From 3c4feff028ab87b57a29e5771cde8ba6c5b7e4b0 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Sat, 18 Jan 2025 16:28:23 +0100 Subject: fix: Move login via email logic to local backend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backends can decide which names they accept for login, e.g. with user_ldap you can configure arbitrary login fields. This was a hacky approach to allow login via email, so instead this is now only handled by the local user backend. This also fixes some other related problems: Other logic relys on `backend::get()` which was not handling email, so e.g. password policy could not block users logged in via email if they use out-dated passwords. Similar for other integrations, as the user backend was not consistent with what is a login name and what not. Co-authored-by: Ferdinand Thiessen Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Ferdinand Thiessen --- lib/private/Authentication/Login/Chain.php | 2 - .../Authentication/Login/EmailLoginCommand.php | 53 ---------------------- 2 files changed, 55 deletions(-) delete mode 100644 lib/private/Authentication/Login/EmailLoginCommand.php (limited to 'lib/private/Authentication') diff --git a/lib/private/Authentication/Login/Chain.php b/lib/private/Authentication/Login/Chain.php index 09030a154a6..fc90d9225a7 100644 --- a/lib/private/Authentication/Login/Chain.php +++ b/lib/private/Authentication/Login/Chain.php @@ -13,7 +13,6 @@ class Chain { private PreLoginHookCommand $preLoginHookCommand, private UserDisabledCheckCommand $userDisabledCheckCommand, private UidLoginCommand $uidLoginCommand, - private EmailLoginCommand $emailLoginCommand, private LoggedInCheckCommand $loggedInCheckCommand, private CompleteLoginCommand $completeLoginCommand, private CreateSessionTokenCommand $createSessionTokenCommand, @@ -31,7 +30,6 @@ class Chain { $chain ->setNext($this->userDisabledCheckCommand) ->setNext($this->uidLoginCommand) - ->setNext($this->emailLoginCommand) ->setNext($this->loggedInCheckCommand) ->setNext($this->completeLoginCommand) ->setNext($this->flowV2EphemeralSessionsCommand) diff --git a/lib/private/Authentication/Login/EmailLoginCommand.php b/lib/private/Authentication/Login/EmailLoginCommand.php deleted file mode 100644 index 96cb39277fd..00000000000 --- a/lib/private/Authentication/Login/EmailLoginCommand.php +++ /dev/null @@ -1,53 +0,0 @@ -userManager = $userManager; - } - - public function process(LoginData $loginData): LoginResult { - if ($loginData->getUser() === false) { - if (!filter_var($loginData->getUsername(), FILTER_VALIDATE_EMAIL)) { - return $this->processNextOrFinishSuccessfully($loginData); - } - - $users = $this->userManager->getByEmail($loginData->getUsername()); - // we only allow login by email if unique - if (count($users) === 1) { - // FIXME: This is a workaround to still stick to configured LDAP login filters - // this can be removed once the email login is properly implemented in the local user backend - // as described in https://github.com/nextcloud/server/issues/5221 - if ($users[0]->getBackendClassName() === 'LDAP') { - return $this->processNextOrFinishSuccessfully($loginData); - } - - $username = $users[0]->getUID(); - if ($username !== $loginData->getUsername()) { - $user = $this->userManager->checkPassword( - $username, - $loginData->getPassword() - ); - if ($user !== false) { - $loginData->setUser($user); - $loginData->setUsername($username); - } - } - } - } - - return $this->processNextOrFinishSuccessfully($loginData); - } -} -- cgit v1.2.3