check login name when authenticating with client token

Author: ChristophWurst

lib/private/User/Session.php

@@ -280,7 +280,7 @@ public function getLoginName() {
 	 */
 	public function login($uid, $password) {
 		$this->session->regenerateId();
-		if ($this->validateToken($password)) {
+		if ($this->validateToken($password, $uid)) {
 			// When logging in with token, the password must be decrypted first before passing to login hook
 			try {
 				$token = $this->tokenProvider->getToken($password);
@@ -584,15 +584,24 @@ private function checkTokenCredentials(IToken $dbToken, $token) {
 	 * Invalidates the token if checks fail
 	 *
 	 * @param string $token
+	 * @param string $user login name
 	 * @return boolean
 	 */
-	private function validateToken($token) {
+	private function validateToken($token, $user = null) {
 		try {
 			$dbToken = $this->tokenProvider->getToken($token);
 		} catch (InvalidTokenException $ex) {
 			return false;
 		}
 
+		// Check if login names match
+		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+			// TODO: this makes it imposssible to use different login names on browser and client
+			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+			//      allow to use the client token with the login name 'user'.
+			return false;
+		}
+
 		if (!$this->checkTokenCredentials($dbToken, $token)) {
 			return false;
 		}

tests/lib/User/SessionTest.php

@@ -314,6 +314,36 @@ public function testLoginNonExisting() {
 		$userSession->login('foo', 'bar');
 	}
 
+	/**
+	 * When using a device token, the loginname must match the one that was used
+	 * when generating the token on the browser.
+	 */
+	public function testLoginWithDifferentTokenLoginName() {
+		$session = $this->getMock('\OC\Session\Memory', array(), array(''));
+		$manager = $this->getMock('\OC\User\Manager');
+		$backend = $this->getMock('\Test\Util\User\Dummy');
+		$userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config);
+		$username = 'user123';
+		$token = new \OC\Authentication\Token\DefaultToken();
+		$token->setLoginName($username);
+
+		$session->expects($this->never())
+			->method('set');
+		$session->expects($this->once())
+			->method('regenerateId');
+		$this->tokenProvider->expects($this->once())
+			->method('getToken')
+			->with('bar')
+			->will($this->returnValue($token));
+
+		$manager->expects($this->once())
+			->method('checkPassword')
+			->with('foo', 'bar')
+			->will($this->returnValue(false));
+
+		$userSession->login('foo', 'bar');
+	}
+
 	/**
 	 * @expectedException \OC\Authentication\Exceptions\PasswordLoginForbiddenException
 	 */