-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #43012 from nextcloud/backport/42971/stable28
[stable28] fix(auth): Fix logging in with email and app password
- Loading branch information
Showing
1 changed file
with
24 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -460,7 +460,8 @@ public function logClientIn($user, | |
| if ($isTokenPassword) { | ||
| $dbToken = $this->tokenProvider->getToken($password); | ||
| $userFromToken = $this->manager->get($dbToken->getUID()); | ||
| $isValidEmailLogin = $userFromToken->getEMailAddress() === $user; | ||
| $isValidEmailLogin = $userFromToken->getEMailAddress() === $user | ||
| && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken); | ||
| } else { | ||
| $users = $this->manager->getByEmail($user); | ||
| $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password)); | ||
|
|
@@ -800,18 +801,7 @@ private function validateToken($token, $user = null) { | |
| return false; | ||
| } | ||
|
|
||
| // Check if login names match | ||
| if (!is_null($user) && $dbToken->getLoginName() !== $user) { | ||
| // TODO: this makes it impossible to use different login names on browser and client | ||
| // e.g. login by e-mail '[email protected]' on browser for generating the token will not | ||
| // allow to use the client token with the login name 'user'. | ||
| $this->logger->error('App token login name does not match', [ | ||
| 'tokenLoginName' => $dbToken->getLoginName(), | ||
| 'sessionLoginName' => $user, | ||
| 'app' => 'core', | ||
| 'user' => $dbToken->getUID(), | ||
| ]); | ||
|
|
||
| if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) { | ||
| return false; | ||
| } | ||
|
|
||
|
|
@@ -831,6 +821,27 @@ private function validateToken($token, $user = null) { | |
| return true; | ||
| } | ||
|
|
||
| /** | ||
| * Check if login names match | ||
| */ | ||
| private function validateTokenLoginName(?string $loginName, IToken $token): bool { | ||
| if ($token->getLoginName() !== $loginName) { | ||
| // TODO: this makes it impossible to use different login names on browser and client | ||
| // e.g. login by e-mail '[email protected]' on browser for generating the token will not | ||
| // allow to use the client token with the login name 'user'. | ||
| $this->logger->error('App token login name does not match', [ | ||
| 'tokenLoginName' => $token->getLoginName(), | ||
| 'sessionLoginName' => $loginName, | ||
| 'app' => 'core', | ||
| 'user' => $token->getUID(), | ||
| ]); | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| return true; | ||
| } | ||
|
|
||
| /** | ||
| * Tries to login the user with auth token header | ||
| * | ||
|
|
||