From 21943d2cee2b2ed994c81565fb0b9575ed0dbd67 Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Fri, 19 Jan 2024 19:29:41 +0100 Subject: [PATCH] fix(auth): Fix logging in with email, password and login name mismatch Signed-off-by: Christoph Wurst --- lib/private/User/Session.php | 37 +++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index ed5064aa21ad0..b5e03761a900f 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -459,7 +459,8 @@ public function logClientIn($user, if ($isTokenPassword) { $dbToken = $this->tokenProvider->getToken($password); $userFromToken = $this->manager->get($dbToken->getUID()); - $isValidEmailLogin = $userFromToken->getEMailAddress() === $user; + $isValidEmailLogin = $userFromToken->getEMailAddress() === $user + && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken); } else { $users = $this->manager->getByEmail($user); $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password)); @@ -798,18 +799,7 @@ private function validateToken($token, $user = null) { return false; } - // Check if login names match - if (!is_null($user) && $dbToken->getLoginName() !== $user) { - // TODO: this makes it impossible to use different login names on browser and client - // e.g. login by e-mail 'user@example.com' on browser for generating the token will not - // allow to use the client token with the login name 'user'. - $this->logger->error('App token login name does not match', [ - 'tokenLoginName' => $dbToken->getLoginName(), - 'sessionLoginName' => $user, - 'app' => 'core', - 'user' => $dbToken->getUID(), - ]); - + if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) { return false; } @@ -829,6 +819,27 @@ private function validateToken($token, $user = null) { return true; } + /** + * Check if login names match + */ + private function validateTokenLoginName(?string $loginName, IToken $token): bool { + if ($token->getLoginName() !== $loginName) { + // TODO: this makes it impossible to use different login names on browser and client + // e.g. login by e-mail 'user@example.com' on browser for generating the token will not + // allow to use the client token with the login name 'user'. + $this->logger->error('App token login name does not match', [ + 'tokenLoginName' => $token->getLoginName(), + 'sessionLoginName' => $loginName, + 'app' => 'core', + 'user' => $token->getUID(), + ]); + + return false; + } + + return true; + } + /** * Tries to login the user with auth token header *