Merge pull request #25225 from nextcloud/backport/24600/stable20

MorrisJobke · web-flow · commit 1dcfab0d7647 · 2021-01-20T14:57:48.000+01:00
[stable20] Update handling of user credentials
diff --git a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
@@ -79,6 +79,11 @@ private function getCredentials(IUser $user): array {
 			try {
 				$sessionCredentials = $this->credentialsStore->getLoginCredentials();
 
+				if ($sessionCredentials->getUID() !== $user->getUID()) {
+					// Can't take the credentials from the session as they are not the same user
+					throw new CredentialsUnavailableException();
+				}
+
 				$credentials = [
 					'user' => $sessionCredentials->getLoginName(),
 					'password' => $sessionCredentials->getPassword()
diff --git a/apps/files_external/lib/Listener/StorePasswordListener.php b/apps/files_external/lib/Listener/StorePasswordListener.php
@@ -51,10 +51,14 @@ public function handle(Event $event): void {
 		}
 
 		$stored = $this->credentialsManager->retrieve($event->getUser()->getUID(), LoginCredentials::CREDENTIALS_IDENTIFIER);
+		$update = isset($stored['password']) && $stored['password'] !== $event->getPassword();
+		if (!$update && $event instanceof UserLoggedInEvent) {
+			$update = isset($stored['user']) && $stored['user'] !== $event->getLoginName();
+		}
 
-		if ($stored && $stored['password'] !== $event->getPassword()) {
+		if ($stored && $update) {
 			$credentials = [
-				'user' => $stored['user'],
+				'user' => $event->getLoginName(),
 				'password' => $event->getPassword()
 			];
 
diff --git a/lib/private/Server.php b/lib/private/Server.php
@@ -569,7 +569,7 @@ public function __construct($webRoot, \OC\Config $config) {
 
 				/** @var IEventDispatcher $dispatcher */
 				$dispatcher = $this->query(IEventDispatcher::class);
-				$dispatcher->dispatchTyped(new UserLoggedInEvent($user, $password, $isTokenLogin));
+				$dispatcher->dispatchTyped(new UserLoggedInEvent($user, $loginName, $password, $isTokenLogin));
 			});
 			$userSession->listen('\OC\User', 'preRememberedLogin', function ($uid) {
 				/** @var IEventDispatcher $dispatcher */
diff --git a/lib/public/User/Events/UserLoggedInEvent.php b/lib/public/User/Events/UserLoggedInEvent.php
@@ -43,14 +43,18 @@ class UserLoggedInEvent extends Event {
 	/** @var bool */
 	private $isTokenLogin;
 
+	/** @var string */
+	private $loginName;
+
 	/**
 	 * @since 18.0.0
 	 */
-	public function __construct(IUser $user, string $password, bool $isTokenLogin) {
+	public function __construct(IUser $user, string $loginName, string $password, bool $isTokenLogin) {
 		parent::__construct();
 		$this->user = $user;
 		$this->password = $password;
 		$this->isTokenLogin = $isTokenLogin;
+		$this->loginName = $loginName;
 	}
 
 	/**
@@ -60,6 +64,13 @@ public function getUser(): IUser {
 		return $this->user;
 	}
 
+	/**
+	 * @since 21.0.0
+	 */
+	public function getLoginName(): string {
+		return $this->loginName;
+	}
+
 	/**
 	 * @since 18.0.0
 	 */
