diff options
author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2024-01-19 19:29:41 +0100 |
---|---|---|
committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2024-01-22 09:42:16 +0000 |
commit | 9606f11d0df8bc9563aea3ca79e28c7edcd44b7a (patch) | |
tree | 57d89c1edb066d8669a2f72bc9fb48055b4f0da4 | |
parent | 45a16bfdcde48ba0cde44f1f496ceb5f51a20ff7 (diff) |
fix(auth): Fix logging in with email, password and login name mismatchbackport/42971/stable25
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
[skip ci]
-rw-r--r-- | lib/private/User/Session.php | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index c953cf6cbb3..933810dabf9 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -460,7 +460,8 @@ class Session implements IUserSession, Emitter { if ($isTokenPassword) { $dbToken = $this->tokenProvider->getToken($password); $userFromToken = $this->manager->get($dbToken->getUID()); - $isValidEmailLogin = $userFromToken->getEMailAddress() === $user; + $isValidEmailLogin = $userFromToken->getEMailAddress() === $user + && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken); } else { $users = $this->manager->getByEmail($user); $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password)); @@ -820,6 +821,27 @@ class Session implements IUserSession, Emitter { } /** + * Check if login names match + */ + private function validateTokenLoginName(?string $loginName, IToken $token): bool { + if ($token->getLoginName() !== $loginName) { + // TODO: this makes it impossible to use different login names on browser and client + // e.g. login by e-mail 'user@example.com' on browser for generating the token will not + // allow to use the client token with the login name 'user'. + $this->logger->error('App token login name does not match', [ + 'tokenLoginName' => $token->getLoginName(), + 'sessionLoginName' => $loginName, + 'app' => 'core', + 'user' => $token->getUID(), + ]); + + return false; + } + + return true; + } + + /** * Tries to login the user with auth token header * * @param IRequest $request |