[Bug]: After upgrade, App token login name does not match #44164

Open
4 of 8 tasks
botsarenthuman opened this issue Mar 12, 2024 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 27-feedback bug

@botsarenthuman

⚠️ This issue respects the following points: ⚠️

Bug description

After upgrading to the latest AIO, we get an "App token login name does not match" error. We also disabled Talk while doing the upgrade, which had previously been enabled.

Steps to reproduce

1. Upgrade to latest AIO

Expected behavior

Previous app passwords would work

Installation method

Official All-in-One appliance

Nextcloud Server version

27

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

@botsarenthuman botsarenthuman added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Mar 12, 2024
@szaimen szaimen changed the title [Bug]: After upgrade to latest AIO, App token login name does not match [Bug]: After upgrade, App token login name does not match Mar 12, 2024
@botsarenthuman

Tracked it to this PR #43752
Disabled that plugin manually and we're able to log in using the SSO login name, still not email like before though.

@haffmans

I encounter this issue in Nextcloud server 28.0.3. In my situation the Nextcloud Android app kept logging me out as soon as I logged in through the web flow. Based on the logs, the created login token uses my UID as username, but the session gets tied to the e-mail address. Even when logging into the app with the UID as username, this kept failing. I did not reset the app completely to see if that works, but it did all work fine until the server upgrade to 28.0.3. The log shows two "App token login name does not match" (with identical context data) and one "Login failed" message every time the app attempted to log in.

I could find commit 0e3f680 (7f2fdd8 in NC 29), which seems at least related; I'm not entirely sure if this one causes this bug or not.

Looking at that patch, the call made to validateTokenLoginName seems to check if the e-mail of the token's user matches the token's loginName. It looks like this is called with the e-mail address twice, while the token contains the UID/Username.

I modified validateTokenLoginName(?string $loginName, IToken $token) to this:

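        private function validateTokenLoginName(?string $loginName, IToken $token): bool {
                // The token's user may no longer exist, so the lookup can return null
                $tokenUser = $this->manager->get($token->getUID());
                $tokenEmail = $tokenUser?->getEMailAddress();

                // The e-mail only counts when it is set and identical to the login name;
                // a loose != would let a null or empty $loginName match a missing e-mail
                $matchesEmail = $tokenEmail !== null && $tokenEmail !== '' && $tokenEmail === $loginName;

                // Reject unless the login name is the token's login name or the user's e-mail
                if ($token->getLoginName() !== $loginName && !$matchesEmail) {
                        $this->logger->error('App token login name does not match', [
                                'tokenLoginName' => $token->getLoginName(),
                                'tokenEmailAddress' => $tokenEmail,
                                'sessionLoginName' => $loginName,
                                'app' => 'core',
                                'user' => $token->getUID(),
                        ]);

                        return false;
                }

                return true;
        }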

This makes tokens valid if the passed $loginName is either the loginName or the e-mail address of the token's user. That also seems to solve the TODO currently marked in that function.

I'm not certain if this is the correct approach to solving this, but after making this change I no longer get errors in the Android app or the server logs.
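The e-mail fallback discussed in the comment above, modelled as stand-alone functions to show how a loose `!=` and a strict comparison behave when the session login name or the user's e-mail is missing (PHP's loose comparison treats `null` and `''` as equal). This is an added example, not code from the issue or from Nextcloud; `matchesLoose`, `matchesStrict` and the sample accounts are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-alone model of the login-name check; not Nextcloud code.

/** Loose variant: the e-mail address is compared with `!=`. */
function matchesLoose(?string $loginName, string $tokenLoginName, ?string $tokenEmail): bool {
    return !($tokenLoginName !== $loginName && $tokenEmail != $loginName);
}

/** Strict variant: an e-mail only counts when it is set and identical. */
function matchesStrict(?string $loginName, string $tokenLoginName, ?string $tokenEmail): bool {
    if ($loginName === null || $loginName === '') {
        return false; // no session login name, nothing to match against
    }
    if ($tokenLoginName === $loginName) {
        return true;
    }
    return $tokenEmail !== null && $tokenEmail !== '' && $tokenEmail === $loginName;
}

// Constructed cases: [session login name, token login name, user's e-mail]
$cases = [
    'UID login'                      => ['alice', 'alice', 'alice@example.org'],
    'e-mail login'                   => ['alice@example.org', 'alice', 'alice@example.org'],
    'different user'                 => ['bob', 'alice', 'alice@example.org'],
    'no session name, no e-mail'     => [null, 'alice', null],
    'empty session name, no e-mail'  => ['', 'alice', null],
    'no session name, empty e-mail'  => [null, 'alice', ''],
];

// Print both verdicts side by side so differing rows stand out
foreach ($cases as $label => [$login, $tokenLogin, $email]) {
    printf(
        "%-34s loose=%-5s strict=%s\n",
        $label,
        var_export(matchesLoose($login, $tokenLogin, $email), true),
        var_export(matchesStrict($login, $tokenLogin, $email), true)
    );
}
```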
