fix(auth): Fix logging in with email and app password#42971
ChristophWurst merged 1 commit into master from
Conversation
Signed-off-by: Christoph Wurst <[email protected]>
Weirdly enough that is not possible anymore. If I log in using email+password on web, any generated app token receives my user's UID as login name, not the email address. This is another regression.
That has even been the case since #15365. I guess sessions with email login names are not possible unless it's ldap.
/backport to stable28
/backport to stable27
/backport to stable26
/backport to stable25
IIRC we have a questionable design where mail login is attempted independent of the user backends. The LDAP backend passes on the provided login name, and by configuration it could be compared against a user id, email, both, or other attributes as well.
nickvergessen left a comment
LGTM and login using the email still works for me, but didn't test with app passwords.
mysql killed after 1h. rest passed.
Summary
Logging in with email and app password is only allowed if the token was created in a web session authenticated with the email. That's because Nextcloud enforces the login name to match when logging in with an app password.
`\OCA\DAV\Connector\Sabre\Auth::validateUserPass` calls `\OC\User\Session::logClientIn`, which tries to log in with `\OC\User\Session::login`, which validates the token. Because of the login name mismatch login "fails". Yet `\OC\User\Session::logClientIn` continues the email login fallback. Since #42651 there is a shortcut to not do a second login. But the return value indicates a successful login that never happened.
Tested
Checklist
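To make the flow described in the summary concrete, here is an added, hypothetical PHP model of the login-name check on app-password logins and the email-login fallback. It is not Nextcloud code and not part of this PR: the class and method names (`AppToken`, `UserSession`, `loginWithToken`, `loginWithEmailFallback`, `logClientInBuggy`, `logClientInFixed`), the in-memory token and email maps, and the sample data are assumptions chosen to mirror the described behaviour. The "fixed" variant simply lets the return value follow the fallback's real outcome; whether the merged change does exactly that is not stated on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical, simplified model of the flow in the PR summary: an app
// password (token) only authenticates when the login name it was created
// with matches the login name presented, and an email login falls back to
// the user's UID. Names here are assumptions, not Nextcloud's actual API.

final class AppToken {
    public function __construct(
        public readonly string $loginName, // login name used when the token was generated
        public readonly string $uid,       // user the token belongs to
    ) {
    }
}

final class UserSession {
    public ?string $loggedInUid = null;

    /**
     * @param array<string, AppToken> $tokens app-password secret => token (constructed sample data)
     * @param array<string, string>   $emails email => uid (constructed sample data)
     */
    public function __construct(private array $tokens, private array $emails) {
    }

    /** Token login: succeeds only if the secret is known AND its login name matches. */
    private function loginWithToken(string $loginName, string $secret): bool {
        $token = $this->tokens[$secret] ?? null;
        if ($token === null || !hash_equals($token->loginName, $loginName)) {
            return false; // unknown token, or a token created for a different login name
        }
        $this->loggedInUid = $token->uid;
        return true;
    }

    /** Email fallback: map the email to a UID and retry the token login with that name. */
    private function loginWithEmailFallback(string $email, string $secret): bool {
        $uid = $this->emails[$email] ?? null;
        return $uid !== null && $this->loginWithToken($uid, $secret);
    }

    /** Models the shortcut that skips the second login but still reports success. */
    public function logClientInBuggy(string $loginName, string $secret): bool {
        if ($this->loginWithToken($loginName, $secret)) {
            return true;
        }
        if (isset($this->tokens[$secret])) {
            // Shortcut: the password is an app token, so do not attempt a second login.
            return true; // BUG: no session was established, yet the caller sees "success"
        }
        return $this->loginWithEmailFallback($loginName, $secret);
    }

    /** The return value always reflects whether a session was actually established. */
    public function logClientInFixed(string $loginName, string $secret): bool {
        if ($this->loginWithToken($loginName, $secret)) {
            return true;
        }
        return $this->loginWithEmailFallback($loginName, $secret);
    }
}

// Constructed sample data: a token generated in a web session that was logged in by UID,
// so the token carries the UID as its login name, not the email address.
$tokens = ['app-pass-1' => new AppToken(loginName: 'alice', uid: 'alice')];
$emails = ['alice@example.com' => 'alice'];

$buggy = new UserSession($tokens, $emails);
$ok = $buggy->logClientInBuggy('alice@example.com', 'app-pass-1');
printf("buggy: returned %s, session uid = %s\n", var_export($ok, true), var_export($buggy->loggedInUid, true));

$fixed = new UserSession($tokens, $emails);
$ok = $fixed->logClientInFixed('alice@example.com', 'app-pass-1');
printf("fixed: returned %s, session uid = %s\n", var_export($ok, true), var_export($fixed->loggedInUid, true));

// A token created for a different login name never authenticates this caller.
$other = new UserSession($tokens, $emails);
var_dump($other->logClientInFixed('mallory', 'app-pass-1'));
```

Run with `php example.php` (PHP 8.1 or newer for the readonly promoted properties). The buggy variant returns true for email plus app password while `loggedInUid` stays null, which is the "successful login that never happened" the summary describes; the fixed variant only returns true after the fallback has actually matched the token against the resolved UID, and the mismatched-login-name case returns false in both variants' token check.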