allow login with prefix of "<domain>\" for selected domains

schlimmchen · schlimmchen · commit 51fa32d8c541 · 2023-02-01T21:31:35.000+01:00
Some WebDAV clients force to use a domain name for authentication. That
domain name is prepended to the username and separated from it using a
backslash.

This commit allows any user to login with a prefix of "WORKGROUP\",
"NC\", or "NEXTCLOUD\" added to their username. The respective prefix is
removed from the given username when trying to login, if the login
failed using the original username. The same logic is applied when
testing login tokens.

In particular, this can help allowing access to Nextcloud for devices
with an interface to SharePoint that forces to specify a domain name for
authentication. As an example, HP LaserJet M428/M429 (and many others)
can then "Scan to Nextcloud" by using the "Scan to SharePoint" feature
(wich is essentially WebDav) and configuring a domain name of "NC",
"NEXTCLOUD" or "WORKGROUP".

Signed-off-by: Bernhard Kirchen &lt;schlimmchen@posteo.net&gt;
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -408,6 +408,15 @@ public function completeLogin(IUser $user, array $loginDetails, $regenerateSessi
 		throw new LoginException($message);
 	}
 
+	/**
+	 * Removes domain prefix from username, if any, for defined domain names
+	 * @param string $user
+	 * @return string
+	 */
+	private function stripDomainName($user) {
+		return preg_replace("/^(?:(?:NC|NEXTCLOUD|WORKGROUP)\\\)?(.*)/", "\${1}", $user);
+	}
+
 	/**
 	 * Tries to log in a client
 	 *
@@ -447,7 +456,7 @@ public function logClientIn($user,
 		}
 
 		// Try to login with this username and password
-		if (!$this->login($user, $password)) {
+		if (!$this->login($user, $password) && !$this->login($this->stripDomainName($user), $password)) {
 			// Failed, maybe the user used their email address
 			if (!filter_var($user, FILTER_VALIDATE_EMAIL)) {
 				return false;
@@ -779,7 +788,7 @@ private function validateToken($token, $user = null) {
 		}
 
 		// Check if login names match
-		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+		if (!is_null($user) && $dbToken->getLoginName() !== $user && $dbToken->getLoginName() !== $this->stripDomainName($user)) {
 			// TODO: this makes it impossible to use different login names on browser and client
 			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
 			//      allow to use the client token with the login name 'user'.
