We rely on this because the roundcube files plugin uses the auth/login
route to obtain a token using the password, which is a different token
in case of SSO.
Details
- Reviewers: machniak
- Group Reviewers: Restricted Project
- Commits: rK77ced2efb642: Token validation when providing it as a password
- Repository: rK kolab
Placing this in User::validateCredentials() is maybe not a bad idea, but it creates some redundancy. See NGINXController::authorizeRequest() - AuthUtils::tokenValidate() will now be called twice. Also, test this new case in Unit/UserTest::testPasswordValidation().
Inline comment on src/tests/Unit/UserTest.php, line 69 (on Diff #14546): It should be assertTrue(), right? A test for "valid token of another user" would be nice too.
After another look I think we might be doing something wrong here. A valid token should disable/skip 2FA use. Current User::findAndAuthenticate() will not skip 2FA if the password is a valid token.
Moved the token validation to findAndAuthenticate, so we can skip mfa when a token has been validated.
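The ordering the review settles on (a valid token presented as the password is accepted and skips the second factor; a real password still goes through 2FA; a token issued to another user is rejected, the case the inline comment asks to test) modelled as an added, stand-alone example. This is not kolab's code: the user store, PBKDF2 hashing, the static second-factor check and the token names are constructed for the illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    mfa_secret: str | None = None          # None means 2FA is not enrolled
    api_tokens: set[str] = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, password: str, mfa_secret: str | None = None) -> User:
    salt = secrets.token_bytes(16)
    return User(email, salt, hash_password(password, salt), mfa_secret)


def token_validate(user: User, candidate: str) -> bool:
    # Only tokens issued to *this* user count; compare each one in constant time,
    # so a valid token of another user never authenticates this account.
    return any(hmac.compare_digest(t, candidate) for t in user.api_tokens)


def find_and_authenticate(users: dict[str, User], email: str, secret: str,
                          mfa_code: str | None = None):
    """Return (user, method) on success or (None, reason) on failure."""
    user = users.get(email)
    if user is None:
        return None, "unknown user"
    # 1. A valid token presented as the password is accepted outright: the token
    #    was obtained after a complete login, so the second factor is not asked again.
    if token_validate(user, secret):
        return user, "token"
    # 2. Otherwise the secret must be the real password ...
    if not hmac.compare_digest(user.password_hash, hash_password(secret, user.salt)):
        return None, "invalid credentials"
    # 3. ... and, if the account is enrolled, the second factor is required
    #    (constructed static check standing in for a real TOTP verification).
    if user.mfa_secret is not None:
        if mfa_code is None or not hmac.compare_digest(user.mfa_secret, mfa_code):
            return None, "second factor required"
    return user, "password"
```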