
@haffmans haffmans commented Jan 18, 2025

Summary

With these changes the login name gets matched against the token user's e-mail address in addition to the login name.

This fixes the web login flow of the app, where the session is based on the e-mail address but the token uses the UID.

TODO

Checklist

@haffmans haffmans marked this pull request as draft January 18, 2025 10:58
With these changes the login name gets matched against the token user's
e-mail address in addition to the login name.

This fixes the web login flow of the app, where the session is based on
the e-mail address but the token uses the UID.

Fixes nextcloud#44164

Signed-off-by: Wouter Haffmans <[email protected]>
@haffmans haffmans force-pushed the fix/session-validate-by-email-or-uid branch from 9e8f6b2 to c740144 Compare January 18, 2025 12:50
@haffmans haffmans marked this pull request as ready for review January 18, 2025 12:55
@kesselb kesselb added the 3. to review Waiting for reviews label Jan 19, 2025
@ChristophWurst ChristophWurst (Member) left a comment

I'm hesitant with this change, because it lifts some of the restrictions of #42971.

```php
// allow to use the client token with the login name 'user'.
$tokenUser = $this->manager->get($token->getUID());
if (!is_null($tokenUser)) {
	$tokenEmail = $tokenUser->getEMailAddress();
```
Member:

What seems missing here is any kind of safeguard to not allow an app token authentication when the email address is not unique. That constraint is used at the user login. You can use your email, but only if the email address is unique. If there are at least two people with the same email, the login will fail.

Author:

Thanks for the feedback, I indeed didn't consider that case. I'll take a further look later.
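The matching rule the PR summary describes (login name may be the token's UID or the token user's e-mail address), combined with the uniqueness safeguard the review above asks for, as an added example that is not the PR's own code and not Nextcloud's. It assumes only two lookups on the user manager, `get(uid)` and `getByEmail(email)`, named after the corresponding `OCP\IUserManager` methods, and replaces the real manager with a constructed in-memory stand-in so it runs without a Nextcloud install; the accounts and e-mail addresses are constructed, and e-mail comparison is exact (case handling is left out for brevity).

```php
<?php
declare(strict_types=1);

// Added example, not the PR's code: guard the e-mail fallback for app-token
// login names so it only succeeds when the address identifies exactly one
// account, mirroring the uniqueness rule of the password login flow.

final class User {
    public function __construct(public string $uid, public ?string $email) {}
}

// Constructed stand-in for OCP\IUserManager with only the two lookups the
// check needs: get(uid) and getByEmail(email).
final class InMemoryUserManager {
    /** @var array<string, User> keyed by uid */
    private array $users = [];

    public function add(User $user): void {
        $this->users[$user->uid] = $user;
    }

    public function get(string $uid): ?User {
        return $this->users[$uid] ?? null;
    }

    /** @return User[] every account whose e-mail matches (may be more than one) */
    public function getByEmail(string $email): array {
        return array_values(array_filter(
            $this->users,
            fn (User $u): bool => $u->email === $email
        ));
    }
}

/**
 * Decide whether $loginName may be used with an app token issued to $tokenUid.
 * Accepts the UID itself, or the account's e-mail address, but the e-mail
 * path is taken only when that address resolves to exactly one account.
 */
function loginNameMatchesToken(InMemoryUserManager $manager, string $loginName, string $tokenUid): bool {
    if ($loginName === $tokenUid) {
        return true;
    }

    $tokenUser = $manager->get($tokenUid);
    if ($tokenUser === null || $tokenUser->email === null) {
        return false;
    }
    if ($loginName !== $tokenUser->email) {
        return false;
    }

    // Safeguard: the address must be unique. If two accounts share it, a
    // login name alone no longer identifies which account the token belongs
    // to, so the e-mail fallback is refused just as the password login is.
    return count($manager->getByEmail($loginName)) === 1;
}

// Constructed sample accounts, including a duplicated e-mail address.
$manager = new InMemoryUserManager();
$manager->add(new User('alice', 'alice@example.com'));
$manager->add(new User('bob', 'shared@example.com'));
$manager->add(new User('bob2', 'shared@example.com'));

var_dump(loginNameMatchesToken($manager, 'alice', 'alice'));              // login name is the UID
var_dump(loginNameMatchesToken($manager, 'alice@example.com', 'alice'));  // unique e-mail of the token user
var_dump(loginNameMatchesToken($manager, 'shared@example.com', 'bob'));   // e-mail shared by bob and bob2
var_dump(loginNameMatchesToken($manager, 'alice@example.com', 'bob'));    // e-mail belongs to another account
```

Only the last step differs from the snippet under review: after the login name has been matched against the token user's address, the address is looked up again and the match is rejected unless exactly one account carries it, which is the same check the password login applies before accepting an e-mail as a login name.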

github-actions bot commented Feb 2, 2025

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@susnux susnux added this to the Nextcloud 32 milestone Mar 2, 2025
This was referenced Aug 22, 2025
This was referenced Sep 2, 2025
This was referenced Sep 25, 2025
@skjnldsv skjnldsv modified the milestones: Nextcloud 32, Nextcloud 33 Sep 28, 2025

Successfully merging this pull request may close these issues.

[Bug]: After upgrade, App token login name does not match

6 participants