Skip to content

Commit

Permalink
Merge pull request #43012 from nextcloud/backport/42971/stable28
Browse files Browse the repository at this point in the history
[stable28] fix(auth): Fix logging in with email and app password
  • Loading branch information
blizzz authored Jan 22, 2024
2 parents dad03db + 0e3f680 commit 9398e90
Showing 1 changed file with 24 additions and 13 deletions.
37 changes: 24 additions & 13 deletions lib/private/User/Session.php
Original file line number Diff line number Diff line change
Expand Up @@ -460,7 +460,8 @@ public function logClientIn($user,
if ($isTokenPassword) {
$dbToken = $this->tokenProvider->getToken($password);
$userFromToken = $this->manager->get($dbToken->getUID());
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
} else {
$users = $this->manager->getByEmail($user);
$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
Expand Down Expand Up @@ -800,18 +801,7 @@ private function validateToken($token, $user = null) {
return false;
}

// Check if login names match
if (!is_null($user) && $dbToken->getLoginName() !== $user) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $dbToken->getLoginName(),
'sessionLoginName' => $user,
'app' => 'core',
'user' => $dbToken->getUID(),
]);

if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
return false;
}

Expand All @@ -831,6 +821,27 @@ private function validateToken($token, $user = null) {
return true;
}

/**
* Check if login names match
*/
private function validateTokenLoginName(?string $loginName, IToken $token): bool {
if ($token->getLoginName() !== $loginName) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $token->getLoginName(),
'sessionLoginName' => $loginName,
'app' => 'core',
'user' => $token->getUID(),
]);

return false;
}

return true;
}

/**
* Tries to login the user with auth token header
*
Expand Down

0 comments on commit 9398e90

Please sign in to comment.