From 1f1ae97824dd84b99037c8dcdd6ba1039f614722 Mon Sep 17 00:00:00 2001
From: Tobias Assmann <tobias.assmann@ecsec.de>
Date: Fri, 9 Jul 2021 09:35:12 +0200
Subject: [PATCH 1/3] draft to prevent the invalidation of pw based authn
 tokens on a pw less login

Signed-off-by: Tobias Assmann <tobias.assmann@ecsec.de>
---
 .../Authentication/Listeners/UserLoggedInListener.php        | 5 +++++
 lib/private/Authentication/Token/PublicKeyTokenProvider.php  | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/lib/private/Authentication/Listeners/UserLoggedInListener.php b/lib/private/Authentication/Listeners/UserLoggedInListener.php
index 9d90f09b296..d158545d22c 100644
--- a/lib/private/Authentication/Listeners/UserLoggedInListener.php
+++ b/lib/private/Authentication/Listeners/UserLoggedInListener.php
@@ -48,6 +48,11 @@ class UserLoggedInListener implements IEventListener {
 			return;
 		}
 
+		// prevent setting an empty pw as result of pw-less-login
+		if ($event->getPassword()==='') {
+			return;
+		}
+
 		// If this is already a token login there is nothing to do
 		if ($event->isTokenLogin()) {
 			return;
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 38551e63b87..1d4f470a6be 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -414,6 +414,11 @@ class PublicKeyTokenProvider implements IProvider {
 	public function updatePasswords(string $uid, string $password) {
 		$this->cache->clear();
 
+		// prevent setting an empty pw as result of pw-less-login
+		if ($password==='') {
+			return;
+		}
+
 		if (!$this->mapper->hasExpiredTokens($uid)) {
 			// Nothing to do here
 			return;

From 669bd4d718179fecf96b60b7d7b0ea6c2e82f8a2 Mon Sep 17 00:00:00 2001
From: Tobias Assmann <tobias.assmann@ecsec.de>
Date: Fri, 16 Jul 2021 13:33:29 +0200
Subject: [PATCH 2/3] add spaces around operators

Signed-off-by: Tobias Assmann <tobias.assmann@ecsec.de>
---
 lib/private/Authentication/Listeners/UserLoggedInListener.php | 2 +-
 lib/private/Authentication/Token/PublicKeyTokenProvider.php   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/private/Authentication/Listeners/UserLoggedInListener.php b/lib/private/Authentication/Listeners/UserLoggedInListener.php
index d158545d22c..faf2edd54f7 100644
--- a/lib/private/Authentication/Listeners/UserLoggedInListener.php
+++ b/lib/private/Authentication/Listeners/UserLoggedInListener.php
@@ -49,7 +49,7 @@ class UserLoggedInListener implements IEventListener {
 		}
 
 		// prevent setting an empty pw as result of pw-less-login
-		if ($event->getPassword()==='') {
+		if ($event->getPassword() === '') {
 			return;
 		}
 
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 1d4f470a6be..870098b0404 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -415,7 +415,7 @@ class PublicKeyTokenProvider implements IProvider {
 		$this->cache->clear();
 
 		// prevent setting an empty pw as result of pw-less-login
-		if ($password==='') {
+		if ($password === '') {
 			return;
 		}
 

From ee049a159b95bcd7d0dea7d656112e410a933f5c Mon Sep 17 00:00:00 2001
From: Tobias Assmann <tobias.assmann@ecsec.de>
Date: Fri, 9 Jul 2021 09:35:12 +0200
Subject: [PATCH 3/3] prevent the invalidation of pw based authn tokens on a pw
 less login

Signed-off-by: Tobias Assmann <tobias.assmann@ecsec.de>
---
 .../Authentication/Listeners/UserLoggedInListener.php        | 5 +++++
 lib/private/Authentication/Token/PublicKeyTokenProvider.php  | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/lib/private/Authentication/Listeners/UserLoggedInListener.php b/lib/private/Authentication/Listeners/UserLoggedInListener.php
index e33f2bc04ca..88298889057 100644
--- a/lib/private/Authentication/Listeners/UserLoggedInListener.php
+++ b/lib/private/Authentication/Listeners/UserLoggedInListener.php
@@ -48,6 +48,11 @@ class UserLoggedInListener implements IEventListener {
 			return;
 		}
 
+		// prevent setting an empty pw as result of pw-less-login
+		if ($event->getPassword() === '') {
+			return;
+		}
+
 		// If this is already a token login there is nothing to do
 		if ($event->isTokenLogin()) {
 			return;
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index ab9ff23dfd1..e8149319904 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -413,6 +413,11 @@ class PublicKeyTokenProvider implements IProvider {
 	public function updatePasswords(string $uid, string $password) {
 		$this->cache->clear();
 
+		// prevent setting an empty pw as result of pw-less-login
+		if ($password === '') {
+			return;
+		}
+
 		// Update the password for all tokens
 		$tokens = $this->mapper->getTokenByUser($uid);
 		foreach ($tokens as $t) {