add failedLogin hook to detect failed login attempts

owncloud · PVince81 · Aug 9, 2017 · Jun 24, 2017 · Jun 28, 2017 · Jul 13, 2017
commit f8e29401d04024ee4e6f5ae051383c431b6a0d00
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
@@ -3,6 +3,7 @@
  * @author Christoph Wurst <[email protected]>
  * @author Joas Schilling <[email protected]>
  * @author Lukas Reschke <[email protected]>
+ * @author Semih Serhat Karakaya <[email protected]>
  * @author Thomas Müller <[email protected]>
  *
  * @copyright Copyright (c) 2017, ownCloud GmbH
@@ -197,11 +198,16 @@ public function showLoginForm($user, $redirect_url, $remember_login) {
 	public function tryLogin($user, $password, $redirect_url) {
 		$originalUser = $user;
 		// TODO: Add all the insane error handling
-		$emailUsers = $this->userManager->getByEmail($user);
-		if (count($emailUsers) === 1) {
-			$user = $emailUsers[0]->getUID();
+		$loginResult = $this->userSession->login($user, $password);
+		if ($loginResult !== true) {
+			$users = $this->userManager->getByEmail($user);
+			// we only allow login by email if unique
+			if (count($users) === 1) {
+				$user = $users[0]->getUID();
+				$loginResult = $this->userSession->login($user, $password);
+			}
 		}
-		if ($this->userSession->login($user, $password) !== true) {
+		if ($loginResult !== true) {
 			$this->session->set('loginMessages', [
 				['invalidpassword'], []
 			]);

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -9,6 +9,7 @@
  * @author Morris Jobke <[email protected]>
  * @author Robin Appelman <[email protected]>
  * @author Robin McCorkell <[email protected]>
+ * @author Semih Serhat Karakaya <[email protected]>
  * @author Thomas Müller <[email protected]>
  * @author Vincent Petry <[email protected]>
  *
@@ -70,6 +71,7 @@
  * - postCreateUser(\OC\User\User $user)
  * - preLogin(string $user, string $password)
  * - postLogin(\OC\User\User $user, string $password)
+ * - failedLogin(string $user)
  * - preRememberedLogin(string $uid)
  * - postRememberedLogin(\OC\User\User $user)
  * - logout()
@@ -464,7 +466,7 @@ private function loginWithPassword($uid, $password) {
 		$this->manager->emit('\OC\User', 'preLogin', [$uid, $password]);
 		$user = $this->manager->checkPassword($uid, $password);
 		if ($user === false) {
-			// Password check failed
+			$this->manager->emit('\OC\User', 'failedLogin', [$uid]);
 			return false;
 		}
 

diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
@@ -1,6 +1,7 @@
 <?php
 /**
  * @author Lukas Reschke <[email protected]>
+ * @author Semih Serhat Karakaya <[email protected]>
  *
  * @copyright Copyright (c) 2016, ownCloud, Inc.
  * @license AGPL-3.0
@@ -444,9 +445,12 @@ public function testToNotLeakLoginName() {
 			->method('getUID')
 			->will($this->returnValue('john'));
 
-		$this->userSession->expects($this->once())
+		$this->userSession->expects($this->exactly(2))
 			->method('login')
-			->with('john', 'just wrong')
+			->withConsecutive(
+				['[email protected]', 'just wrong'],
+				['john', 'just wrong']
+			)
 			->willReturn(false);
 
 		$this->userManager->expects($this->once())