->getPasswordHash() ?: ''] = true;
 			}
 		}
 	}
-- 
cgit v1.2.3