fix(auth): Fix logging in with email, password and login name mismatch
Signed-off-by: Christoph Wurst <[email protected]>
ChristophWurst authored and backportbot[bot] committed Jan 22, 2024
1 parent 529b3d0 commit 21943d2
Showing 1 changed file with 24 additions and 13 deletions.
37 changes: 24 additions & 13 deletions lib/private/User/Session.php
Expand Up @@ -459,7 +459,8 @@ public function logClientIn($user,
if ($isTokenPassword) {
$dbToken = $this->tokenProvider->getToken($password);
$userFromToken = $this->manager->get($dbToken->getUID());
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
} else {
$users = $this->manager->getByEmail($user);
$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
Expand Down Expand Up @@ -798,18 +799,7 @@ private function validateToken($token, $user = null) {
return false;
}

// Check if login names match
if (!is_null($user) && $dbToken->getLoginName() !== $user) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail '[email protected]' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $dbToken->getLoginName(),
'sessionLoginName' => $user,
'app' => 'core',
'user' => $dbToken->getUID(),
]);

if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
return false;
}

Expand All @@ -829,6 +819,27 @@ private function validateToken($token, $user = null) {
return true;
}

/**
* Check if login names match
*/
private function validateTokenLoginName(?string $loginName, IToken $token): bool {
if ($token->getLoginName() !== $loginName) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail '[email protected]' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $token->getLoginName(),
'sessionLoginName' => $loginName,
'app' => 'core',
'user' => $token->getUID(),
]);

return false;
}

return true;
}

/**
* Tries to login the user with auth token header
*
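Review bot: The new `validateTokenLoginName` signature takes `?string $loginName`, yet neither caller can reach it with null — `validateToken` guards with `!is_null($user)` before the call, and `logClientIn` passes an address that has already compared `=== $user` — so a null argument would only ever log an `error` with `sessionLoginName => null` and return false; tightening it to `private function validateTokenLoginName(string $loginName, IToken $token): bool` makes that contract explicit. The one-line docblock should also state the side effect and result, e.g. `Check that the app token's stored login name matches the one presented; logs the mismatch and returns false otherwise`. The mismatch is presumably driven by client-supplied input (the login name comes from the request), so it is worth deciding whether `error` is the right level rather than `warning`, since every attempt to reuse a username-issued token via the e-mail address will now emit one. In the `logClientIn` hunk, passing `$user` instead of `$userFromToken->getEMailAddress()` as the first argument would be equivalent after the `=== $user` check and reads closer to the intent; that function continues outside the hunk.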
