From 9964198a93750b1e54cd3e642b8b466cfbcb8553 Mon Sep 17 00:00:00 2001
From: Git'Fellow <12234510+solracsf@users.noreply.github.com>
Date: Fri, 17 Oct 2025 12:19:51 +0200
Subject: [PATCH] fix(session): Ensure token and UID are valid

Wrap token retrieval in try-catch to handle InvalidTokenException.

Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
---
 lib/private/User/Session.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index e7bfcf56407..65caf26aa5b 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -411,8 +411,19 @@ class Session implements IUserSession, Emitter {
  }
 
  if ($isTokenPassword) {
- $dbToken = $this->tokenProvider->getToken($password);
+ try {
+ $dbToken = $this->tokenProvider->getToken($password);
+ } catch (InvalidTokenException $ex) {
+ $this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password);
+ return false;
+ }
+
  $userFromToken = $this->manager->get($dbToken->getUID());
+ if ($userFromToken === null) {
+ $this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password);
+ return false;
+ }
+
  $isValidEmailLogin = $userFromToken->getEMailAddress() === $user
  && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
  } else {
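Review bot: Both new failure branches discard the reason for the failure: `$ex` is caught and never used, and a token whose UID no longer resolves to a user goes through the same `handleLoginFailed()` call as a wrong password. An orphaned token is a stale credential worth surfacing, so I would log it before returning, e.g. `$this->logger->warning('App token references a missing user', ['tokenId' => $dbToken->getId()]);` (assuming the class has a logger in scope; log the token id, never the token value held in `$password`). Catching `InvalidTokenException` also covers any subclass the provider may throw, so please confirm that counting those cases as throttled failed logins is intended. The enclosing method starts and ends outside the hunk, and the diffstat shows no test covering either new branch.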