upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-22 17:31:10 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix(auth): Fix logging in with email, password and login name mismatch

Browse source 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
This commit is contained in:
Christoph Wurst 2024-01-19 19:29:41 +01:00 committed by backportbot[bot]
parent 9282aa900d
commit fdfd620757
1 changed files with 24 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
lib/private/User/Session.php
View file

@ -459,7 +459,8 @@ class Session implements IUserSession, Emitter {
if ($isTokenPassword) {
$dbToken = $this->tokenProvider->getToken($password);
$userFromToken = $this->manager->get($dbToken->getUID());
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
} else {
$users = $this->manager->getByEmail($user);
$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
@ -798,18 +799,7 @@ class Session implements IUserSession, Emitter {
return false;
}
// Check if login names match
if (!is_null($user) && $dbToken->getLoginName() !== $user) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $dbToken->getLoginName(),
'sessionLoginName' => $user,
'app' => 'core',
'user' => $dbToken->getUID(),
]);
if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
return false;
}
@ -829,6 +819,27 @@ class Session implements IUserSession, Emitter {
return true;
}
/**
* Check if login names match
*/
private function validateTokenLoginName(?string $loginName, IToken $token): bool {
if ($token->getLoginName() !== $loginName) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $token->getLoginName(),
'sessionLoginName' => $loginName,
'app' => 'core',
'user' => $token->getUID(),
]);
return false;
}
return true;
}
/**
* Tries to login the user with auth token header
*