draft to prevent the invalidation of pw based authn tokens on a pw le…

…ss login Signed-off-by: Tobias Assmann <[email protected]>
nextcloud · PVince81 · Oct 13, 2021 · Jul 9, 2021 · Jul 16, 2021 · Oct 8, 2021
commit 4fd1b09a600a90d37d8f0e6d7721e2a09b38f429
diff --git a/lib/private/Authentication/Listeners/UserLoggedInListener.php b/lib/private/Authentication/Listeners/UserLoggedInListener.php
@@ -49,6 +49,11 @@ public function handle(Event $event): void {
 			return;
 		}
 
+		// prevent setting an empty pw as result of pw-less-login
+		if ($event->getPassword()==='') {
+			return;
+		}
+
 		// If this is already a token login there is nothing to do
 		if ($event->isTokenLogin()) {
 			return;

diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -414,6 +414,11 @@ public function markPasswordInvalid(IToken $token, string $tokenId) {
 	public function updatePasswords(string $uid, string $password) {
 		$this->cache->clear();
 
+		// prevent setting an empty pw as result of pw-less-login
+		if ($password==='') {
+			return;
+		}
+
 		// Update the password for all tokens
 		$tokens = $this->mapper->getTokenByUser($uid);
 		foreach ($tokens as $t) {