diff --git a/src/app/Http/Controllers/API/V4/NGINXController.php b/src/app/Http/Controllers/API/V4/NGINXController.php
--- a/src/app/Http/Controllers/API/V4/NGINXController.php
+++ b/src/app/Http/Controllers/API/V4/NGINXController.php
@@ -76,15 +76,6 @@
             throw new \Exception("No client ip");
         }
 
-        if ($userid = AuthUtils::tokenValidate($password)) {
-            $user = User::find($userid);
-            if ($user && $user->email == $login) {
-                return $user;
-            }
-
-            throw new \Exception("Password mismatch");
-        }
-
         $result = User::findAndAuthenticate($login, $password, $clientIP);
 
         if (empty($result['user'])) {
diff --git a/src/app/User.php b/src/app/User.php
--- a/src/app/User.php
+++ b/src/app/User.php
@@ -3,6 +3,7 @@
 namespace App;
 
 use App\AuthAttempt;
+use App\Auth\Utils as AuthUtils;
 use App\Traits\AliasesTrait;
 use App\Traits\BelongsToTenantTrait;
 use App\Traits\EntitleableTrait;
@@ -815,11 +816,19 @@
 
         if (!$user) {
             $error = AuthAttempt::REASON_NOTFOUND;
-        }
-
-        // Check user password
-        if (!$error && !$user->validateCredentials($username, $password)) {
-            $error = AuthAttempt::REASON_PASSWORD;
+        } else {
+            if ($userid = AuthUtils::tokenValidate($password)) {
+                if ($user->id == $userid) {
+                    $verifyMFA = false;
+                } else {
+                    $error = AuthAttempt::REASON_PASSWORD;
+                }
+            } else {
+                // Check user password
+                if (!$user->validateCredentials($username, $password)) {
+                    $error = AuthAttempt::REASON_PASSWORD;
+                }
+            }
         }
 
         if ($verifyMFA) {
diff --git a/src/tests/Feature/UserTest.php b/src/tests/Feature/UserTest.php
--- a/src/tests/Feature/UserTest.php
+++ b/src/tests/Feature/UserTest.php
@@ -9,6 +9,7 @@
 use App\PackageSku;
 use App\Sku;
 use App\User;
+use App\Auth\Utils as AuthUtils;
 use Carbon\Carbon;
 use Illuminate\Support\Facades\Queue;
 use Tests\TestCase;
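Review bot: The `$verifyMFA = false;` line in the User.php hunk at line 816 silently turns a valid token into an MFA bypass, and nothing in the hunk records why that is acceptable; presumably such a token is only issued after a completed login, but a maintainer reading findAndAuthenticate cannot tell, so the line should carry a comment such as `// A token from AuthUtils::tokenCreate() stands in for a completed login, so the MFA step is not repeated here` (confirm that this matches how tokens are issued). The id comparison `if ($user->id == $userid)` is loose; since the hunk does not show whether tokenValidate() returns an int or a numeric string, `if ((int) $user->id === (int) $userid)` keeps the intent and makes the comparison strict, and the same `==`/`===` remark applied to the removed `$user->email == $login` in the NGINXController hunk. The nested `} else { if ($userid = AuthUtils::tokenValidate($password)) {` would read more directly as `} elseif ($userid = AuthUtils::tokenValidate($password)) {`, with the inner `} else { // Check user password` collapsed to `} else {` at the same level. The enclosing function findAndAuthenticate starts and ends outside the hunk, so where `$verifyMFA` is initialised and how `$error` is consumed is not visible here.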
@@ -1575,4 +1576,21 @@
         $this->assertCount(1, $ned->wallets);
         $this->assertInstanceOf(\App\Wallet::class, $ned->wallets->first());
     }
+
+    /**
+     * Tests for User::findAndAuthenticate()
+     */
+    public function testFindAndAuthenticate(): void
+    {
+        $user = $this->getTestUser('john@kolab.org');
+
+        // Ensure we validate a token for the user:
+        $token = AuthUtils::tokenCreate($user->id);
+        $this->assertTrue(isset(User::findAndAuthenticate($user->email, $token)['user']));
+
+        // Ensure we don't validate a token for another user:
+        $token = AuthUtils::tokenCreate($this->getTestUser('ned@kolab.org')->id);
+        $this->assertFalse(isset(User::findAndAuthenticate($user->email, $token)['user']));
+    }
+
 }
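Review bot: testFindAndAuthenticate covers only the two token branches and never exercises the fallback that the User.php change keeps for non-token input, so a regression that made tokenValidate() accept an ordinary password string would not be caught; adding `$this->assertFalse(isset(User::findAndAuthenticate($user->email, 'not-a-token-nor-password')['user']));` (a constructed sample value) pins that path. Checking only `isset(...['user'])` also drops the distinction between "not found" and "password mismatch" on the cross-user case; if the returned array exposes the AuthAttempt reason (its key is not visible in this diff), asserting it against `AuthAttempt::REASON_PASSWORD` would make the expected failure mode explicit. The docblock `Tests for User::findAndAuthenticate()` would be more useful if it named what is checked, for example that a token is accepted only for the user it was created for.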