From 76f01f8d31ee624490b99b236fce839589d8e668 Mon Sep 17 00:00:00 2001
From: Jon Huang
Date: Mon, 14 Feb 2022 17:10:31 -0700
Subject: [PATCH] Auth plugin events not fired for non-existent users

Handle auth_flags edge cases which break certain authentication plugins
Fix login redirection for auth plugin.

Fixes #27836, #29517, PR https://github.com/mantisbt/mantisbt/pull/1792
---
 core/authentication_api.php |  6 ++++--
 login_password_page.php     | 23 ++++++++++++++++-------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/core/authentication_api.php b/core/authentication_api.php
index d0346bf653..d7e5c7de5a 100644
--- a/core/authentication_api.php
+++ b/core/authentication_api.php
@@ -81,14 +81,16 @@
  * @param int|null|bool $p_user_id The user id or null for logged in user or
  *                                  NO_USER/false for user that doesn't exist
  *                                  in the system, that may be auto-provisioned.
- * @param string $p_username The username or email
+ * @param string|null $p_username The username or email
  * @return AuthFlags The auth flags object to use.
  * @throws ClientException
  */
 function auth_flags( $p_user_id = null, $p_username = '' ) {
-	if( !$p_user_id ) {
+	# If user id is null but username is set, let the plugin handle it per #27836
+	if ( is_null( $p_user_id ) || ( $p_user_id === false && is_null( $p_username ) ) ) {
 		# If user id is not provided and user is not authenticated return default flags.
 		# Otherwise, we can get into a loop as in #22740
+		# If user is false and username is null, display a more user-friendly error per #25061
 		if( !auth_is_user_authenticated() ) {
 			return new AuthFlags();
 		}
diff --git a/login_password_page.php b/login_password_page.php
index eec09c7280..062b24302e 100644
--- a/login_password_page.php
+++ b/login_password_page.php
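Review bot: The new guard `if ( is_null( $p_user_id ) || ( $p_user_id === false && is_null( $p_username ) ) )` only matches a literal `false`, yet the docblock a few lines above documents the no-such-user value as `NO_USER/false` and the `$p_username` default is `''`, not `null`; a caller passing `NO_USER`, or `false` with the default empty username, no longer gets the early default-flags return the old `!$p_user_id` check gave it and instead falls into the rest of the function, whose handling of that input is outside the hunk. I would widen the check to `if( $p_user_id === null || ( ( $p_user_id === false || $p_user_id === NO_USER ) && ( $p_username === null || $p_username === '' ) ) ) {` so both documented spellings behave the same. The added `# If user is false and username is null, display a more user-friendly error per #25061` comment sits in front of a branch that only returns default flags; if the friendlier error is raised further down, the comment belongs next to that code. `if (` with a space also departs from the file's `if(` spelling used two lines below. auth_flags' body continues past the end of the hunk.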
@@ -82,24 +82,33 @@
 # Get the user id and based on the user decide whether to continue with native password credential
 # page or one provided by a plugin.
 $t_user_id = auth_get_user_id_from_login_name( $t_username );
-if( $t_user_id !== false && auth_credential_page( '', $t_user_id ) != AUTH_PAGE_CREDENTIAL ) {
+# User id could be false if the user does not exist in DB, should be calling auth_credential_page
+# regardless if the user exists or not to give the plugin an opportunity to handle non-existent
+# users per #29517
+$t_should_redirect = AUTH_PAGE_CREDENTIAL != ( $t_user_id !== false
+	? auth_credential_page( '', $t_user_id )
+	: auth_credential_page( '', NO_USER, $t_username ) );
+if( $t_should_redirect ) {
 	$t_query_args = array(
 		'username' => $t_username,
-		'cookie_error' => $f_cookie_error,
-		'reauthenticate' => $f_reauthenticate,
+		'cookie_error' => $f_cookie_error,
+		'reauthenticate' => $f_reauthenticate,
 	);
 	if( !is_blank( $f_error ) ) {
 		$t_query_args['error'] = $f_error;
-	}
+	}
-	if( !is_blank( $f_cookie_error ) ) {
+	if( !is_blank( $f_cookie_error ) ) {
 		$t_query_args['cookie_error'] = $f_cookie_error;
-	}
+	}
 	$t_query_text = http_build_query( $t_query_args, '', '&' );
-	$t_redirect_url = auth_credential_page( $t_query_text, $t_user_id );
+	# Determine the credential page URL based on user id (if it exists) or username
+	$t_redirect_url = $t_user_id !== false
+		? auth_credential_page( $t_query_text, $t_user_id )
+		: auth_credential_page( $t_query_text, NO_USER, $t_username );
 	print_header_redirect( $t_redirect_url );
 }
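Review bot: `$t_should_redirect = AUTH_PAGE_CREDENTIAL != ( ... )` compares the value returned by `auth_credential_page()` loosely, while the surrounding lines use strict `!==` for `$t_user_id`; since a plugin now supplies that value for non-existent users as well, `AUTH_PAGE_CREDENTIAL !== ( ... )` is the safer spelling. The user-id/username ternary is written twice, once here and again for `$t_redirect_url`, so the two calls can drift apart if one is edited; resolving the id and username arguments into locals once, above the `if`, and passing them to both calls would keep the decision and the redirect in step. The `cookie_error`, `reauthenticate` and closing-brace lines are whitespace-only changes unrelated to the fix and make the functional change harder to review; they belong in a separate commit. `$t_username` presumably comes from the login form (its origin is above the hunk), so a plugin reached through the new `NO_USER` path receives untrusted input for a user that does not exist, which is worth stating in the `# User id could be false ...` comment.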