
Fix: Match token login name by UID or e-mail address #50254

Status: Open. haffmans wants to merge 1 commit into base branch master.

Conversation


@haffmans haffmans commented Jan 18, 2025

Summary

With this change the login name gets matched against the token user's e-mail address in addition to the login name.

This fixes the web login flow of the app, where the session is based on the e-mail address but the token uses the UID.


@haffmans haffmans marked this pull request as draft January 18, 2025 10:58
With this change the login name gets matched against the token user's
e-mail address in addition to the login name.

This fixes the web login flow of the app, where the session is based on
the e-mail address but the token uses the UID.

Fixes nextcloud#44164

Signed-off-by: Wouter Haffmans <[email protected]>
@haffmans haffmans force-pushed the fix/session-validate-by-email-or-uid branch from 9e8f6b2 to c740144 Compare January 18, 2025 12:50
@haffmans haffmans marked this pull request as ready for review January 18, 2025 12:55
@kesselb kesselb added the 3. to review Waiting for reviews label Jan 19, 2025

@ChristophWurst ChristophWurst left a comment


I'm hesitant with this change, because it lifts some of the restrictions of #42971.

// allow to use the client token with the login name 'user'.
$tokenUser = $this->manager->get($token->getUID());
if (!is_null($tokenUser)) {
$tokenEmail = $tokenUser->getEMailAddress();
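Review bot: `$tokenUser->getEMailAddress()` can return null for an account that has no address on record, so `$tokenEmail` needs a null guard before it is compared with the login name; otherwise the comparison silently degrades to matching against an empty value. Independently of that, comparing the login name only against the token owner's own address does not establish that the address identifies exactly one account; resolving the login name through a lookup that returns the set of users carrying that address, and accepting the match only when that set contains exactly the token owner, would keep the check aligned with the uniqueness rule the regular login already enforces.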
Member

What seems missing here is any kind of safe guard to not allow an app token authentication when the email address is not unique. That constraint is used at the user login. You can use your email, but only if the email address is unique. If there are at least two people with the same email, the login will fail.
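The uniqueness rule described in the comment above, worked through as an added example (this is not code from the PR or from the Nextcloud code base): the login name is accepted when it equals the token owner's UID, or when it is an e-mail address that resolves to exactly one account and that account is the token owner. The `User` class, the in-memory `UserDirectory` and the sample accounts are constructed here for illustration and are assumptions, not Nextcloud APIs.

```php
<?php
declare(strict_types=1);

// Added example, not the PR's code. User and UserDirectory are stand-ins
// constructed for this illustration; a real deployment would query its
// user backend instead.
final class User {
    public function __construct(
        public readonly string $uid,
        public readonly ?string $email,
    ) {}
}

final class UserDirectory {
    /** @var array<string, User> keyed by UID */
    private array $users = [];

    public function add(User $user): void {
        $this->users[$user->uid] = $user;
    }

    public function get(string $uid): ?User {
        return $this->users[$uid] ?? null;
    }

    /** Case-insensitive lookup; returns every account using the address. */
    public function getByEmail(string $email): array {
        $needle = mb_strtolower(trim($email));
        return array_values(array_filter(
            $this->users,
            fn(User $u) => $u->email !== null && mb_strtolower($u->email) === $needle
        ));
    }
}

/**
 * Returns true when $loginName identifies the owner of the token ($tokenUid).
 *   1. Exact UID match always succeeds.
 *   2. Otherwise the login name is treated as an e-mail address and accepted
 *      only if exactly one account carries it and that account is the owner.
 */
function loginNameMatchesToken(UserDirectory $dir, string $tokenUid, string $loginName): bool {
    if ($loginName === $tokenUid) {
        return true;
    }
    $tokenUser = $dir->get($tokenUid);
    // Null guard: an owner without an address can never match by e-mail.
    if ($tokenUser === null || $tokenUser->email === null) {
        return false;
    }
    // Uniqueness guard: an address shared by several accounts never matches,
    // mirroring the rule the regular e-mail login applies.
    $owners = $dir->getByEmail($loginName);
    if (count($owners) !== 1) {
        return false;
    }
    return $owners[0]->uid === $tokenUid;
}

// Constructed sample accounts.
$dir = new UserDirectory();
$dir->add(new User('alice', 'alice@example.org'));
$dir->add(new User('bob', 'shared@example.org'));
$dir->add(new User('carol', 'shared@example.org'));
$dir->add(new User('dave', null));

// [token owner UID, login name presented, expected result]
$cases = [
    ['alice', 'alice', true],
    ['alice', 'Alice@Example.org', true],   // unique address, case-insensitive
    ['bob', 'bob', true],
    ['bob', 'shared@example.org', false],   // address shared with carol
    ['dave', 'dave@example.org', false],    // owner has no address on record
    ['alice', 'bob', false],                // someone else's UID
];
foreach ($cases as [$uid, $login, $expected]) {
    $got = loginNameMatchesToken($dir, $uid, $login);
    printf("%-6s %-20s %s\n", $uid, $login, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The lookup deliberately resolves the presented login name to the set of accounts using that address rather than comparing it with the owner's own address: that is what turns "the address belongs to the owner" into "the address belongs to the owner and nobody else", which is the property the ambiguous `shared@example.org` case exercises.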

Author

Thanks for the feedback, I indeed didn't consider that case. I'll take a further look later.


Successfully merging this pull request may close these issues.

[Bug]: After upgrade, App token login name does not match