loginController now emitting failedLogin hook after failed login attempts #28206
Conversation
core/Controller/LoginController.php
Outdated
This totally removes the capability to log in with the login name, right?
If someone is trying to log in with a uid, getByEmail does not return anything. If a user's uid is the same as another user's email, it creates a problem.
core/Controller/LoginController.php
Outdated
So login is enough, we no longer need to call checkPassword? Looks strange...
login also uses userManager's checkPassword internally, emitting the hook signal before and after checkPassword. IMHO we can trust login.
And please squash your commits, thx.

We are missing a login failed hook, right?

We can add a login failed hook to userSession's login method. However, I am not sure where else we should emit the login failed signal. For now, this change allows the use of the preLogin hook, and it is enough to start the security app. Should I work on the login failed hook?

Yes please, we shall keep the behavior.

We need that hook to log a failed login, or am I missing something?

IMHO, the login hook signal should be emitted from UserSession's login method. Since the failed login check is done by userManager's checkPassword method in our current password correction logic, we cannot emit any hook signal from userSession's login method on failed login attempts. Because of that, I removed the checkPassword methods and used userSession's login function.
lib/private/User/Session.php
Outdated
Shall we really expose the password?
I thought maybe it can be useful for some warning like "it is your previous password".
Should I change the password exposure? Still, I think it might be useful in fact.
I would not expose the password here. @Peter-Prochaska, objections?
As a user, I might have accidentally put in a password for an account of mine on some other site, so would rather not have it displayed/logged... anywhere.
Now the failed login hook is exposing only the username.

@DeepDiver1975 is this now acceptable for merging?

This introduced a regression which has now been fixed in #28450.
Description
There is an error in the logic of emitting the preLogin signal in the LoginController. UserSession's login function checks the password and emits the preLogin signal, but LoginController checks the password before UserSession and returns the view response without the hook signal on failed login attempts.
With this change, the unnecessary checkPassword calls are removed. The code is simplified and we now emit the preLogin hook also before failed login attempts.
Motivation and Context
The preLogin hook is not emitted on failed login attempts. This resolves the following issue:
owncloud-archive/security#1
How Has This Been Tested?
Unit tests are working
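The flow the PR describes, with the password check moved into the session's login so that a preLogin hook fires on every attempt and a failedLogin hook fires on a wrong password, carrying only the uid as settled in the review thread, as an added PHP illustration that is not ownCloud's code or this PR's diff. HookBus, UserBackend, Session, LoginController and FailureCounter are hypothetical stand-ins for the real hook emitter, user manager, user session and controller, and the single user record is constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the hook emitter: listeners subscribe to a signal
// name and receive the parameter array of each emission.
final class HookBus
{
    /** @var array<string, array<int, callable>> */
    private array $listeners = [];

    public function connect(string $signal, callable $listener): void
    {
        $this->listeners[$signal][] = $listener;
    }

    public function emit(string $signal, array $params): void
    {
        foreach ($this->listeners[$signal] ?? [] as $listener) {
            $listener($params);
        }
    }
}

// Hypothetical stand-in for the user manager; holds constructed sample data.
final class UserBackend
{
    /** @var array<string, string> uid => bcrypt hash */
    private array $users;
    private string $dummyHash;

    public function __construct()
    {
        $this->users = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT)];
        $this->dummyHash = password_hash('dummy', PASSWORD_BCRYPT);
    }

    public function checkPassword(string $uid, string $password): bool
    {
        $hash = $this->users[$uid] ?? null;
        if ($hash === null) {
            // Verify against a dummy hash so an unknown uid costs the same time.
            password_verify($password, $this->dummyHash);
            return false;
        }
        return password_verify($password, $hash);
    }
}

// The session owns the password check, so every attempt passes the hooks.
final class Session
{
    public function __construct(private HookBus $hooks, private UserBackend $backend) {}

    public function login(string $uid, string $password): bool
    {
        $this->hooks->emit('preLogin', ['uid' => $uid]);
        if (!$this->backend->checkPassword($uid, $password)) {
            // Only the uid is exposed: a mistyped password may belong elsewhere.
            $this->hooks->emit('failedLogin', ['uid' => $uid]);
            return false;
        }
        $this->hooks->emit('postLogin', ['uid' => $uid]);
        return true;
    }
}

// The controller no longer calls checkPassword itself; it only maps the result.
final class LoginController
{
    public function __construct(private Session $session) {}

    public function tryLogin(string $user, string $password): string
    {
        return $this->session->login($user, $password)
            ? 'redirect:/files'
            : 'view:login?failed=1';
    }
}

// Listener in the style of a brute-force protection app: counts failures per uid.
final class FailureCounter
{
    /** @var array<string, int> */
    public array $failures = [];
    public ?array $lastParams = null;

    public function onFailedLogin(array $params): void
    {
        $this->lastParams = $params;
        $this->failures[$params['uid']] = ($this->failures[$params['uid']] ?? 0) + 1;
    }
}

$hooks = new HookBus();
$counter = new FailureCounter();
$hooks->connect('failedLogin', [$counter, 'onFailedLogin']);
$controller = new LoginController(new Session($hooks, new UserBackend()));

echo $controller->tryLogin('alice', 'wrong password'), PHP_EOL;
echo $controller->tryLogin('alice', 'correct horse'), PHP_EOL;
echo $controller->tryLogin('bob', 'anything'), PHP_EOL;
var_dump($counter->failures);
// The hook payload never carries the submitted password.
var_dump(array_key_exists('password', $counter->lastParams ?? []));
```

Run it with the PHP CLI; the failed attempts for alice and bob are counted by the listener while the successful attempt is not, and the last hook payload contains only the uid key. Keeping the check inside the session is what makes the hook order reliable: a controller that checks the password first and returns early on failure, as the PR description notes, never reaches the hook at all.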