Merge pull request #42971 from nextcloud/fix/auth/login-email-password-login-name-mismatch

ChristophWurst · web-flow · commit 03774ad77c64 · 2024-01-22T10:41:48.000+01:00
fix(auth): Fix logging in with email and app password
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -460,7 +460,8 @@ public function logClientIn($user,
 			if ($isTokenPassword) {
 				$dbToken = $this->tokenProvider->getToken($password);
 				$userFromToken = $this->manager->get($dbToken->getUID());
-				$isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
+				$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
+					&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
 			} else {
 				$users = $this->manager->getByEmail($user);
 				$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
@@ -800,18 +801,7 @@ private function validateToken($token, $user = null) {
 			return false;
 		}
 
-		// Check if login names match
-		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
-			// TODO: this makes it impossible to use different login names on browser and client
-			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
-			//      allow to use the client token with the login name 'user'.
-			$this->logger->error('App token login name does not match', [
-				'tokenLoginName' => $dbToken->getLoginName(),
-				'sessionLoginName' => $user,
-				'app' => 'core',
-				'user' => $dbToken->getUID(),
-			]);
-
+		if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
 			return false;
 		}
 
@@ -831,6 +821,27 @@ private function validateToken($token, $user = null) {
 		return true;
 	}
 
+	/**
+	 * Check if login names match
+	 */
+	private function validateTokenLoginName(?string $loginName, IToken $token): bool {
+		if ($token->getLoginName() !== $loginName) {
+			// TODO: this makes it impossible to use different login names on browser and client
+			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+			//      allow to use the client token with the login name 'user'.
+			$this->logger->error('App token login name does not match', [
+				'tokenLoginName' => $token->getLoginName(),
+				'sessionLoginName' => $loginName,
+				'app' => 'core',
+				'user' => $token->getUID(),
+			]);
+
+			return false;
+		}
+
+		return true;
+	}
+
 	/**
 	 * Tries to login the user with auth token header
 	 *
