Allow usernames to be case-insensitive with app passwords

phil-davis · phil-davis · commit d4d8b28aaaed · 2022-08-10T19:07:09.000+05:45
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -919,7 +919,7 @@ private function validateToken($token, $user = null) {
 		);
 
 		// Check if login names match
-		if ($user !== null && $dbToken->getLoginName() !== $user) {
+		if ($user !== null && \strcasecmp($dbToken->getLoginName(), $user) !== 0) {
 			// TODO: this makes it impossible to use different login names on browser and client
 			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
 			//      allow to use the client token with the login name 'user'.
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavCaseInsensitiveAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavCaseInsensitiveAuth.feature
@@ -0,0 +1,35 @@
+@api @notToImplementOnOCIS
+Feature: usernames are case-insensitive in webDAV requests with app passwords
+
+  Background:
+    Given these users have been created with default attributes and without skeleton files:
+      | username |
+      | Alice    |
+    And user "Alice" has uploaded file with content "some data" to "/textfile0.txt"
+    And user "Alice" has uploaded file with content "some data" to "/textfile1.txt"
+    And user "Alice" has created folder "/PARENT"
+    And user "Alice" has created folder "/FOLDER"
+    And user "Alice" has uploaded file with content "some data" to "/PARENT/parent.txt"
+
+
+  Scenario: send PUT requests to webDav endpoints using app password token as password and lowercase of username
+    Given token auth has been enforced
+    And a new browser session for "Alice" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "alice" requests these endpoints with "PUT" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+      | endpoint                                           |
+      | /remote.php/webdav/textfile0.txt                   |
+      | /remote.php/dav/files/%username%/textfile1.txt     |
+      | /remote.php/dav/files/%username%/PARENT/parent.txt |
+    Then the HTTP status code of responses on all endpoints should be "204"
+    When the user "alice" requests these endpoints with "PUT" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+      | endpoint                                 |
+      # this folder is created, so gives 201 - CREATED
+      | /remote.php/webdav/PARENS                |
+      | /remote.php/dav/files/%username%/FOLDERS |
+    Then the HTTP status code of responses on all endpoints should be "201"
+    When the user "alice" requests these endpoints with "PUT" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+      | endpoint                                |
+      # this folder already exists so gives 409 - CONFLICT
+      | /remote.php/dav/files/%username%/FOLDER |
+    Then the HTTP status code of responses on all endpoints should be "409"
