fix(session): Only mark sessions of permanent tokens as app passwords

ChristophWurst · backportbot[bot] · commit df4746fb7ee5 · 2025-04-03T08:11:02.000Z
Signed-off-by: Christoph Wurst &lt;christoph@winzerhof-wurst.at&gt;

[skip ci]
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -833,9 +833,8 @@ public function tryTokenLogin(IRequest $request) {
 			return true;
 		}
 
-		// Remember me tokens are not app_passwords
-		if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
-			// Set the session variable so we know this is an app password
+		// Set the session variable so we know this is an app password
+		if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {
 			$this->session->set('app_password', $token);
 		}
 
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
@@ -34,6 +34,7 @@
 use OCP\Security\Bruteforce\IThrottler;
 use OCP\Security\ISecureRandom;
 use OCP\User\Events\PostLoginEvent;
+use PHPUnit\Framework\ExpectationFailedException;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use function array_diff;

Original file line number	Diff line number	Diff line change
`@@ -833,9 +833,8 @@ public function tryTokenLogin(IRequest $request) {`
`833`	`833`	`return true;`
`834`	`834`	`}`
`835`	`835`
`836`		`- // Remember me tokens are not app_passwords`
`837`		`- if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {`
`838`		`- // Set the session variable so we know this is an app password`
	`836`	`+ // Set the session variable so we know this is an app password`
	`837`	`+ if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {`
`839`	`838`	`$this->session->set('app_password', $token);`
`840`	`839`	`}`
`841`	`840`