diff --git a/src/app/Http/Controllers/API/V4/NGINXController.php b/src/app/Http/Controllers/API/V4/NGINXController.php
--- a/src/app/Http/Controllers/API/V4/NGINXController.php
+++ b/src/app/Http/Controllers/API/V4/NGINXController.php
@@ -76,15 +76,6 @@
 throw new \Exception("No client ip");
 }
- if ($userid = AuthUtils::tokenValidate($password)) {
- $user = User::find($userid);
- if ($user && $user->email == $login) {
- return $user;
- }
-
- throw new \Exception("Password mismatch");
- }
-
 $result = User::findAndAuthenticate($login, $password, $clientIP);
 if (empty($result['user'])) {
diff --git a/src/app/User.php b/src/app/User.php
--- a/src/app/User.php
+++ b/src/app/User.php
@@ -3,6 +3,7 @@
 namespace App;
 use App\AuthAttempt;
+use App\Auth\Utils as AuthUtils;
 use App\Traits\AliasesTrait;
 use App\Traits\BelongsToTenantTrait;
 use App\Traits\EntitleableTrait;
@@ -721,6 +722,13 @@
 {
 $authenticated = false;
+ if ($userid = AuthUtils::tokenValidate($password)) {
+ if ($this->id == $userid) {
+ return true;
+ }
+ return false;
+ }
+
 if ($this->email === \strtolower($username)) {
 if (!empty($this->password)) {
 if (Hash::check($password, $this->password)) {
diff --git a/src/tests/Unit/UserTest.php b/src/tests/Unit/UserTest.php
--- a/src/tests/Unit/UserTest.php
+++ b/src/tests/Unit/UserTest.php
@@ -2,8 +2,8 @@
 namespace Tests\Unit;
+use App\Auth\Utils as AuthUtils;
 use App\User;
-use App\Wallet;
 use Tests\TestCase;
 class UserTest extends TestCase
@@ -63,6 +63,10 @@
 $this->assertSame(true, $ldapUser->validateCredentials('user2@email.com', 'test', false));
 $ldapUser->delete();
+
+ //Ensure we validate a token for the user:
+ $token = AuthUtils::tokenCreate($user->id);
+ $this->assertSame(false, $user->validateCredentials('user@email.com', $token));
 }
 /**
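Review bot: The token branch added at the top of validateCredentials() in User.php returns true as soon as the token's id matches $this->id and never looks at $username, whereas the controller code removed in NGINXController.php also required `$user->email == $login`; unless every caller resolves the user from the login before calling this method (findAndAuthenticate is not visible here), a valid token presented together with someone else's login now authenticates. The branch also compares ids with `==` while the very next line uses `===` for the e-mail, and `if (...) { return true; } return false;` is just the condition. One strict line keeps the previous contract: `return $this->id == $userid && $this->email === \strtolower($username);` (tighten to `===` once the type tokenValidate() returns is known). The early return additionally skips the rest of the method, which lies outside the hunk — `$authenticated` is initialised on the line above and never updated on this path, and whatever the third parameter (passed as false in the test) controls is bypassed for token logins; worth confirming that is intended.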
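Review bot: The new assertion in UserTest.php expects `false` for a token minted with tokenCreate($user->id) and presented with what appears to be $user's own login, which contradicts both the `//Ensure we validate a token for the user` comment and the new branch in User::validateCredentials() that returns true when the ids match; either the expectation should be `true`, or the comment should state why rejection is expected here (for instance if $user's e-mail is not user@email.com in this fixture — the test method starts outside the hunk, so that is not visible). The test also lacks the negative case that actually guards the new code path, a token issued for a different user id being rejected, e.g. `$this->assertSame(false, $user->validateCredentials('user@email.com', AuthUtils::tokenCreate($otherUser->id)));` with `$otherUser` any second fixture user. A space after `//` would match the comment style used elsewhere in the file.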