Validate app password on alternative login

Fixes #20838

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Roeland Jago Douma 2020-05-07 16:32:28 +02:00
parent d730579809
commit ffad3f83fe
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 18 additions and 0 deletions


@ -377,6 +377,24 @@ class ClientFlowLoginController extends Controller {
return $this->stateTokenForbiddenResponse();
}
try {
$token = $this->tokenProvider->getToken($password);
if ($token->getLoginName() !== $user) {
throw new InvalidTokenException('login name does not match');
}
} catch (InvalidTokenException $e) {
$response = new StandaloneTemplateResponse(
$this->appName,
'403',
[
'message' => $this->l10n->t('Invalid app password'),
],
'guest'
);
$response->setStatus(Http::STATUS_FORBIDDEN);
return $response;
}
$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
return new Http\RedirectResponse($redirectUri);
}
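Review bot: The new `catch (InvalidTokenException $e)` branch returns the 403 without recording or throttling the failed check, so a client holding a valid state token can now test login-name/app-password pairs against this action with no visible cost per attempt. The method's signature and annotations are outside the hunk, so brute-force protection may already be declared there; if it is, adding `$response->throttle();` before `return $response;` would make failed validations count towards it. If it is not, that protection should be added alongside this change. It would also help detection to log the failure with the login name (never the password) before building the response. Giving the same "Invalid app password" message for an unknown token and a login-name mismatch is the right choice and should be kept.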