Skip to content

fix: Reduce the mixups between apptokens and session ids #59758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
come-nc merged 1 commit into from
Apr 21, 2026
+20 −7
Merged

fix: Reduce the mixups between apptokens and session ids #59758

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 20 additions & 7 deletions lib/private/User/Session.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -394,6 +394,12 @@ public function logClientIn($user,
try {
$dbToken = $this->getTokenFromPassword($password);
$isTokenPassword = $dbToken !== null;
if (($dbToken instanceof PublicKeyToken)
&& !in_array($dbToken->getType(), [IToken::PERMANENT_TOKEN,IToken::ONETIME_TOKEN])
) {
// Refuse session tokens here, only app tokens and onetime tokens are handled
return false;
}
} catch (ExpiredTokenException) {
// Just return on an expired token no need to check further or record a failed login
return false;
Expand Down Expand Up @@ -817,32 +823,39 @@ private function validateTokenLoginName(?string $loginName, IToken $token): bool
*/
public function tryTokenLogin(IRequest $request) {
$authHeader = $request->getHeader('Authorization');
$tokenFromCookie = false;
if (str_starts_with($authHeader, 'Bearer ')) {
$token = substr($authHeader, 7);
} elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
// No auth header, let's try session id, but only if this is an existing
// session and the request has a session cookie
try {
$token = $this->session->getId();
$tokenFromCookie = true;
} catch (SessionNotAvailableException $ex) {
return false;
}
} else {
return false;
}

if (!$this->loginWithToken($token)) {
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $e) {
// Can't really happen but better safe than sorry
return false;
}
if (!$this->validateToken($token)) {

if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::TEMPORARY_TOKEN && !$tokenFromCookie) {
// Session token but from Bearer header, not allowed
return false;
}

try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $e) {
// Can't really happen but better save than sorry
return true;
if (!$this->loginWithToken($token)) {
return false;
}
if (!$this->validateToken($token)) {
return false;
}

// Set the session variable so we know this is an app password
Expand Down
Loading