From 9dfd3544c25a71145903a491bab3eb3e21c74cf7 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Tue, 23 Jan 2018 09:41:44 +0100
Subject: [PATCH] Don't polute log when loggin into dav with email

* We first try the email as username but this fails
* Then we get the uid from the email and try again

We should not log the first attempt since it polutes the log with failed
login attempts while the login actually is valid.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 lib/private/Server.php       | 11 ++++++++++-
 lib/private/User/Session.php | 35 +++++++++++++++++++++++------------
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/lib/private/Server.php b/lib/private/Server.php
index 4a851d67226..c84780c4fb2 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -355,7 +355,16 @@ class Server extends ServerContainer implements IServerContainer {
 
 			$dispatcher = $c->getEventDispatcher();
 
-			$userSession = new \OC\User\Session($manager, $session, $timeFactory, $defaultTokenProvider, $c->getConfig(), $c->getSecureRandom(), $c->getLockdownManager());
+			$userSession = new \OC\User\Session(
+				$manager,
+				$session,
+				$timeFactory,
+				$defaultTokenProvider,
+				$c->getConfig(),
+				$c->getSecureRandom(),
+				$c->getLockdownManager(),
+				$c->getLogger()
+			);
 			$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
 				\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
 			});
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 19b303e46ea..5fcb83dc443 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -51,6 +51,7 @@ use OCA\DAV\Connector\Sabre\Auth;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Files\NotPermittedException;
 use OCP\IConfig;
+use OCP\ILogger;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUser;
@@ -107,6 +108,9 @@ class Session implements IUserSession, Emitter {
 	/** @var ILockdownManager  */
 	private $lockdownManager;
 
+	/** @var ILogger */
+	private $logger;
+
 	/**
 	 * @param IUserManager $manager
 	 * @param ISession $session
@@ -115,6 +119,7 @@ class Session implements IUserSession, Emitter {
 	 * @param IConfig $config
 	 * @param ISecureRandom $random
 	 * @param ILockdownManager $lockdownManager
+	 * @param ILogger $logger
 	 */
 	public function __construct(IUserManager $manager,
 								ISession $session,
@@ -122,8 +127,8 @@ class Session implements IUserSession, Emitter {
 								$tokenProvider,
 								IConfig $config,
 								ISecureRandom $random,
-								ILockdownManager $lockdownManager
-	) {
+								ILockdownManager $lockdownManager,
+								ILogger $logger) {
 		$this->manager = $manager;
 		$this->session = $session;
 		$this->timeFactory = $timeFactory;
@@ -131,6 +136,7 @@ class Session implements IUserSession, Emitter {
 		$this->config = $config;
 		$this->random = $random;
 		$this->lockdownManager = $lockdownManager;
+		$this->logger = $logger;
 	}
 
 	/**
@@ -400,17 +406,22 @@ class Session implements IUserSession, Emitter {
 		if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
 			throw new PasswordLoginForbiddenException();
 		}
-		if (!$this->login($user, $password) ) {
-			$users = $this->manager->getByEmail($user);
-			if (count($users) === 1) {
-				return $this->login($users[0]->getUID(), $password);
-			}
 
-			$throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
-			if($currentDelay === 0) {
-				$throttler->sleepDelay($request->getRemoteAddress(), 'login');
+		// Try to login with this username and password
+		if (!$this->login($user, $password) ) {
+
+			// Failed, maybe the user used their email address
+			$users = $this->manager->getByEmail($user);
+			if (!(\count($users) === 1 && $this->login($users[0]->getUID(), $password))) {
+
+				$this->logger->warning('Login failed: \'' . $user . '\' (Remote IP: \'' . \OC::$server->getRequest()->getRemoteAddress() . '\')', ['app' => 'core']);
+
+				$throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
+				if ($currentDelay === 0) {
+					$throttler->sleepDelay($request->getRemoteAddress(), 'login');
+				}
+				return false;
 			}
-			return false;
 		}
 
 		if ($isTokenPassword) {
@@ -544,7 +555,7 @@ class Session implements IUserSession, Emitter {
 	 * @throws LoginException if an app canceld the login process or the user is not enabled
 	 */
 	private function loginWithPassword($uid, $password) {
-		$user = $this->manager->checkPassword($uid, $password);
+		$user = $this->manager->checkPasswordNoLogging($uid, $password);
 		if ($user === false) {
 			// Password check failed
 			return false;