Prevent nextcloud impersonate plugin to login #561

the-djmaze · Oct 31, 2022 · 1dbf2e9 · 1dbf2e9
1 parent 6e4be76
commit 1dbf2e9
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/integrations/nextcloud/snappymail/lib/AppInfo/Application.php b/integrations/nextcloud/snappymail/lib/AppInfo/Application.php
@@ -79,7 +79,9 @@ public function boot(IBootContext $context): void
 			];
 		});
 */
+
 		$userSession = \OC::$server->getUserSession();
+//		$userSession->listen('\OC\User', 'postRememberedLogin', function($loginName, $password) {
 		$userSession->listen('\OC\User', 'postLogin', function($user, $loginName, $password, $isTokenLogin) {
 			$config = \OC::$server->getConfig();
 			$sEmail = '';
@@ -91,6 +93,7 @@ public function boot(IBootContext $context): void
 				$sEmail = $config->getUserValue($user->getUID(), 'settings', 'email', '');
 			}
 			if ($sEmail) {
+				\OC::$server->getSession()['snappymail-email'] = $sEmail;
 				\OC::$server->getSession()['snappymail-password'] = SnappyMailHelper::encodePassword($password, \md5($sEmail));
 			}
 		});

diff --git a/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php b/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php
@@ -106,9 +106,13 @@ public static function startApp(bool $handle = false) : void
 						\RainLoop\Utils::SetCookie('smadmin', $sToken);
 					}
 				}
-			} else if (!$oActions->getMainAccountFromToken(false)) {
+			} else {
 				$aCredentials = SnappyMailHelper::getLoginCredentials();
-				if ($aCredentials[0] && $aCredentials[1]) {
+				if ($oActions->getMainAccountFromToken(false)) {
+					if (!$aCredentials[0] || !$aCredentials[1]) {
+						$oActions->Logout(true);
+					}
+				} else if ($aCredentials[0] && $aCredentials[1]) {
 					$oActions->Logger()->AddSecret($aCredentials[1]);
 					$oAccount = $oActions->LoginProcess($aCredentials[0], $aCredentials[1], false);
 					if ($oAccount) {
@@ -143,6 +147,10 @@ public static function getLoginCredentials() : array
 			$sEmail = $config->getUserValue($sUID, 'settings', 'email', '');
 			$sPassword = \OC::$server->getSession()['snappymail-password'];
 		}
+		if (\OC::$server->getSession()['snappymail-email'] != $sEmail) {
+			$sPassword = '';
+		}
+
 		// If the user has set credentials for SnappyMail in their personal
 		// settings, override everything before and use those instead.
 		$sCustomEmail = $config->getUserValue($sUID, 'snappymail', 'snappymail-email', '');

diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php
@@ -429,7 +429,7 @@ public function SetSpecLogoutCustomMgsWithDeletion(string $sMessage): void
 		Utils::SetCookie(self::AUTH_SPEC_LOGOUT_CUSTOM_MSG_KEY, $sMessage);
 	}
 
-	protected function Logout(bool $bMain) : void
+	public function Logout(bool $bMain) : void
 	{
 		Utils::ClearCookie(self::AUTH_ADDITIONAL_TOKEN_KEY);
 		$bMain && Utils::ClearCookie(self::AUTH_SPEC_TOKEN_KEY);