fix(authentication): Update the token when the hash is null or can not be verified

nickvergessen · nickvergessen · commit 2fb4dac7adba · 2023-01-09T16:32:36.000+01:00
Signed-off-by: Joas Schilling &lt;coding@schilljs.com&gt;
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -448,9 +448,28 @@ public function updatePasswords(string $uid, string $password) {
 		// Update the password for all tokens
 		$tokens = $this->mapper->getTokenByUser($uid);
 		$newPasswordHash = null;
-		$verifiedHashes = [];
+
+		/**
+		 * - true: The password hash could not be verified anymore
+		 *     and the token needs to be updated with the newly encrypted password
+		 * - false: The hash could still be verified
+		 * - missing: The hash needs to be verified
+		 */
+		$hashNeedsUpdate = [];
+
 		foreach ($tokens as $t) {
-			if ($t->getPasswordHash() === null || !isset($verifiedHashes[$t->getPasswordHash()]) || !$this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
+			if (!isset($hashNeedsUpdate[$t->getPasswordHash()])) {
+				if ($t->getPasswordHash() === null) {
+					$hashNeedsUpdate[$t->getPasswordHash() ?: ''] = true;
+				} elseif (!$this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
+					$hashNeedsUpdate[$t->getPasswordHash() ?: ''] = true;
+				} else {
+					$hashNeedsUpdate[$t->getPasswordHash() ?: ''] = false;
+				}
+			}
+			$needsUpdating = $hashNeedsUpdate[$t->getPasswordHash() ?: ''] ?? true;
+
+			if ($needsUpdating) {
 				if ($newPasswordHash === null) {
 					$newPasswordHash = $this->hashPassword($password);
 				}
@@ -460,8 +479,6 @@ public function updatePasswords(string $uid, string $password) {
 				$t->setPasswordHash($newPasswordHash);
 				$t->setPasswordInvalid(false);
 				$this->updateToken($t);
-			} else {
-				$verifiedHashes[$t->getPasswordHash() ?: ''] = true;
 			}
 		}
 	}
