fix(session): Ensure token and UID are valid

Wrap token retrieval in try-catch to handle InvalidTokenException. Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2025-10-17 12:19:51 +02:00
1 changed files with 12 additions and 1 deletions
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -411,8 +411,19 @@ class Session implements IUserSession, Emitter {
 			}

 			if ($isTokenPassword) {
-				$dbToken = $this->tokenProvider->getToken($password);
+				try {
+					$dbToken = $this->tokenProvider->getToken($password);
+				} catch (InvalidTokenException $ex) {
+					$this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password);
+					return false;
+				}
+
 				$userFromToken = $this->manager->get($dbToken->getUID());
+				if ($userFromToken === null) {
+					$this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password);
+					return false;
+				}
+
 				$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
 					&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
 			} else {