From 76367c5c38c59404a6a99ff4b5b489fa4c39373d Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 17 Dec 2020 11:46:57 +0100 Subject: [PATCH 1/4] Don't save credentials of another user Signed-off-by: Joas Schilling --- .../lib/Lib/Auth/Password/LoginCredentials.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php index 6bf6b61f16..b8279f5ca6 100644 --- a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php +++ b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php @@ -79,6 +79,11 @@ class LoginCredentials extends AuthMechanism { try { $sessionCredentials = $this->credentialsStore->getLoginCredentials(); + if ($sessionCredentials->getUID() !== $user->getUID()) { + // Can't take the credentials from the session as they are not the same user + throw new CredentialsUnavailableException(); + } + $credentials = [ 'user' => $sessionCredentials->getLoginName(), 'password' => $sessionCredentials->getPassword() From 831c807eafa7887eb7072513b4413b8c2a8d102b Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 17 Dec 2020 11:47:17 +0100 Subject: [PATCH 2/4] Also fix the username when it changed Signed-off-by: Joas Schilling --- apps/files_external/lib/Listener/StorePasswordListener.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apps/files_external/lib/Listener/StorePasswordListener.php b/apps/files_external/lib/Listener/StorePasswordListener.php index 3212f2a48c..f1683af2ec 100644 --- a/apps/files_external/lib/Listener/StorePasswordListener.php +++ b/apps/files_external/lib/Listener/StorePasswordListener.php 
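Review bot: The new UID comparison throws inside the `try` that wraps `getLoginCredentials()`, so a mismatch is handled by whatever `catch` follows below the hunk rather than surfacing as its own failure; that is presumably the intended fallback, but the comment should say so rather than only describing the condition, e.g. `// Session credentials belong to a different user than $user; treat them as unavailable, same fallback as when no session credentials exist`. The enclosing method and its catch block start and end outside the hunk, so I cannot confirm from here that CredentialsUnavailableException is what the catch expects.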
@@ -52,9 +52,10 @@ class StorePasswordListener implements IEventListener { $stored = $this->credentialsManager->retrieve($event->getUser()->getUID(), LoginCredentials::CREDENTIALS_IDENTIFIER); - if ($stored && $stored['password'] !== $event->getPassword()) { + if ($stored && ($stored['user'] !== $event->getUser()->getUID() + || $stored['password'] !== $event->getPassword())) { $credentials = [ - 'user' => $stored['user'], + 'user' => $event->getUser()->getUID(), 'password' => $event->getPassword() ]; From 6c1e294edd7389c8ecffdd2ead2534bf9972c64f Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 18 Dec 2020 14:46:41 +0100 Subject: [PATCH 3/4] Compare and store the login name via the event Signed-off-by: Joas Schilling --- .../lib/Listener/StorePasswordListener.php | 9 ++++++--- lib/private/Server.php | 2 +- lib/public/User/Events/UserLoggedInEvent.php | 13 ++++++++++++- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/apps/files_external/lib/Listener/StorePasswordListener.php b/apps/files_external/lib/Listener/StorePasswordListener.php index f1683af2ec..a2c359e58d 100644 --- a/apps/files_external/lib/Listener/StorePasswordListener.php +++ b/apps/files_external/lib/Listener/StorePasswordListener.php @@ -51,11 +51,14 @@ class StorePasswordListener implements IEventListener { } $stored = $this->credentialsManager->retrieve($event->getUser()->getUID(), LoginCredentials::CREDENTIALS_IDENTIFIER); + $update = $stored['password'] !== $event->getPassword(); + if (!$update && $event instanceof UserLoggedInEvent) { + $update = $stored['user'] !== $event->getLoginName(); + } - if ($stored && ($stored['user'] !== $event->getUser()->getUID() - || $stored['password'] !== $event->getPassword())) { + if ($stored && $update) { $credentials = [ - 'user' => $event->getUser()->getUID(), + 'user' => $event->getLoginName(), 'password' => $event->getPassword() ]; diff --git a/lib/private/Server.php b/lib/private/Server.php index 1114e60f47..ba95416579 100644 
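Review bot: In the third patch's hunk, `'user' => $event->getLoginName()` in the rebuilt credentials array is evaluated on every update, but the `instanceof UserLoggedInEvent` guard a few lines above implies the listener also receives events that do not expose `getLoginName()`; for such an event carrying a changed password this becomes a call to an undefined method. Guard the array the same way, e.g. `'user' => $event instanceof UserLoggedInEvent ? $event->getLoginName() : $stored['user'],` so a password-only event keeps the stored login name. The handler's signature and the rest of the method are outside the hunk, so which other event types reach it is inferred from the guard rather than visible.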
--- a/lib/private/Server.php +++ b/lib/private/Server.php @@ -575,7 +575,7 @@ class Server extends ServerContainer implements IServerContainer { /** @var IEventDispatcher $dispatcher */ $dispatcher = $this->get(IEventDispatcher::class); - $dispatcher->dispatchTyped(new UserLoggedInEvent($user, $password, $isTokenLogin)); + $dispatcher->dispatchTyped(new UserLoggedInEvent($user, $loginName, $password, $isTokenLogin)); }); $userSession->listen('\OC\User', 'preRememberedLogin', function ($uid) { /** @var IEventDispatcher $dispatcher */ diff --git a/lib/public/User/Events/UserLoggedInEvent.php b/lib/public/User/Events/UserLoggedInEvent.php index e2cb37a64d..7d0c0bf41d 100644 --- a/lib/public/User/Events/UserLoggedInEvent.php +++ b/lib/public/User/Events/UserLoggedInEvent.php @@ -43,14 +43,18 @@ class UserLoggedInEvent extends Event { /** @var bool */ private $isTokenLogin; + /** @var string */ + private $loginName; + /** * @since 18.0.0 */ - public function __construct(IUser $user, string $password, bool $isTokenLogin) { + public function __construct(IUser $user, string $loginName, string $password, bool $isTokenLogin) { parent::__construct(); $this->user = $user; $this->password = $password; $this->isTokenLogin = $isTokenLogin; + $this->loginName = $loginName; } /** @@ -60,6 +64,13 @@ class UserLoggedInEvent extends Event { return $this->user; } + /** + * @since 21.0.0 + */ + public function getLoginName(): string { + return $this->loginName; + } + /** * @since 18.0.0 */ From 1e35ece8e59ed31c0ae7a578aced99d257e97e67 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Wed, 20 Jan 2021 10:09:45 +0100 Subject: [PATCH 4/4] Fix potential empty result Signed-off-by: Joas Schilling --- apps/files_external/lib/Listener/StorePasswordListener.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/files_external/lib/Listener/StorePasswordListener.php b/apps/files_external/lib/Listener/StorePasswordListener.php index a2c359e58d..27de4ada46 100644 
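Review bot: `$loginName` is now passed into UserLoggedInEvent but the hunk does not show where it is bound; the login listener closure whose parameter list would have to declare it starts above the hunk. If that closure does not receive the login name from the emitter, this is an undefined variable and, with `string $loginName` in the constructor, a TypeError on every login. Please confirm the closure's parameters match the argument order of the emitting call.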
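Review bot: Inserting `string $loginName` as the second constructor parameter changes the positional signature of a class under `lib/public` whose constructor is tagged `@since 18.0.0`, so any app constructing `UserLoggedInEvent` itself would now pass the password where the login name is expected and the token flag where the password is, which strict typing turns into a TypeError. Either document the break in the constructor docblock (`@since 21.0.0 $loginName was added as the second argument`) or append the parameter last so existing call sites keep working. The unchanged `@since 18.0.0` on the constructor is misleading after this change.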
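Review bot: The new `getLoginName()` docblock carries only `@since 21.0.0` and does not say what distinguishes the value from `getUser()->getUID()`, which is the whole reason the listener patch switched to it; add a one-line description such as `@return string the name the user logged in with; may differ from getUser()->getUID()`. Whether and when the two differ is inferred from the series, so word it as "may differ" unless the emitter guarantees more.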
--- a/apps/files_external/lib/Listener/StorePasswordListener.php +++ b/apps/files_external/lib/Listener/StorePasswordListener.php @@ -51,9 +51,9 @@ class StorePasswordListener implements IEventListener { } $stored = $this->credentialsManager->retrieve($event->getUser()->getUID(), LoginCredentials::CREDENTIALS_IDENTIFIER); - $update = $stored['password'] !== $event->getPassword(); + $update = isset($stored['password']) && $stored['password'] !== $event->getPassword(); if (!$update && $event instanceof UserLoggedInEvent) { - $update = $stored['user'] !== $event->getLoginName(); + $update = isset($stored['user']) && $stored['user'] !== $event->getLoginName(); } if ($stored && $update) {