draft to prevent the invalidation of pw based authn tokens on a pw less login

Signed-off-by: Tobias Assmann <tobias.assmann@ecsec.de>
3 years ago · ce834cbb55
parent 6990f2ff43
commit ce834cbb55
2 changed files with 10 additions and 0 deletions
--- a/lib/private/Authentication/Listeners/UserLoggedInListener.php
+++ b/lib/private/Authentication/Listeners/UserLoggedInListener.php
@ -48,6 +48,11 @@ class UserLoggedInListener implements IEventListener {
 			return;
 		}

+		// prevent setting an empty pw as result of pw-less-login
+		if ($event->getPassword()==='') {
+			return;
+		}
+
 		// If this is already a token login there is nothing to do
 		if ($event->isTokenLogin()) {
 			return;
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@ -413,6 +413,11 @@ class PublicKeyTokenProvider implements IProvider {
 	public function updatePasswords(string $uid, string $password) {
 		$this->cache->clear();

+		// prevent setting an empty pw as result of pw-less-login
+		if ($password==='') {
+			return;
+		}
+
 		// Update the password for all tokens
 		$tokens = $this->mapper->getTokenByUser($uid);
 		foreach ($tokens as $t) {