nextcloud / server

lib/private/Authentication/Login/CreateSessionTokenCommand.php

Indentation +45 added lines, -45 removed lines

@@ -13,54 +13,54 @@
 use OCP\IConfig;
 
 class CreateSessionTokenCommand extends ALoginCommand {
-	/** @var IConfig */
-	private $config;
+    /** @var IConfig */
+    private $config;
 
-	/** @var Session */
-	private $userSession;
+    /** @var Session */
+    private $userSession;
 
-	public function __construct(IConfig $config,
-		Session $userSession) {
-		$this->config = $config;
-		$this->userSession = $userSession;
-	}
+    public function __construct(IConfig $config,
+        Session $userSession) {
+        $this->config = $config;
+        $this->userSession = $userSession;
+    }
 
-	public function process(LoginData $loginData): LoginResult {
-		if ($this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15) === 0) {
-			$loginData->setRememberLogin(false);
-		}
-		if ($loginData->isRememberLogin()) {
-			$tokenType = IToken::REMEMBER;
-		} else {
-			$tokenType = IToken::DO_NOT_REMEMBER;
-		}
+    public function process(LoginData $loginData): LoginResult {
+        if ($this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15) === 0) {
+            $loginData->setRememberLogin(false);
+        }
+        if ($loginData->isRememberLogin()) {
+            $tokenType = IToken::REMEMBER;
+        } else {
+            $tokenType = IToken::DO_NOT_REMEMBER;
+        }
 
-		if ($loginData->getPassword() === '') {
-			$this->userSession->createSessionToken(
-				$loginData->getRequest(),
-				$loginData->getUser()->getUID(),
-				$loginData->getUsername(),
-				null,
-				$tokenType
-			);
-			$this->userSession->updateTokens(
-				$loginData->getUser()->getUID(),
-				''
-			);
-		} else {
-			$this->userSession->createSessionToken(
-				$loginData->getRequest(),
-				$loginData->getUser()->getUID(),
-				$loginData->getUsername(),
-				$loginData->getPassword(),
-				$tokenType
-			);
-			$this->userSession->updateTokens(
-				$loginData->getUser()->getUID(),
-				$loginData->getPassword()
-			);
-		}
+        if ($loginData->getPassword() === '') {
+            $this->userSession->createSessionToken(
+                $loginData->getRequest(),
+                $loginData->getUser()->getUID(),
+                $loginData->getUsername(),
+                null,
+                $tokenType
+            );
+            $this->userSession->updateTokens(
+                $loginData->getUser()->getUID(),
+                ''
+            );
+        } else {
+            $this->userSession->createSessionToken(
+                $loginData->getRequest(),
+                $loginData->getUser()->getUID(),
+                $loginData->getUsername(),
+                $loginData->getPassword(),
+                $tokenType
+            );
+            $this->userSession->updateTokens(
+                $loginData->getUser()->getUID(),
+                $loginData->getPassword()
+            );
+        }
 
-		return $this->processNextOrFinishSuccessfully($loginData);
-	}
+        return $this->processNextOrFinishSuccessfully($loginData);
+    }
 }

lib/private/Authentication/Login/LoginData.php

Indentation +63 added lines, -63 removed lines

@@ -13,67 +13,67 @@
 use OCP\IUser;
 
 class LoginData {
-	/** @var IUser|false|null */
-	private $user = null;
-
-	public function __construct(
-		private IRequest $request,
-		private string $username,
-		private ?string $password,
-		private bool $rememberLogin = true,
-		private ?string $redirectUrl = null,
-		private string $timeZone = '',
-		private string $timeZoneOffset = '',
-	) {
-	}
-
-	public function getRequest(): IRequest {
-		return $this->request;
-	}
-
-	public function setUsername(string $username): void {
-		$this->username = $username;
-	}
-
-	public function getUsername(): string {
-		return $this->username;
-	}
-
-	public function getPassword(): ?string {
-		return $this->password;
-	}
-
-	public function getRedirectUrl(): ?string {
-		return $this->redirectUrl;
-	}
-
-	public function getTimeZone(): string {
-		return $this->timeZone;
-	}
-
-	public function getTimeZoneOffset(): string {
-		return $this->timeZoneOffset;
-	}
-
-	/**
-	 * @param IUser|false|null $user
-	 */
-	public function setUser($user): void {
-		$this->user = $user;
-	}
-
-	/**
-	 * @return false|IUser|null
-	 */
-	public function getUser() {
-		return $this->user;
-	}
-
-	public function setRememberLogin(bool $rememberLogin): void {
-		$this->rememberLogin = $rememberLogin;
-	}
-
-	public function isRememberLogin(): bool {
-		return $this->rememberLogin;
-	}
+    /** @var IUser|false|null */
+    private $user = null;
+
+    public function __construct(
+        private IRequest $request,
+        private string $username,
+        private ?string $password,
+        private bool $rememberLogin = true,
+        private ?string $redirectUrl = null,
+        private string $timeZone = '',
+        private string $timeZoneOffset = '',
+    ) {
+    }
+
+    public function getRequest(): IRequest {
+        return $this->request;
+    }
+
+    public function setUsername(string $username): void {
+        $this->username = $username;
+    }
+
+    public function getUsername(): string {
+        return $this->username;
+    }
+
+    public function getPassword(): ?string {
+        return $this->password;
+    }
+
+    public function getRedirectUrl(): ?string {
+        return $this->redirectUrl;
+    }
+
+    public function getTimeZone(): string {
+        return $this->timeZone;
+    }
+
+    public function getTimeZoneOffset(): string {
+        return $this->timeZoneOffset;
+    }
+
+    /**
+     * @param IUser|false|null $user
+     */
+    public function setUser($user): void {
+        $this->user = $user;
+    }
+
+    /**
+     * @return false|IUser|null
+     */
+    public function getUser() {
+        return $this->user;
+    }
+
+    public function setRememberLogin(bool $rememberLogin): void {
+        $this->rememberLogin = $rememberLogin;
+    }
+
+    public function isRememberLogin(): bool {
+        return $this->rememberLogin;
+    }
 }

core/Controller/LoginController.php

Indentation +387 added lines, -387 removed lines

@@ -47,391 +47,391 @@
 use OCP\Util;
 
 class LoginController extends Controller {
-	public const LOGIN_MSG_INVALIDPASSWORD = 'invalidpassword';
-	public const LOGIN_MSG_USERDISABLED = 'userdisabled';
-	public const LOGIN_MSG_CSRFCHECKFAILED = 'csrfCheckFailed';
-	public const LOGIN_MSG_INVALID_ORIGIN = 'invalidOrigin';
-
-	public function __construct(
-		?string $appName,
-		IRequest $request,
-		private IUserManager $userManager,
-		private IConfig $config,
-		private ISession $session,
-		private Session $userSession,
-		private IURLGenerator $urlGenerator,
-		private Defaults $defaults,
-		private IThrottler $throttler,
-		private IInitialState $initialState,
-		private WebAuthnManager $webAuthnManager,
-		private IManager $manager,
-		private IL10N $l10n,
-		private IAppManager $appManager,
-	) {
-		parent::__construct($appName, $request);
-	}
-
-	/**
-	 * @return RedirectResponse
-	 */
-	#[NoAdminRequired]
-	#[UseSession]
-	#[FrontpageRoute(verb: 'GET', url: '/logout')]
-	public function logout() {
-		$loginToken = $this->request->getCookie('nc_token');
-		if (!is_null($loginToken)) {
-			$this->config->deleteUserValue($this->userSession->getUser()->getUID(), 'login_token', $loginToken);
-		}
-		$this->userSession->logout();
-
-		$response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
-			'core.login.showLoginForm',
-			['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
-		));
-
-		$this->session->set('clearingExecutionContexts', '1');
-		$this->session->close();
-
-		if (
-			$this->request->getServerProtocol() === 'https'
-			&& !$this->request->isUserAgent([Request::USER_AGENT_CHROME, Request::USER_AGENT_ANDROID_MOBILE_CHROME])
-		) {
-			$response->addHeader('Clear-Site-Data', '"cache", "storage"');
-		}
-
-		return $response;
-	}
-
-	/**
-	 * @param string $user
-	 * @param string $redirect_url
-	 *
-	 * @return TemplateResponse|RedirectResponse
-	 */
-	#[NoCSRFRequired]
-	#[PublicPage]
-	#[UseSession]
-	#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
-	#[FrontpageRoute(verb: 'GET', url: '/login')]
-	public function showLoginForm(?string $user = null, ?string $redirect_url = null): Response {
-		if ($this->userSession->isLoggedIn()) {
-			return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
-		}
-
-		$loginMessages = $this->session->get('loginMessages');
-		if (!$this->manager->isFairUseOfFreePushService()) {
-			if (!is_array($loginMessages)) {
-				$loginMessages = [[], []];
-			}
-			$loginMessages[1][] = $this->l10n->t('This community release of Nextcloud is unsupported and push notifications are limited.');
-		}
-		if (is_array($loginMessages)) {
-			[$errors, $messages] = $loginMessages;
-			$this->initialState->provideInitialState('loginMessages', $messages);
-			$this->initialState->provideInitialState('loginErrors', $errors);
-		}
-		$this->session->remove('loginMessages');
-
-		if ($user !== null && $user !== '') {
-			$this->initialState->provideInitialState('loginUsername', $user);
-		} else {
-			$this->initialState->provideInitialState('loginUsername', '');
-		}
-
-		$this->initialState->provideInitialState(
-			'loginAutocomplete',
-			$this->config->getSystemValue('login_form_autocomplete', true) === true
-		);
-
-		$this->initialState->provideInitialState(
-			'loginCanRememberme',
-			$this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15) > 0
-		);
-
-		if (!empty($redirect_url)) {
-			[$url, ] = explode('?', $redirect_url);
-			if ($url !== $this->urlGenerator->linkToRoute('core.login.logout')) {
-				$this->initialState->provideInitialState('loginRedirectUrl', $redirect_url);
-			}
-		}
-
-		$this->initialState->provideInitialState(
-			'loginThrottleDelay',
-			$this->throttler->getDelay($this->request->getRemoteAddress())
-		);
-
-		$this->setPasswordResetInitialState($user);
-
-		$this->setEmailStates();
-
-		$this->initialState->provideInitialState('webauthn-available', $this->webAuthnManager->isWebAuthnAvailable());
-
-		$this->initialState->provideInitialState('hideLoginForm', $this->config->getSystemValueBool('hide_login_form', false));
-
-		// OpenGraph Support: http://ogp.me/
-		Util::addHeader('meta', ['property' => 'og:title', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
-		Util::addHeader('meta', ['property' => 'og:description', 'content' => Util::sanitizeHTML($this->defaults->getSlogan())]);
-		Util::addHeader('meta', ['property' => 'og:site_name', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
-		Util::addHeader('meta', ['property' => 'og:url', 'content' => $this->urlGenerator->getAbsoluteURL('/')]);
-		Util::addHeader('meta', ['property' => 'og:type', 'content' => 'website']);
-		Util::addHeader('meta', ['property' => 'og:image', 'content' => $this->urlGenerator->getAbsoluteURL($this->urlGenerator->imagePath('core', 'favicon-touch.png'))]);
-
-		// Add same-origin referrer policy so we can check for valid requests
-		Util::addHeader('meta', ['name' => 'referrer', 'content' => 'same-origin']);
-
-		$parameters = [
-			'alt_login' => OC_App::getAlternativeLogIns(),
-			'pageTitle' => $this->l10n->t('Login'),
-		];
-
-		$this->initialState->provideInitialState('countAlternativeLogins', count($parameters['alt_login']));
-		$this->initialState->provideInitialState('alternativeLogins', $parameters['alt_login']);
-		$this->initialState->provideInitialState('loginTimeout', $this->config->getSystemValueInt('login_form_timeout', 5 * 60));
-
-		return new TemplateResponse(
-			$this->appName,
-			'login',
-			$parameters,
-			TemplateResponse::RENDER_AS_GUEST,
-		);
-	}
-
-	/**
-	 * Sets the password reset state
-	 *
-	 * @param string $username
-	 */
-	private function setPasswordResetInitialState(?string $username): void {
-		if ($username !== null && $username !== '') {
-			$user = $this->userManager->get($username);
-		} else {
-			$user = null;
-		}
-
-		$passwordLink = $this->config->getSystemValueString('lost_password_link', '');
-
-		$this->initialState->provideInitialState(
-			'loginResetPasswordLink',
-			$passwordLink
-		);
-
-		$this->initialState->provideInitialState(
-			'loginCanResetPassword',
-			$this->canResetPassword($passwordLink, $user)
-		);
-	}
-
-	/**
-	 * Sets the initial state of whether or not a user is allowed to login with their email
-	 * initial state is passed in the array of 1 for email allowed and 0 for not allowed
-	 */
-	private function setEmailStates(): void {
-		$emailStates = []; // true: can login with email, false otherwise - default to true
-
-		// check if user_ldap is enabled, and the required classes exist
-		if ($this->appManager->isAppLoaded('user_ldap')
-			&& class_exists(Helper::class)) {
-			$helper = Server::get(Helper::class);
-			$allPrefixes = $helper->getServerConfigurationPrefixes();
-			// check each LDAP server the user is connected too
-			foreach ($allPrefixes as $prefix) {
-				$emailConfig = new Configuration($prefix);
-				array_push($emailStates, $emailConfig->__get('ldapLoginFilterEmail'));
-			}
-		}
-		$this->initialState->provideInitialState('emailStates', $emailStates);
-	}
-
-	/**
-	 * @param string|null $passwordLink
-	 * @param IUser|null $user
-	 *
-	 * Users may not change their passwords if:
-	 * - The account is disabled
-	 * - The backend doesn't support password resets
-	 * - The password reset function is disabled
-	 *
-	 * @return bool
-	 */
-	private function canResetPassword(?string $passwordLink, ?IUser $user): bool {
-		if ($passwordLink === 'disabled') {
-			return false;
-		}
-
-		if (!$passwordLink && $user !== null) {
-			return $user->canChangePassword();
-		}
-
-		if ($user !== null && $user->isEnabled() === false) {
-			return false;
-		}
-
-		return true;
-	}
-
-	private function generateRedirect(?string $redirectUrl): RedirectResponse {
-		if ($redirectUrl !== null && $this->userSession->isLoggedIn()) {
-			$location = $this->urlGenerator->getAbsoluteURL($redirectUrl);
-			// Deny the redirect if the URL contains a @
-			// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
-			if (!str_contains($location, '@')) {
-				return new RedirectResponse($location);
-			}
-		}
-		return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
-	}
-
-	#[NoCSRFRequired]
-	#[PublicPage]
-	#[BruteForceProtection(action: 'login')]
-	#[UseSession]
-	#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
-	#[FrontpageRoute(verb: 'POST', url: '/login')]
-	public function tryLogin(
-		Chain $loginChain,
-		ITrustedDomainHelper $trustedDomainHelper,
-		string $user = '',
-		string $password = '',
-		bool $rememberme = false,
-		?string $redirect_url = null,
-		string $timezone = '',
-		string $timezone_offset = '',
-	): RedirectResponse {
-		$error = '';
-
-		$origin = $this->request->getHeader('Origin');
-		$throttle = true;
-		if ($origin === '' || !$trustedDomainHelper->isTrustedUrl($origin)) {
-			// Login attempt not from the same origin,
-			// We only allow this on the login flow but not on the UI login page.
-			// This could have come from someone malicious who tries to block a user by triggering the bruteforce protection.
-			$error = self::LOGIN_MSG_INVALID_ORIGIN;
-			$throttle = false;
-		} elseif (!$this->request->passesCSRFCheck()) {
-			if ($this->userSession->isLoggedIn()) {
-				// If the user is already logged in and the CSRF check does not pass then
-				// simply redirect the user to the correct page as required. This is the
-				// case when a user has already logged-in, in another tab.
-				return $this->generateRedirect($redirect_url);
-			}
-			$error = self::LOGIN_MSG_CSRFCHECKFAILED;
-		}
-
-		if ($error !== '') {
-			// Clear any auth remnants like cookies to ensure a clean login
-			// For the next attempt
-			$this->userSession->logout();
-			return $this->createLoginFailedResponse(
-				$user,
-				$user,
-				$redirect_url,
-				$error,
-				$throttle,
-			);
-		}
-
-		$user = trim($user);
-
-		if (strlen($user) > 255) {
-			return $this->createLoginFailedResponse(
-				$user,
-				$user,
-				$redirect_url,
-				$this->l10n->t('Unsupported email length (>255)')
-			);
-		}
-
-		$data = new LoginData(
-			$this->request,
-			$user,
-			$password,
-			$rememberme,
-			$redirect_url,
-			$timezone,
-			$timezone_offset,
-		);
-		$result = $loginChain->process($data);
-		if (!$result->isSuccess()) {
-			return $this->createLoginFailedResponse(
-				$data->getUsername(),
-				$user,
-				$redirect_url,
-				$result->getErrorMessage()
-			);
-		}
-
-		if ($result->getRedirectUrl() !== null) {
-			return new RedirectResponse($result->getRedirectUrl());
-		}
-		return $this->generateRedirect($redirect_url);
-	}
-
-	/**
-	 * Creates a login failed response.
-	 *
-	 * @param string $user
-	 * @param string $originalUser
-	 * @param string $redirect_url
-	 * @param string $loginMessage
-	 *
-	 * @return RedirectResponse
-	 */
-	private function createLoginFailedResponse(
-		$user,
-		$originalUser,
-		$redirect_url,
-		string $loginMessage,
-		bool $throttle = true,
-	) {
-		// Read current user and append if possible we need to
-		// return the unmodified user otherwise we will leak the login name
-		$args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
-		if ($redirect_url !== null) {
-			$args['redirect_url'] = $redirect_url;
-		}
-		$response = new RedirectResponse(
-			$this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
-		);
-		if ($throttle) {
-			$response->throttle(['user' => substr($user, 0, 64)]);
-		}
-		$this->session->set('loginMessages', [
-			[$loginMessage], []
-		]);
-
-		return $response;
-	}
-
-	/**
-	 * Confirm the user password
-	 *
-	 * @license GNU AGPL version 3 or any later version
-	 *
-	 * @param string $password The password of the user
-	 *
-	 * @return DataResponse<Http::STATUS_OK, array{lastLogin: int}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, list<empty>, array{}>
-	 *
-	 * 200: Password confirmation succeeded
-	 * 403: Password confirmation failed
-	 */
-	#[NoAdminRequired]
-	#[BruteForceProtection(action: 'sudo')]
-	#[UseSession]
-	#[NoCSRFRequired]
-	#[FrontpageRoute(verb: 'POST', url: '/login/confirm')]
-	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
-	public function confirmPassword(string $password): DataResponse {
-		$loginName = $this->userSession->getLoginName();
-		$loginResult = $this->userManager->checkPassword($loginName, $password);
-		if ($loginResult === false) {
-			$response = new DataResponse([], Http::STATUS_FORBIDDEN);
-			$response->throttle(['loginName' => $loginName]);
-			return $response;
-		}
-
-		$confirmTimestamp = time();
-		$this->session->set('last-password-confirm', $confirmTimestamp);
-		$this->throttler->resetDelay($this->request->getRemoteAddress(), 'sudo', ['loginName' => $loginName]);
-		return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);
-	}
+    public const LOGIN_MSG_INVALIDPASSWORD = 'invalidpassword';
+    public const LOGIN_MSG_USERDISABLED = 'userdisabled';
+    public const LOGIN_MSG_CSRFCHECKFAILED = 'csrfCheckFailed';
+    public const LOGIN_MSG_INVALID_ORIGIN = 'invalidOrigin';
+
+    public function __construct(
+        ?string $appName,
+        IRequest $request,
+        private IUserManager $userManager,
+        private IConfig $config,
+        private ISession $session,
+        private Session $userSession,
+        private IURLGenerator $urlGenerator,
+        private Defaults $defaults,
+        private IThrottler $throttler,
+        private IInitialState $initialState,
+        private WebAuthnManager $webAuthnManager,
+        private IManager $manager,
+        private IL10N $l10n,
+        private IAppManager $appManager,
+    ) {
+        parent::__construct($appName, $request);
+    }
+
+    /**
+     * @return RedirectResponse
+     */
+    #[NoAdminRequired]
+    #[UseSession]
+    #[FrontpageRoute(verb: 'GET', url: '/logout')]
+    public function logout() {
+        $loginToken = $this->request->getCookie('nc_token');
+        if (!is_null($loginToken)) {
+            $this->config->deleteUserValue($this->userSession->getUser()->getUID(), 'login_token', $loginToken);
+        }
+        $this->userSession->logout();
+
+        $response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
+            'core.login.showLoginForm',
+            ['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
+        ));
+
+        $this->session->set('clearingExecutionContexts', '1');
+        $this->session->close();
+
+        if (
+            $this->request->getServerProtocol() === 'https'
+            && !$this->request->isUserAgent([Request::USER_AGENT_CHROME, Request::USER_AGENT_ANDROID_MOBILE_CHROME])
+        ) {
+            $response->addHeader('Clear-Site-Data', '"cache", "storage"');
+        }
+
+        return $response;
+    }
+
+    /**
+     * @param string $user
+     * @param string $redirect_url
+     *
+     * @return TemplateResponse|RedirectResponse
+     */
+    #[NoCSRFRequired]
+    #[PublicPage]
+    #[UseSession]
+    #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
+    #[FrontpageRoute(verb: 'GET', url: '/login')]
+    public function showLoginForm(?string $user = null, ?string $redirect_url = null): Response {
+        if ($this->userSession->isLoggedIn()) {
+            return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
+        }
+
+        $loginMessages = $this->session->get('loginMessages');
+        if (!$this->manager->isFairUseOfFreePushService()) {
+            if (!is_array($loginMessages)) {
+                $loginMessages = [[], []];
+            }
+            $loginMessages[1][] = $this->l10n->t('This community release of Nextcloud is unsupported and push notifications are limited.');
+        }
+        if (is_array($loginMessages)) {
+            [$errors, $messages] = $loginMessages;
+            $this->initialState->provideInitialState('loginMessages', $messages);
+            $this->initialState->provideInitialState('loginErrors', $errors);
+        }
+        $this->session->remove('loginMessages');
+
+        if ($user !== null && $user !== '') {
+            $this->initialState->provideInitialState('loginUsername', $user);
+        } else {
+            $this->initialState->provideInitialState('loginUsername', '');
+        }
+
+        $this->initialState->provideInitialState(
+            'loginAutocomplete',
+            $this->config->getSystemValue('login_form_autocomplete', true) === true
+        );
+
+        $this->initialState->provideInitialState(
+            'loginCanRememberme',
+            $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15) > 0
+        );
+
+        if (!empty($redirect_url)) {
+            [$url, ] = explode('?', $redirect_url);
+            if ($url !== $this->urlGenerator->linkToRoute('core.login.logout')) {
+                $this->initialState->provideInitialState('loginRedirectUrl', $redirect_url);
+            }
+        }
+
+        $this->initialState->provideInitialState(
+            'loginThrottleDelay',
+            $this->throttler->getDelay($this->request->getRemoteAddress())
+        );
+
+        $this->setPasswordResetInitialState($user);
+
+        $this->setEmailStates();
+
+        $this->initialState->provideInitialState('webauthn-available', $this->webAuthnManager->isWebAuthnAvailable());
+
+        $this->initialState->provideInitialState('hideLoginForm', $this->config->getSystemValueBool('hide_login_form', false));
+
+        // OpenGraph Support: http://ogp.me/
+        Util::addHeader('meta', ['property' => 'og:title', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
+        Util::addHeader('meta', ['property' => 'og:description', 'content' => Util::sanitizeHTML($this->defaults->getSlogan())]);
+        Util::addHeader('meta', ['property' => 'og:site_name', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
+        Util::addHeader('meta', ['property' => 'og:url', 'content' => $this->urlGenerator->getAbsoluteURL('/')]);
+        Util::addHeader('meta', ['property' => 'og:type', 'content' => 'website']);
+        Util::addHeader('meta', ['property' => 'og:image', 'content' => $this->urlGenerator->getAbsoluteURL($this->urlGenerator->imagePath('core', 'favicon-touch.png'))]);
+
+        // Add same-origin referrer policy so we can check for valid requests
+        Util::addHeader('meta', ['name' => 'referrer', 'content' => 'same-origin']);
+
+        $parameters = [
+            'alt_login' => OC_App::getAlternativeLogIns(),
+            'pageTitle' => $this->l10n->t('Login'),
+        ];
+
+        $this->initialState->provideInitialState('countAlternativeLogins', count($parameters['alt_login']));
+        $this->initialState->provideInitialState('alternativeLogins', $parameters['alt_login']);
+        $this->initialState->provideInitialState('loginTimeout', $this->config->getSystemValueInt('login_form_timeout', 5 * 60));
+
+        return new TemplateResponse(
+            $this->appName,
+            'login',
+            $parameters,
+            TemplateResponse::RENDER_AS_GUEST,
+        );
+    }
+
+    /**
+     * Sets the password reset state
+     *
+     * @param string $username
+     */
+    private function setPasswordResetInitialState(?string $username): void {
+        if ($username !== null && $username !== '') {
+            $user = $this->userManager->get($username);
+        } else {
+            $user = null;
+        }
+
+        $passwordLink = $this->config->getSystemValueString('lost_password_link', '');
+
+        $this->initialState->provideInitialState(
+            'loginResetPasswordLink',
+            $passwordLink
+        );
+
+        $this->initialState->provideInitialState(
+            'loginCanResetPassword',
+            $this->canResetPassword($passwordLink, $user)
+        );
+    }
+
+    /**
+     * Sets the initial state of whether or not a user is allowed to login with their email
+     * initial state is passed in the array of 1 for email allowed and 0 for not allowed
+     */
+    private function setEmailStates(): void {
+        $emailStates = []; // true: can login with email, false otherwise - default to true
+
+        // check if user_ldap is enabled, and the required classes exist
+        if ($this->appManager->isAppLoaded('user_ldap')
+            && class_exists(Helper::class)) {
+            $helper = Server::get(Helper::class);
+            $allPrefixes = $helper->getServerConfigurationPrefixes();
+            // check each LDAP server the user is connected too
+            foreach ($allPrefixes as $prefix) {
+                $emailConfig = new Configuration($prefix);
+                array_push($emailStates, $emailConfig->__get('ldapLoginFilterEmail'));
+            }
+        }
+        $this->initialState->provideInitialState('emailStates', $emailStates);
+    }
+
+    /**
+     * @param string|null $passwordLink
+     * @param IUser|null $user
+     *
+     * Users may not change their passwords if:
+     * - The account is disabled
+     * - The backend doesn't support password resets
+     * - The password reset function is disabled
+     *
+     * @return bool
+     */
+    private function canResetPassword(?string $passwordLink, ?IUser $user): bool {
+        if ($passwordLink === 'disabled') {
+            return false;
+        }
+
+        if (!$passwordLink && $user !== null) {
+            return $user->canChangePassword();
+        }
+
+        if ($user !== null && $user->isEnabled() === false) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private function generateRedirect(?string $redirectUrl): RedirectResponse {
+        if ($redirectUrl !== null && $this->userSession->isLoggedIn()) {
+            $location = $this->urlGenerator->getAbsoluteURL($redirectUrl);
+            // Deny the redirect if the URL contains a @
+            // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
+            if (!str_contains($location, '@')) {
+                return new RedirectResponse($location);
+            }
+        }
+        return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
+    }
+
+    #[NoCSRFRequired]
+    #[PublicPage]
+    #[BruteForceProtection(action: 'login')]
+    #[UseSession]
+    #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
+    #[FrontpageRoute(verb: 'POST', url: '/login')]
+    public function tryLogin(
+        Chain $loginChain,
+        ITrustedDomainHelper $trustedDomainHelper,
+        string $user = '',
+        string $password = '',
+        bool $rememberme = false,
+        ?string $redirect_url = null,
+        string $timezone = '',
+        string $timezone_offset = '',
+    ): RedirectResponse {
+        $error = '';
+
+        $origin = $this->request->getHeader('Origin');
+        $throttle = true;
+        if ($origin === '' || !$trustedDomainHelper->isTrustedUrl($origin)) {
+            // Login attempt not from the same origin,
+            // We only allow this on the login flow but not on the UI login page.
+            // This could have come from someone malicious who tries to block a user by triggering the bruteforce protection.
+            $error = self::LOGIN_MSG_INVALID_ORIGIN;
+            $throttle = false;
+        } elseif (!$this->request->passesCSRFCheck()) {
+            if ($this->userSession->isLoggedIn()) {
+                // If the user is already logged in and the CSRF check does not pass then
+                // simply redirect the user to the correct page as required. This is the
+                // case when a user has already logged-in, in another tab.
+                return $this->generateRedirect($redirect_url);
+            }
+            $error = self::LOGIN_MSG_CSRFCHECKFAILED;
+        }
+
+        if ($error !== '') {
+            // Clear any auth remnants like cookies to ensure a clean login
+            // For the next attempt
+            $this->userSession->logout();
+            return $this->createLoginFailedResponse(
+                $user,
+                $user,
+                $redirect_url,
+                $error,
+                $throttle,
+            );
+        }
+
+        $user = trim($user);
+
+        if (strlen($user) > 255) {
+            return $this->createLoginFailedResponse(
+                $user,
+                $user,
+                $redirect_url,
+                $this->l10n->t('Unsupported email length (>255)')
+            );
+        }
+
+        $data = new LoginData(
+            $this->request,
+            $user,
+            $password,
+            $rememberme,
+            $redirect_url,
+            $timezone,
+            $timezone_offset,
+        );
+        $result = $loginChain->process($data);
+        if (!$result->isSuccess()) {
+            return $this->createLoginFailedResponse(
+                $data->getUsername(),
+                $user,
+                $redirect_url,
+                $result->getErrorMessage()
+            );
+        }
+
+        if ($result->getRedirectUrl() !== null) {
+            return new RedirectResponse($result->getRedirectUrl());
+        }
+        return $this->generateRedirect($redirect_url);
+    }
+
+    /**
+     * Creates a login failed response.
+     *
+     * @param string $user
+     * @param string $originalUser
+     * @param string $redirect_url
+     * @param string $loginMessage
+     *
+     * @return RedirectResponse
+     */
+    private function createLoginFailedResponse(
+        $user,
+        $originalUser,
+        $redirect_url,
+        string $loginMessage,
+        bool $throttle = true,
+    ) {
+        // Read current user and append if possible we need to
+        // return the unmodified user otherwise we will leak the login name
+        $args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
+        if ($redirect_url !== null) {
+            $args['redirect_url'] = $redirect_url;
+        }
+        $response = new RedirectResponse(
+            $this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
+        );
+        if ($throttle) {
+            $response->throttle(['user' => substr($user, 0, 64)]);
+        }
+        $this->session->set('loginMessages', [
+            [$loginMessage], []
+        ]);
+
+        return $response;
+    }
+
+    /**
+     * Confirm the user password
+     *
+     * @license GNU AGPL version 3 or any later version
+     *
+     * @param string $password The password of the user
+     *
+     * @return DataResponse<Http::STATUS_OK, array{lastLogin: int}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, list<empty>, array{}>
+     *
+     * 200: Password confirmation succeeded
+     * 403: Password confirmation failed
+     */
+    #[NoAdminRequired]
+    #[BruteForceProtection(action: 'sudo')]
+    #[UseSession]
+    #[NoCSRFRequired]
+    #[FrontpageRoute(verb: 'POST', url: '/login/confirm')]
+    #[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
+    public function confirmPassword(string $password): DataResponse {
+        $loginName = $this->userSession->getLoginName();
+        $loginResult = $this->userManager->checkPassword($loginName, $password);
+        if ($loginResult === false) {
+            $response = new DataResponse([], Http::STATUS_FORBIDDEN);
+            $response->throttle(['loginName' => $loginName]);
+            return $response;
+        }
+
+        $confirmTimestamp = time();
+        $this->session->set('last-password-confirm', $confirmTimestamp);
+        $this->throttler->resetDelay($this->request->getRemoteAddress(), 'sudo', ['loginName' => $loginName]);
+        return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);
+    }
 }

tests/lib/Authentication/Login/ALoginTestCommand.php

Indentation +87 added lines, -87 removed lines

@@ -16,91 +16,91 @@
 use Test\TestCase;
 
 abstract class ALoginTestCommand extends TestCase {
-	/** @var IRequest|MockObject */
-	protected $request;
-
-	/** @var string */
-	protected $username = 'user123';
-
-	/** @var string */
-	protected $password = '123456';
-
-	/** @var string */
-	protected $redirectUrl = '/apps/contacts';
-
-	/** @var string */
-	protected $timezone = 'Europe/Vienna';
-
-	protected $timeZoneOffset = '2';
-
-	/** @var IUser|MockObject */
-	protected $user;
-
-	/** @var ALoginTestCommand */
-	protected $cmd;
-
-	protected function setUp(): void {
-		parent::setUp();
-
-		$this->request = $this->createMock(IRequest::class);
-		$this->user = $this->createMock(IUser::class);
-	}
-
-	protected function getBasicLoginData(): LoginData {
-		return new LoginData(
-			$this->request,
-			$this->username,
-			$this->password
-		);
-	}
-
-	protected function getInvalidLoginData(): LoginData {
-		return new LoginData(
-			$this->request,
-			$this->username,
-			$this->password
-		);
-	}
-
-	protected function getFailedLoginData(): LoginData {
-		$data = new LoginData(
-			$this->request,
-			$this->username,
-			$this->password
-		);
-		$data->setUser(false);
-		return $data;
-	}
-
-	protected function getLoggedInLoginData(): LoginData {
-		$basic = $this->getBasicLoginData();
-		$basic->setUser($this->user);
-		return $basic;
-	}
-
-	protected function getLoggedInLoginDataWithRedirectUrl(): LoginData {
-		$data = new LoginData(
-			$this->request,
-			$this->username,
-			$this->password,
-			true,
-			$this->redirectUrl
-		);
-		$data->setUser($this->user);
-		return $data;
-	}
-
-	protected function getLoggedInLoginDataWithTimezone(): LoginData {
-		$data = new LoginData(
-			$this->request,
-			$this->username,
-			$this->password,
-			true,
-			null,
-			$this->timezone,
-			$this->timeZoneOffset
-		);
-		$data->setUser($this->user);
-		return $data;
-	}
+    /** @var IRequest|MockObject */
+    protected $request;
+
+    /** @var string */
+    protected $username = 'user123';
+
+    /** @var string */
+    protected $password = '123456';
+
+    /** @var string */
+    protected $redirectUrl = '/apps/contacts';
+
+    /** @var string */
+    protected $timezone = 'Europe/Vienna';
+
+    protected $timeZoneOffset = '2';
+
+    /** @var IUser|MockObject */
+    protected $user;
+
+    /** @var ALoginTestCommand */
+    protected $cmd;
+
+    protected function setUp(): void {
+        parent::setUp();
+
+        $this->request = $this->createMock(IRequest::class);
+        $this->user = $this->createMock(IUser::class);
+    }
+
+    protected function getBasicLoginData(): LoginData {
+        return new LoginData(
+            $this->request,
+            $this->username,
+            $this->password
+        );
+    }
+
+    protected function getInvalidLoginData(): LoginData {
+        return new LoginData(
+            $this->request,
+            $this->username,
+            $this->password
+        );
+    }
+
+    protected function getFailedLoginData(): LoginData {
+        $data = new LoginData(
+            $this->request,
+            $this->username,
+            $this->password
+        );
+        $data->setUser(false);
+        return $data;
+    }
+
+    protected function getLoggedInLoginData(): LoginData {
+        $basic = $this->getBasicLoginData();
+        $basic->setUser($this->user);
+        return $basic;
+    }
+
+    protected function getLoggedInLoginDataWithRedirectUrl(): LoginData {
+        $data = new LoginData(
+            $this->request,
+            $this->username,
+            $this->password,
+            true,
+            $this->redirectUrl
+        );
+        $data->setUser($this->user);
+        return $data;
+    }
+
+    protected function getLoggedInLoginDataWithTimezone(): LoginData {
+        $data = new LoginData(
+            $this->request,
+            $this->username,
+            $this->password,
+            true,
+            null,
+            $this->timezone,
+            $this->timeZoneOffset
+        );
+        $data->setUser($this->user);
+        return $data;
+    }
 }

tests/Core/Controller/LoginControllerTest.php

Indentation +688 added lines, -688 removed lines

@@ -36,692 +36,692 @@
 use Test\TestCase;
 
 class LoginControllerTest extends TestCase {
-	/** @var LoginController */
-	private $loginController;
-
-	/** @var IRequest|MockObject */
-	private $request;
-
-	/** @var IUserManager|MockObject */
-	private $userManager;
-
-	/** @var IConfig|MockObject */
-	private $config;
-
-	/** @var ISession|MockObject */
-	private $session;
-
-	/** @var Session|MockObject */
-	private $userSession;
-
-	/** @var IURLGenerator|MockObject */
-	private $urlGenerator;
-
-	/** @var Manager|MockObject */
-	private $twoFactorManager;
-
-	/** @var Defaults|MockObject */
-	private $defaults;
-
-	/** @var IThrottler|MockObject */
-	private $throttler;
-
-	/** @var IInitialState|MockObject */
-	private $initialState;
-
-	/** @var \OC\Authentication\WebAuthn\Manager|MockObject */
-	private $webAuthnManager;
-
-	/** @var IManager|MockObject */
-	private $notificationManager;
-
-	/** @var IL10N|MockObject */
-	private $l;
-
-	/** @var IAppManager|MockObject */
-	private $appManager;
-
-	protected function setUp(): void {
-		parent::setUp();
-		$this->request = $this->createMock(IRequest::class);
-		$this->userManager = $this->createMock(\OC\User\Manager::class);
-		$this->config = $this->createMock(IConfig::class);
-		$this->session = $this->createMock(ISession::class);
-		$this->userSession = $this->createMock(Session::class);
-		$this->urlGenerator = $this->createMock(IURLGenerator::class);
-		$this->twoFactorManager = $this->createMock(Manager::class);
-		$this->defaults = $this->createMock(Defaults::class);
-		$this->throttler = $this->createMock(IThrottler::class);
-		$this->initialState = $this->createMock(IInitialState::class);
-		$this->webAuthnManager = $this->createMock(\OC\Authentication\WebAuthn\Manager::class);
-		$this->notificationManager = $this->createMock(IManager::class);
-		$this->l = $this->createMock(IL10N::class);
-		$this->appManager = $this->createMock(IAppManager::class);
-
-		$this->l->expects($this->any())
-			->method('t')
-			->willReturnCallback(function ($text, $parameters = []) {
-				return vsprintf($text, $parameters);
-			});
-
-
-		$this->request->method('getRemoteAddress')
-			->willReturn('1.2.3.4');
-		$this->request->method('getHeader')
-			->with('Origin')
-			->willReturn('domain.example.com');
-		$this->throttler->method('getDelay')
-			->with(
-				$this->equalTo('1.2.3.4'),
-				$this->equalTo('')
-			)->willReturn(1000);
-
-		$this->loginController = new LoginController(
-			'core',
-			$this->request,
-			$this->userManager,
-			$this->config,
-			$this->session,
-			$this->userSession,
-			$this->urlGenerator,
-			$this->defaults,
-			$this->throttler,
-			$this->initialState,
-			$this->webAuthnManager,
-			$this->notificationManager,
-			$this->l,
-			$this->appManager,
-		);
-	}
-
-	public function testLogoutWithoutToken(): void {
-		$this->request
-			->expects($this->once())
-			->method('getCookie')
-			->with('nc_token')
-			->willReturn(null);
-		$this->request
-			->method('getServerProtocol')
-			->willReturn('https');
-		$this->request
-			->expects($this->once())
-			->method('isUserAgent')
-			->willReturn(false);
-		$this->config
-			->expects($this->never())
-			->method('deleteUserValue');
-		$this->urlGenerator
-			->expects($this->once())
-			->method('linkToRouteAbsolute')
-			->with('core.login.showLoginForm')
-			->willReturn('/login');
-
-		$expected = new RedirectResponse('/login');
-		$expected->addHeader('Clear-Site-Data', '"cache", "storage"');
-		$this->assertEquals($expected, $this->loginController->logout());
-	}
-
-	public function testLogoutNoClearSiteData(): void {
-		$this->request
-			->expects($this->once())
-			->method('getCookie')
-			->with('nc_token')
-			->willReturn(null);
-		$this->request
-			->method('getServerProtocol')
-			->willReturn('https');
-		$this->request
-			->expects($this->once())
-			->method('isUserAgent')
-			->willReturn(true);
-		$this->urlGenerator
-			->expects($this->once())
-			->method('linkToRouteAbsolute')
-			->with('core.login.showLoginForm')
-			->willReturn('/login');
-
-		$expected = new RedirectResponse('/login');
-		$this->assertEquals($expected, $this->loginController->logout());
-	}
-
-	public function testLogoutWithToken(): void {
-		$this->request
-			->expects($this->once())
-			->method('getCookie')
-			->with('nc_token')
-			->willReturn('MyLoginToken');
-		$this->request
-			->method('getServerProtocol')
-			->willReturn('https');
-		$this->request
-			->expects($this->once())
-			->method('isUserAgent')
-			->willReturn(false);
-		$user = $this->createMock(IUser::class);
-		$user
-			->expects($this->once())
-			->method('getUID')
-			->willReturn('JohnDoe');
-		$this->userSession
-			->expects($this->once())
-			->method('getUser')
-			->willReturn($user);
-		$this->config
-			->expects($this->once())
-			->method('deleteUserValue')
-			->with('JohnDoe', 'login_token', 'MyLoginToken');
-		$this->urlGenerator
-			->expects($this->once())
-			->method('linkToRouteAbsolute')
-			->with('core.login.showLoginForm')
-			->willReturn('/login');
-
-		$expected = new RedirectResponse('/login');
-		$expected->addHeader('Clear-Site-Data', '"cache", "storage"');
-		$this->assertEquals($expected, $this->loginController->logout());
-	}
-
-	public function testShowLoginFormForLoggedInUsers(): void {
-		$this->userSession
-			->expects($this->once())
-			->method('isLoggedIn')
-			->willReturn(true);
-		$this->urlGenerator
-			->expects($this->once())
-			->method('linkToDefaultPageUrl')
-			->willReturn('/default/foo');
-
-		$expectedResponse = new RedirectResponse('/default/foo');
-		$this->assertEquals($expectedResponse, $this->loginController->showLoginForm('', ''));
-	}
-
-	public function testShowLoginFormWithErrorsInSession(): void {
-		$this->userSession
-			->expects($this->once())
-			->method('isLoggedIn')
-			->willReturn(false);
-		$this->session
-			->expects($this->once())
-			->method('get')
-			->with('loginMessages')
-			->willReturn(
-				[
-					[
-						'ErrorArray1',
-						'ErrorArray2',
-					],
-					[
-						'MessageArray1',
-						'MessageArray2',
-					],
-				]
-			);
-
-		$calls = [
-			[
-				'loginMessages',
-				[
-					'MessageArray1',
-					'MessageArray2',
-					'This community release of Nextcloud is unsupported and push notifications are limited.',
-				],
-			],
-			[
-				'loginErrors',
-				[
-					'ErrorArray1',
-					'ErrorArray2',
-				],
-			],
-			[
-				'loginUsername',
-				'',
-			]
-		];
-		$this->initialState->expects($this->exactly(14))
-			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
-				$expected = array_shift($calls);
-				if (!empty($expected)) {
-					$this->assertEquals($expected, func_get_args());
-				}
-			});
-
-		$expectedResponse = new TemplateResponse(
-			'core',
-			'login',
-			[
-				'alt_login' => [],
-				'pageTitle' => 'Login'
-			],
-			'guest'
-		);
-		$this->assertEquals($expectedResponse, $this->loginController->showLoginForm('', ''));
-	}
-
-	public function testShowLoginFormForFlowAuth(): void {
-		$this->userSession
-			->expects($this->once())
-			->method('isLoggedIn')
-			->willReturn(false);
-		$calls = [
-			[], [], [],
-			[
-				'loginAutocomplete',
-				false
-			],
-			[
-				'loginCanRememberme',
-				false
-			],
-			[
-				'loginRedirectUrl',
-				'login/flow'
-			],
-		];
-		$this->initialState->expects($this->exactly(15))
-			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
-				$expected = array_shift($calls);
-				if (!empty($expected)) {
-					$this->assertEquals($expected, func_get_args());
-				}
-			});
-
-		$expectedResponse = new TemplateResponse(
-			'core',
-			'login',
-			[
-				'alt_login' => [],
-				'pageTitle' => 'Login'
-			],
-			'guest'
-		);
-		$this->assertEquals($expectedResponse, $this->loginController->showLoginForm('', 'login/flow'));
-	}
-
-	/**
-	 * @return array
-	 */
-	public static function passwordResetDataProvider(): array {
-		return [
-			[
-				true,
-				true,
-			],
-			[
-				false,
-				false,
-			],
-		];
-	}
-
-	#[DataProvider('passwordResetDataProvider')]
-	public function testShowLoginFormWithPasswordResetOption($canChangePassword,
-		$expectedResult): void {
-		$this->userSession
-			->expects($this->once())
-			->method('isLoggedIn')
-			->willReturn(false);
-		$this->config
-			->expects(self::once())
-			->method('getSystemValue')
-			->willReturnMap([
-				['login_form_autocomplete', true, true],
-			]);
-		$this->config
-			->expects(self::once())
-			->method('getSystemValueString')
-			->willReturnMap([
-				['lost_password_link', '', ''],
-			]);
-		$user = $this->createMock(IUser::class);
-		$user
-			->expects($this->once())
-			->method('canChangePassword')
-			->willReturn($canChangePassword);
-		$this->userManager
-			->expects($this->once())
-			->method('get')
-			->with('LdapUser')
-			->willReturn($user);
-		$calls = [
-			[], [],
-			[
-				'loginUsername',
-				'LdapUser'
-			],
-			[], [], [], [],
-			[
-				'loginCanResetPassword',
-				$expectedResult
-			],
-		];
-		$this->initialState->expects($this->exactly(14))
-			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
-				$expected = array_shift($calls);
-				if (!empty($expected)) {
-					$this->assertEquals($expected, func_get_args());
-				}
-			});
-
-		$expectedResponse = new TemplateResponse(
-			'core',
-			'login',
-			[
-				'alt_login' => [],
-				'pageTitle' => 'Login'
-			],
-			'guest'
-		);
-		$this->assertEquals($expectedResponse, $this->loginController->showLoginForm('LdapUser', ''));
-	}
-
-	public function testShowLoginFormForUserNamed0(): void {
-		$this->userSession
-			->expects($this->once())
-			->method('isLoggedIn')
-			->willReturn(false);
-		$this->config
-			->expects(self::once())
-			->method('getSystemValue')
-			->willReturnMap([
-				['login_form_autocomplete', true, true],
-			]);
-		$this->config
-			->expects(self::once())
-			->method('getSystemValueString')
-			->willReturnMap([
-				['lost_password_link', '', ''],
-			]);
-		$user = $this->createMock(IUser::class);
-		$user->expects($this->once())
-			->method('canChangePassword')
-			->willReturn(false);
-		$this->userManager
-			->expects($this->once())
-			->method('get')
-			->with('0')
-			->willReturn($user);
-		$calls = [
-			[], [], [],
-			[
-				'loginAutocomplete',
-				true
-			],
-			[
-				'loginCanRememberme',
-				false
-			],
-			[],
-			[
-				'loginResetPasswordLink',
-				false
-			],
-			[
-				'loginCanResetPassword',
-				false
-			],
-		];
-		$this->initialState->expects($this->exactly(14))
-			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
-				$expected = array_shift($calls);
-				if (!empty($expected)) {
-					$this->assertEquals($expected, func_get_args());
-				}
-			});
-
-		$expectedResponse = new TemplateResponse(
-			'core',
-			'login',
-			[
-				'alt_login' => [],
-				'pageTitle' => 'Login'
-			],
-			'guest'
-		);
-		$this->assertEquals($expectedResponse, $this->loginController->showLoginForm('0', ''));
-	}
-
-	public static function remembermeProvider(): array {
-		return [
-			[
-				true,
-			],
-			[
-				false,
-			],
-		];
-	}
-
-	#[DataProvider('remembermeProvider')]
-	public function testLoginWithInvalidCredentials(bool $rememberme): void {
-		$user = 'MyUserName';
-		$password = 'secret';
-		$loginPageUrl = '/login?redirect_url=/apps/files';
-		$loginChain = $this->createMock(LoginChain::class);
-		$trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
-		$trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
-		$this->request
-			->expects($this->once())
-			->method('passesCSRFCheck')
-			->willReturn(true);
-		$loginData = new LoginData(
-			$this->request,
-			$user,
-			$password,
-			$rememberme,
-			'/apps/files'
-		);
-		$loginResult = LoginResult::failure($loginData, LoginController::LOGIN_MSG_INVALIDPASSWORD);
-		$loginChain->expects($this->once())
-			->method('process')
-			->with($this->equalTo($loginData))
-			->willReturn($loginResult);
-		$this->urlGenerator->expects($this->once())
-			->method('linkToRoute')
-			->with('core.login.showLoginForm', [
-				'user' => $user,
-				'redirect_url' => '/apps/files',
-				'direct' => 1,
-			])
-			->willReturn($loginPageUrl);
-		$expected = new RedirectResponse($loginPageUrl);
-		$expected->throttle(['user' => 'MyUserName']);
-
-		$response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, $user, $password, $rememberme, '/apps/files');
-
-		$this->assertEquals($expected, $response);
-	}
-
-	#[DataProvider('remembermeProvider')]
-	public function testLoginWithValidCredentials(bool $rememberme): void {
-		$user = 'MyUserName';
-		$password = 'secret';
-		$loginChain = $this->createMock(LoginChain::class);
-		$trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
-		$trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
-		$this->request
-			->expects($this->once())
-			->method('passesCSRFCheck')
-			->willReturn(true);
-		$loginData = new LoginData(
-			$this->request,
-			$user,
-			$password,
-			$rememberme,
-		);
-		$loginResult = LoginResult::success($loginData);
-		$loginChain->expects($this->once())
-			->method('process')
-			->with($this->equalTo($loginData))
-			->willReturn($loginResult);
-		$this->urlGenerator
-			->expects($this->once())
-			->method('linkToDefaultPageUrl')
-			->willReturn('/default/foo');
-
-		$expected = new RedirectResponse('/default/foo');
-		$this->assertEquals($expected, $this->loginController->tryLogin($loginChain, $trustedDomainHelper, $user, $password, $rememberme));
-	}
-
-	#[DataProvider('remembermeProvider')]
-	public function testLoginWithoutPassedCsrfCheckAndNotLoggedIn(bool $rememberme): void {
-		/** @var IUser|MockObject $user */
-		$user = $this->createMock(IUser::class);
-		$user->expects($this->any())
-			->method('getUID')
-			->willReturn('jane');
-		$password = 'secret';
-		$originalUrl = 'another%20url';
-		$loginChain = $this->createMock(LoginChain::class);
-		$trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
-		$trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
-		$this->request
-			->expects($this->once())
-			->method('passesCSRFCheck')
-			->willReturn(false);
-		$this->userSession
-			->method('isLoggedIn')
-			->with()
-			->willReturn(false);
-		$this->config->expects($this->never())
-			->method('deleteUserValue');
-		$this->userSession->expects($this->never())
-			->method('createRememberMeToken');
-
-		$response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, 'Jane', $password, $rememberme, $originalUrl);
-
-		$expected = new RedirectResponse('');
-		$expected->throttle(['user' => 'Jane']);
-		$this->assertEquals($expected, $response);
-	}
-
-	#[DataProvider('remembermeProvider')]
-	public function testLoginWithoutPassedCsrfCheckAndLoggedIn(bool $rememberme): void {
-		/** @var IUser|MockObject $user */
-		$user = $this->createMock(IUser::class);
-		$user->expects($this->any())
-			->method('getUID')
-			->willReturn('jane');
-		$password = 'secret';
-		$originalUrl = 'another url';
-		$redirectUrl = 'http://localhost/another url';
-		$loginChain = $this->createMock(LoginChain::class);
-		$trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
-		$trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
-		$this->request
-			->expects($this->once())
-			->method('passesCSRFCheck')
-			->willReturn(false);
-		$this->userSession
-			->method('isLoggedIn')
-			->with()
-			->willReturn(true);
-		$this->urlGenerator->expects($this->once())
-			->method('getAbsoluteURL')
-			->with(urldecode($originalUrl))
-			->willReturn($redirectUrl);
-		$this->config->expects($this->never())
-			->method('deleteUserValue');
-		$this->userSession->expects($this->never())
-			->method('createRememberMeToken');
-		$this->config
-			->method('getSystemValue')
-			->with('remember_login_cookie_lifetime')
-			->willReturn(1234);
-
-		$response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, 'Jane', $password, $rememberme, $originalUrl);
-
-		$expected = new RedirectResponse($redirectUrl);
-		$this->assertEquals($expected, $response);
-	}
-
-	#[DataProvider('remembermeProvider')]
-	public function testLoginWithValidCredentialsAndRedirectUrl(bool $rememberme): void {
-		$user = 'MyUserName';
-		$password = 'secret';
-		$redirectUrl = 'https://next.cloud/apps/mail';
-		$loginChain = $this->createMock(LoginChain::class);
-		$trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
-		$trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
-		$this->request
-			->expects($this->once())
-			->method('passesCSRFCheck')
-			->willReturn(true);
-		$loginData = new LoginData(
-			$this->request,
-			$user,
-			$password,
-			$rememberme,
-			'/apps/mail'
-		);
-		$loginResult = LoginResult::success($loginData);
-		$loginChain->expects($this->once())
-			->method('process')
-			->with($this->equalTo($loginData))
-			->willReturn($loginResult);
-		$this->userSession->expects($this->once())
-			->method('isLoggedIn')
-			->willReturn(true);
-		$this->urlGenerator->expects($this->once())
-			->method('getAbsoluteURL')
-			->with('/apps/mail')
-			->willReturn($redirectUrl);
-		$expected = new RedirectResponse($redirectUrl);
-
-		$response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, $user, $password, $rememberme, '/apps/mail');
-
-		$this->assertEquals($expected, $response);
-	}
-
-	#[DataProvider('remembermeProvider')]
-	public function testToNotLeakLoginName(bool $rememberme): void {
-		$loginChain = $this->createMock(LoginChain::class);
-		$trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
-		$trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
-		$this->request
-			->expects($this->once())
-			->method('passesCSRFCheck')
-			->willReturn(true);
-		$loginPageUrl = '/login?redirect_url=/apps/files';
-		$loginData = new LoginData(
-			$this->request,
-			'john@doe.com',
-			'just wrong',
-			$rememberme,
-			'/apps/files'
-		);
-		$loginResult = LoginResult::failure($loginData, LoginController::LOGIN_MSG_INVALIDPASSWORD);
-		$loginChain->expects($this->once())
-			->method('process')
-			->with($this->equalTo($loginData))
-			->willReturnCallback(function (LoginData $data) use ($loginResult) {
-				$data->setUsername('john');
-				return $loginResult;
-			});
-		$this->urlGenerator->expects($this->once())
-			->method('linkToRoute')
-			->with('core.login.showLoginForm', [
-				'user' => 'john@doe.com',
-				'redirect_url' => '/apps/files',
-				'direct' => 1,
-			])
-			->willReturn($loginPageUrl);
-		$expected = new RedirectResponse($loginPageUrl);
-		$expected->throttle(['user' => 'john']);
-
-		$response = $this->loginController->tryLogin(
-			$loginChain,
-			$trustedDomainHelper,
-			'john@doe.com',
-			'just wrong',
-			$rememberme,
-			'/apps/files'
-		);
-
-		$this->assertEquals($expected, $response);
-	}
+    /** @var LoginController */
+    private $loginController;
+
+    /** @var IRequest|MockObject */
+    private $request;
+
+    /** @var IUserManager|MockObject */
+    private $userManager;
+
+    /** @var IConfig|MockObject */
+    private $config;
+
+    /** @var ISession|MockObject */
+    private $session;
+
+    /** @var Session|MockObject */
+    private $userSession;
+
+    /** @var IURLGenerator|MockObject */
+    private $urlGenerator;
+
+    /** @var Manager|MockObject */
+    private $twoFactorManager;
+
+    /** @var Defaults|MockObject */
+    private $defaults;
+
+    /** @var IThrottler|MockObject */
+    private $throttler;
+
+    /** @var IInitialState|MockObject */
+    private $initialState;
+
+    /** @var \OC\Authentication\WebAuthn\Manager|MockObject */
+    private $webAuthnManager;
+
+    /** @var IManager|MockObject */
+    private $notificationManager;
+
+    /** @var IL10N|MockObject */
+    private $l;
+
+    /** @var IAppManager|MockObject */
+    private $appManager;
+
+    protected function setUp(): void {
+        parent::setUp();
+        $this->request = $this->createMock(IRequest::class);
+        $this->userManager = $this->createMock(\OC\User\Manager::class);
+        $this->config = $this->createMock(IConfig::class);
+        $this->session = $this->createMock(ISession::class);
+        $this->userSession = $this->createMock(Session::class);
+        $this->urlGenerator = $this->createMock(IURLGenerator::class);
+        $this->twoFactorManager = $this->createMock(Manager::class);
+        $this->defaults = $this->createMock(Defaults::class);
+        $this->throttler = $this->createMock(IThrottler::class);
+        $this->initialState = $this->createMock(IInitialState::class);
+        $this->webAuthnManager = $this->createMock(\OC\Authentication\WebAuthn\Manager::class);
+        $this->notificationManager = $this->createMock(IManager::class);
+        $this->l = $this->createMock(IL10N::class);
+        $this->appManager = $this->createMock(IAppManager::class);
+
+        $this->l->expects($this->any())
+            ->method('t')
+            ->willReturnCallback(function ($text, $parameters = []) {
+                return vsprintf($text, $parameters);
+            });
+
+
+        $this->request->method('getRemoteAddress')
+            ->willReturn('1.2.3.4');
+        $this->request->method('getHeader')
+            ->with('Origin')
+            ->willReturn('domain.example.com');
+        $this->throttler->method('getDelay')
+            ->with(
+                $this->equalTo('1.2.3.4'),
+                $this->equalTo('')
+            )->willReturn(1000);
+
+        $this->loginController = new LoginController(
+            'core',
+            $this->request,
+            $this->userManager,
+            $this->config,
+            $this->session,
+            $this->userSession,
+            $this->urlGenerator,
+            $this->defaults,
+            $this->throttler,
+            $this->initialState,
+            $this->webAuthnManager,
+            $this->notificationManager,
+            $this->l,
+            $this->appManager,
+        );
+    }
+
+    public function testLogoutWithoutToken(): void {
+        $this->request
+            ->expects($this->once())
+            ->method('getCookie')
+            ->with('nc_token')
+            ->willReturn(null);
+        $this->request
+            ->method('getServerProtocol')
+            ->willReturn('https');
+        $this->request
+            ->expects($this->once())
+            ->method('isUserAgent')
+            ->willReturn(false);
+        $this->config
+            ->expects($this->never())
+            ->method('deleteUserValue');
+        $this->urlGenerator
+            ->expects($this->once())
+            ->method('linkToRouteAbsolute')
+            ->with('core.login.showLoginForm')
+            ->willReturn('/login');
+
+        $expected = new RedirectResponse('/login');
+        $expected->addHeader('Clear-Site-Data', '"cache", "storage"');
+        $this->assertEquals($expected, $this->loginController->logout());
+    }
+
+    public function testLogoutNoClearSiteData(): void {
+        $this->request
+            ->expects($this->once())
+            ->method('getCookie')
+            ->with('nc_token')
+            ->willReturn(null);
+        $this->request
+            ->method('getServerProtocol')
+            ->willReturn('https');
+        $this->request
+            ->expects($this->once())
+            ->method('isUserAgent')
+            ->willReturn(true);
+        $this->urlGenerator
+            ->expects($this->once())
+            ->method('linkToRouteAbsolute')
+            ->with('core.login.showLoginForm')
+            ->willReturn('/login');
+
+        $expected = new RedirectResponse('/login');
+        $this->assertEquals($expected, $this->loginController->logout());
+    }
+
+    public function testLogoutWithToken(): void {
+        $this->request
+            ->expects($this->once())
+            ->method('getCookie')
+            ->with('nc_token')
+            ->willReturn('MyLoginToken');
+        $this->request
+            ->method('getServerProtocol')
+            ->willReturn('https');
+        $this->request
+            ->expects($this->once())
+            ->method('isUserAgent')
+            ->willReturn(false);
+        $user = $this->createMock(IUser::class);
+        $user
+            ->expects($this->once())
+            ->method('getUID')
+            ->willReturn('JohnDoe');
+        $this->userSession
+            ->expects($this->once())
+            ->method('getUser')
+            ->willReturn($user);
+        $this->config
+            ->expects($this->once())
+            ->method('deleteUserValue')
+            ->with('JohnDoe', 'login_token', 'MyLoginToken');
+        $this->urlGenerator
+            ->expects($this->once())
+            ->method('linkToRouteAbsolute')
+            ->with('core.login.showLoginForm')
+            ->willReturn('/login');
+
+        $expected = new RedirectResponse('/login');
+        $expected->addHeader('Clear-Site-Data', '"cache", "storage"');
+        $this->assertEquals($expected, $this->loginController->logout());
+    }
+
+    public function testShowLoginFormForLoggedInUsers(): void {
+        $this->userSession
+            ->expects($this->once())
+            ->method('isLoggedIn')
+            ->willReturn(true);
+        $this->urlGenerator
+            ->expects($this->once())
+            ->method('linkToDefaultPageUrl')
+            ->willReturn('/default/foo');
+
+        $expectedResponse = new RedirectResponse('/default/foo');
+        $this->assertEquals($expectedResponse, $this->loginController->showLoginForm('', ''));
+    }
+
+    public function testShowLoginFormWithErrorsInSession(): void {
+        $this->userSession
+            ->expects($this->once())
+            ->method('isLoggedIn')
+            ->willReturn(false);
+        $this->session
+            ->expects($this->once())
+            ->method('get')
+            ->with('loginMessages')
+            ->willReturn(
+                [
+                    [
+                        'ErrorArray1',
+                        'ErrorArray2',
+                    ],
+                    [
+                        'MessageArray1',
+                        'MessageArray2',
+                    ],
+                ]
+            );
+
+        $calls = [
+            [
+                'loginMessages',
+                [
+                    'MessageArray1',
+                    'MessageArray2',
+                    'This community release of Nextcloud is unsupported and push notifications are limited.',
+                ],
+            ],
+            [
+                'loginErrors',
+                [
+                    'ErrorArray1',
+                    'ErrorArray2',
+                ],
+            ],
+            [
+                'loginUsername',
+                '',
+            ]
+        ];
+        $this->initialState->expects($this->exactly(14))
+            ->method('provideInitialState')
+            ->willReturnCallback(function () use (&$calls): void {
+                $expected = array_shift($calls);
+                if (!empty($expected)) {
+                    $this->assertEquals($expected, func_get_args());
+                }
+            });
+
+        $expectedResponse = new TemplateResponse(
+            'core',
+            'login',
+            [
+                'alt_login' => [],
+                'pageTitle' => 'Login'
+            ],
+            'guest'
+        );
+        $this->assertEquals($expectedResponse, $this->loginController->showLoginForm('', ''));
+    }
+
+    public function testShowLoginFormForFlowAuth(): void {
+        $this->userSession
+            ->expects($this->once())
+            ->method('isLoggedIn')
+            ->willReturn(false);
+        $calls = [
+            [], [], [],
+            [
+                'loginAutocomplete',
+                false
+            ],
+            [
+                'loginCanRememberme',
+                false
+            ],
+            [
+                'loginRedirectUrl',
+                'login/flow'
+            ],
+        ];
+        $this->initialState->expects($this->exactly(15))
+            ->method('provideInitialState')
+            ->willReturnCallback(function () use (&$calls): void {
+                $expected = array_shift($calls);
+                if (!empty($expected)) {
+                    $this->assertEquals($expected, func_get_args());
+                }
+            });
+
+        $expectedResponse = new TemplateResponse(
+            'core',
+            'login',
+            [
+                'alt_login' => [],
+                'pageTitle' => 'Login'
+            ],
+            'guest'
+        );
+        $this->assertEquals($expectedResponse, $this->loginController->showLoginForm('', 'login/flow'));
+    }
+
+    /**
+     * @return array
+     */
+    public static function passwordResetDataProvider(): array {
+        return [
+            [
+                true,
+                true,
+            ],
+            [
+                false,
+                false,
+            ],
+        ];
+    }
+
+    #[DataProvider('passwordResetDataProvider')]
+    public function testShowLoginFormWithPasswordResetOption($canChangePassword,
+        $expectedResult): void {
+        $this->userSession
+            ->expects($this->once())
+            ->method('isLoggedIn')
+            ->willReturn(false);
+        $this->config
+            ->expects(self::once())
+            ->method('getSystemValue')
+            ->willReturnMap([
+                ['login_form_autocomplete', true, true],
+            ]);
+        $this->config
+            ->expects(self::once())
+            ->method('getSystemValueString')
+            ->willReturnMap([
+                ['lost_password_link', '', ''],
+            ]);
+        $user = $this->createMock(IUser::class);
+        $user
+            ->expects($this->once())
+            ->method('canChangePassword')
+            ->willReturn($canChangePassword);
+        $this->userManager
+            ->expects($this->once())
+            ->method('get')
+            ->with('LdapUser')
+            ->willReturn($user);
+        $calls = [
+            [], [],
+            [
+                'loginUsername',
+                'LdapUser'
+            ],
+            [], [], [], [],
+            [
+                'loginCanResetPassword',
+                $expectedResult
+            ],
+        ];
+        $this->initialState->expects($this->exactly(14))
+            ->method('provideInitialState')
+            ->willReturnCallback(function () use (&$calls): void {
+                $expected = array_shift($calls);
+                if (!empty($expected)) {
+                    $this->assertEquals($expected, func_get_args());
+                }
+            });
+
+        $expectedResponse = new TemplateResponse(
+            'core',
+            'login',
+            [
+                'alt_login' => [],
+                'pageTitle' => 'Login'
+            ],
+            'guest'
+        );
+        $this->assertEquals($expectedResponse, $this->loginController->showLoginForm('LdapUser', ''));
+    }
+
+    public function testShowLoginFormForUserNamed0(): void {
+        $this->userSession
+            ->expects($this->once())
+            ->method('isLoggedIn')
+            ->willReturn(false);
+        $this->config
+            ->expects(self::once())
+            ->method('getSystemValue')
+            ->willReturnMap([
+                ['login_form_autocomplete', true, true],
+            ]);
+        $this->config
+            ->expects(self::once())
+            ->method('getSystemValueString')
+            ->willReturnMap([
+                ['lost_password_link', '', ''],
+            ]);
+        $user = $this->createMock(IUser::class);
+        $user->expects($this->once())
+            ->method('canChangePassword')
+            ->willReturn(false);
+        $this->userManager
+            ->expects($this->once())
+            ->method('get')
+            ->with('0')
+            ->willReturn($user);
+        $calls = [
+            [], [], [],
+            [
+                'loginAutocomplete',
+                true
+            ],
+            [
+                'loginCanRememberme',
+                false
+            ],
+            [],
+            [
+                'loginResetPasswordLink',
+                false
+            ],
+            [
+                'loginCanResetPassword',
+                false
+            ],
+        ];
+        $this->initialState->expects($this->exactly(14))
+            ->method('provideInitialState')
+            ->willReturnCallback(function () use (&$calls): void {
+                $expected = array_shift($calls);
+                if (!empty($expected)) {
+                    $this->assertEquals($expected, func_get_args());
+                }
+            });
+
+        $expectedResponse = new TemplateResponse(
+            'core',
+            'login',
+            [
+                'alt_login' => [],
+                'pageTitle' => 'Login'
+            ],
+            'guest'
+        );
+        $this->assertEquals($expectedResponse, $this->loginController->showLoginForm('0', ''));
+    }
+
+    public static function remembermeProvider(): array {
+        return [
+            [
+                true,
+            ],
+            [
+                false,
+            ],
+        ];
+    }
+
+    #[DataProvider('remembermeProvider')]
+    public function testLoginWithInvalidCredentials(bool $rememberme): void {
+        $user = 'MyUserName';
+        $password = 'secret';
+        $loginPageUrl = '/login?redirect_url=/apps/files';
+        $loginChain = $this->createMock(LoginChain::class);
+        $trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
+        $trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
+        $this->request
+            ->expects($this->once())
+            ->method('passesCSRFCheck')
+            ->willReturn(true);
+        $loginData = new LoginData(
+            $this->request,
+            $user,
+            $password,
+            $rememberme,
+            '/apps/files'
+        );
+        $loginResult = LoginResult::failure($loginData, LoginController::LOGIN_MSG_INVALIDPASSWORD);
+        $loginChain->expects($this->once())
+            ->method('process')
+            ->with($this->equalTo($loginData))
+            ->willReturn($loginResult);
+        $this->urlGenerator->expects($this->once())
+            ->method('linkToRoute')
+            ->with('core.login.showLoginForm', [
+                'user' => $user,
+                'redirect_url' => '/apps/files',
+                'direct' => 1,
+            ])
+            ->willReturn($loginPageUrl);
+        $expected = new RedirectResponse($loginPageUrl);
+        $expected->throttle(['user' => 'MyUserName']);
+
+        $response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, $user, $password, $rememberme, '/apps/files');
+
+        $this->assertEquals($expected, $response);
+    }
+
+    #[DataProvider('remembermeProvider')]
+    public function testLoginWithValidCredentials(bool $rememberme): void {
+        $user = 'MyUserName';
+        $password = 'secret';
+        $loginChain = $this->createMock(LoginChain::class);
+        $trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
+        $trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
+        $this->request
+            ->expects($this->once())
+            ->method('passesCSRFCheck')
+            ->willReturn(true);
+        $loginData = new LoginData(
+            $this->request,
+            $user,
+            $password,
+            $rememberme,
+        );
+        $loginResult = LoginResult::success($loginData);
+        $loginChain->expects($this->once())
+            ->method('process')
+            ->with($this->equalTo($loginData))
+            ->willReturn($loginResult);
+        $this->urlGenerator
+            ->expects($this->once())
+            ->method('linkToDefaultPageUrl')
+            ->willReturn('/default/foo');
+
+        $expected = new RedirectResponse('/default/foo');
+        $this->assertEquals($expected, $this->loginController->tryLogin($loginChain, $trustedDomainHelper, $user, $password, $rememberme));
+    }
+
+    #[DataProvider('remembermeProvider')]
+    public function testLoginWithoutPassedCsrfCheckAndNotLoggedIn(bool $rememberme): void {
+        /** @var IUser|MockObject $user */
+        $user = $this->createMock(IUser::class);
+        $user->expects($this->any())
+            ->method('getUID')
+            ->willReturn('jane');
+        $password = 'secret';
+        $originalUrl = 'another%20url';
+        $loginChain = $this->createMock(LoginChain::class);
+        $trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
+        $trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
+        $this->request
+            ->expects($this->once())
+            ->method('passesCSRFCheck')
+            ->willReturn(false);
+        $this->userSession
+            ->method('isLoggedIn')
+            ->with()
+            ->willReturn(false);
+        $this->config->expects($this->never())
+            ->method('deleteUserValue');
+        $this->userSession->expects($this->never())
+            ->method('createRememberMeToken');
+
+        $response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, 'Jane', $password, $rememberme, $originalUrl);
+
+        $expected = new RedirectResponse('');
+        $expected->throttle(['user' => 'Jane']);
+        $this->assertEquals($expected, $response);
+    }
+
+    #[DataProvider('remembermeProvider')]
+    public function testLoginWithoutPassedCsrfCheckAndLoggedIn(bool $rememberme): void {
+        /** @var IUser|MockObject $user */
+        $user = $this->createMock(IUser::class);
+        $user->expects($this->any())
+            ->method('getUID')
+            ->willReturn('jane');
+        $password = 'secret';
+        $originalUrl = 'another url';
+        $redirectUrl = 'http://localhost/another url';
+        $loginChain = $this->createMock(LoginChain::class);
+        $trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
+        $trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
+        $this->request
+            ->expects($this->once())
+            ->method('passesCSRFCheck')
+            ->willReturn(false);
+        $this->userSession
+            ->method('isLoggedIn')
+            ->with()
+            ->willReturn(true);
+        $this->urlGenerator->expects($this->once())
+            ->method('getAbsoluteURL')
+            ->with(urldecode($originalUrl))
+            ->willReturn($redirectUrl);
+        $this->config->expects($this->never())
+            ->method('deleteUserValue');
+        $this->userSession->expects($this->never())
+            ->method('createRememberMeToken');
+        $this->config
+            ->method('getSystemValue')
+            ->with('remember_login_cookie_lifetime')
+            ->willReturn(1234);
+
+        $response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, 'Jane', $password, $rememberme, $originalUrl);
+
+        $expected = new RedirectResponse($redirectUrl);
+        $this->assertEquals($expected, $response);
+    }
+
+    #[DataProvider('remembermeProvider')]
+    public function testLoginWithValidCredentialsAndRedirectUrl(bool $rememberme): void {
+        $user = 'MyUserName';
+        $password = 'secret';
+        $redirectUrl = 'https://next.cloud/apps/mail';
+        $loginChain = $this->createMock(LoginChain::class);
+        $trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
+        $trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
+        $this->request
+            ->expects($this->once())
+            ->method('passesCSRFCheck')
+            ->willReturn(true);
+        $loginData = new LoginData(
+            $this->request,
+            $user,
+            $password,
+            $rememberme,
+            '/apps/mail'
+        );
+        $loginResult = LoginResult::success($loginData);
+        $loginChain->expects($this->once())
+            ->method('process')
+            ->with($this->equalTo($loginData))
+            ->willReturn($loginResult);
+        $this->userSession->expects($this->once())
+            ->method('isLoggedIn')
+            ->willReturn(true);
+        $this->urlGenerator->expects($this->once())
+            ->method('getAbsoluteURL')
+            ->with('/apps/mail')
+            ->willReturn($redirectUrl);
+        $expected = new RedirectResponse($redirectUrl);
+
+        $response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, $user, $password, $rememberme, '/apps/mail');
+
+        $this->assertEquals($expected, $response);
+    }
+
+    #[DataProvider('remembermeProvider')]
+    public function testToNotLeakLoginName(bool $rememberme): void {
+        $loginChain = $this->createMock(LoginChain::class);
+        $trustedDomainHelper = $this->createMock(ITrustedDomainHelper::class);
+        $trustedDomainHelper->method('isTrustedUrl')->willReturn(true);
+        $this->request
+            ->expects($this->once())
+            ->method('passesCSRFCheck')
+            ->willReturn(true);
+        $loginPageUrl = '/login?redirect_url=/apps/files';
+        $loginData = new LoginData(
+            $this->request,
+            'john@doe.com',
+            'just wrong',
+            $rememberme,
+            '/apps/files'
+        );
+        $loginResult = LoginResult::failure($loginData, LoginController::LOGIN_MSG_INVALIDPASSWORD);
+        $loginChain->expects($this->once())
+            ->method('process')
+            ->with($this->equalTo($loginData))
+            ->willReturnCallback(function (LoginData $data) use ($loginResult) {
+                $data->setUsername('john');
+                return $loginResult;
+            });
+        $this->urlGenerator->expects($this->once())
+            ->method('linkToRoute')
+            ->with('core.login.showLoginForm', [
+                'user' => 'john@doe.com',
+                'redirect_url' => '/apps/files',
+                'direct' => 1,
+            ])
+            ->willReturn($loginPageUrl);
+        $expected = new RedirectResponse($loginPageUrl);
+        $expected->throttle(['user' => 'john']);
+
+        $response = $this->loginController->tryLogin(
+            $loginChain,
+            $trustedDomainHelper,
+            'john@doe.com',
+            'just wrong',
+            $rememberme,
+            '/apps/files'
+        );
+
+        $this->assertEquals($expected, $response);
+    }
 }

Spacing +6 added lines, -6 removed lines

@@ -100,7 +100,7 @@ 
 
 		$this->l->expects($this->any())
 			->method('t')
-			->willReturnCallback(function ($text, $parameters = []) {
+			->willReturnCallback(function($text, $parameters = []) {
 				return vsprintf($text, $parameters);
 			});
 
@@ -280,7 +280,7 @@ 
 		];
 		$this->initialState->expects($this->exactly(14))
 			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
+			->willReturnCallback(function() use (&$calls): void {
 				$expected = array_shift($calls);
 				if (!empty($expected)) {
 					$this->assertEquals($expected, func_get_args());
@@ -321,7 +321,7 @@ 
 		];
 		$this->initialState->expects($this->exactly(15))
 			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
+			->willReturnCallback(function() use (&$calls): void {
 				$expected = array_shift($calls);
 				if (!empty($expected)) {
 					$this->assertEquals($expected, func_get_args());
@@ -399,7 +399,7 @@ 
 		];
 		$this->initialState->expects($this->exactly(14))
 			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
+			->willReturnCallback(function() use (&$calls): void {
 				$expected = array_shift($calls);
 				if (!empty($expected)) {
 					$this->assertEquals($expected, func_get_args());
@@ -466,7 +466,7 @@ 
 		];
 		$this->initialState->expects($this->exactly(14))
 			->method('provideInitialState')
-			->willReturnCallback(function () use (&$calls): void {
+			->willReturnCallback(function() use (&$calls): void {
 				$expected = array_shift($calls);
 				if (!empty($expected)) {
 					$this->assertEquals($expected, func_get_args());
@@ -698,7 +698,7 @@ 
 		$loginChain->expects($this->once())
 			->method('process')
 			->with($this->equalTo($loginData))
-			->willReturnCallback(function (LoginData $data) use ($loginResult) {
+			->willReturnCallback(function(LoginData $data) use ($loginResult) {
 				$data->setUsername('john');
 				return $loginResult;
 			});