fix(auth): Fix logging in with email, password and login name mismatch

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Christoph Wurst 4 months ago committed by backportbot[bot]
parent 529b3d068f
commit 21943d2cee

@ -459,7 +459,8 @@ class Session implements IUserSession, Emitter {
if ($isTokenPassword) {
$dbToken = $this->tokenProvider->getToken($password);
$userFromToken = $this->manager->get($dbToken->getUID());
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
} else {
$users = $this->manager->getByEmail($user);
$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
@ -798,18 +799,7 @@ class Session implements IUserSession, Emitter {
return false;
}
// Check if login names match
if (!is_null($user) && $dbToken->getLoginName() !== $user) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $dbToken->getLoginName(),
'sessionLoginName' => $user,
'app' => 'core',
'user' => $dbToken->getUID(),
]);
if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
return false;
}
@ -829,6 +819,27 @@ class Session implements IUserSession, Emitter {
return true;
}
/**
* Check if login names match
*/
private function validateTokenLoginName(?string $loginName, IToken $token): bool {
if ($token->getLoginName() !== $loginName) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $token->getLoginName(),
'sessionLoginName' => $loginName,
'app' => 'core',
'user' => $token->getUID(),
]);
return false;
}
return true;
}
/**
* Tries to login the user with auth token header
*
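Review bot: In the first hunk (around line 459), the rewritten assignment dereferences `$userFromToken` with no null guard; if `$this->manager->get()` can return null for a token whose uid no longer resolves to a user, the email-login path now fatals on `getEMailAddress()` instead of yielding a failed login, so guard it first, e.g. `$isValidEmailLogin = $userFromToken !== null && $userFromToken->getEMailAddress() === $user && $this->validateTokenLoginName($user, $dbToken);` (passing `$user` is equivalent, since the preceding `===` already established it equals the e-mail address). The new `validateTokenLoginName` helper should also carry a docblock stating its contract now that two call sites depend on it: the comparison is strict and case-sensitive, a `null` `$loginName` only matches a token with no stored login name, and a mismatch is logged at error level together with the caller-supplied name — something like `/** Returns true iff $loginName is byte-identical to the token's stored login name; a mismatch is logged as an error with both names and the token's uid. */`. Whether login names or e-mail addresses are case-normalized elsewhere (for instance by `getByEmail` in the else branch) is not visible here, so confirm that an exact comparison is what the e-mail path intends before relying on it. The methods enclosing the first two hunks start outside the shown lines.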
