From 21943d2cee2b2ed994c81565fb0b9575ed0dbd67 Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@winzerhof-wurst.at>
Date: Fri, 19 Jan 2024 19:29:41 +0100
Subject: [PATCH] fix(auth): Fix logging in with email, password and login name
 mismatch

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
---
 lib/private/User/Session.php | 37 +++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index ed5064aa21ad0..b5e03761a900f 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -459,7 +459,8 @@ public function logClientIn($user,
 			if ($isTokenPassword) {
 				$dbToken = $this->tokenProvider->getToken($password);
 				$userFromToken = $this->manager->get($dbToken->getUID());
-				$isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
+				$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
+					&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
 			} else {
 				$users = $this->manager->getByEmail($user);
 				$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
@@ -798,18 +799,7 @@ private function validateToken($token, $user = null) {
 			return false;
 		}
 
-		// Check if login names match
-		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
-			// TODO: this makes it impossible to use different login names on browser and client
-			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
-			//      allow to use the client token with the login name 'user'.
-			$this->logger->error('App token login name does not match', [
-				'tokenLoginName' => $dbToken->getLoginName(),
-				'sessionLoginName' => $user,
-				'app' => 'core',
-				'user' => $dbToken->getUID(),
-			]);
-
+		if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
 			return false;
 		}
 
@@ -829,6 +819,27 @@ private function validateToken($token, $user = null) {
 		return true;
 	}
 
+	/**
+	 * Check if login names match
+	 */
+	private function validateTokenLoginName(?string $loginName, IToken $token): bool {
+		if ($token->getLoginName() !== $loginName) {
+			// TODO: this makes it impossible to use different login names on browser and client
+			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+			//      allow to use the client token with the login name 'user'.
+			$this->logger->error('App token login name does not match', [
+				'tokenLoginName' => $token->getLoginName(),
+				'sessionLoginName' => $loginName,
+				'app' => 'core',
+				'user' => $token->getUID(),
+			]);
+
+			return false;
+		}
+
+		return true;
+	}
+
 	/**
 	 * Tries to login the user with auth token header
 	 *