[Web] Check app password before user password on web login

2025-12-13 09:56:01 +00:00 · 2025-04-03 12:19:04 +02:00
parent 805634f9a9
commit 62f816e64a
1 changed files with 17 additions and 16 deletions
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -22,22 +22,6 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
    }
  }

-  // Try validate user
-  if (!isset($role) || $role == "user") {
-    $result = user_login($user, $pass);
-    if ($result !== false) {
-      if ($app_passwd_data['eas'] === true) {
-        $service = 'EAS';
-      } elseif ($app_passwd_data['dav'] === true) {
-        $service = 'DAV';
-      } else {
-        $service = 'MAILCOWUI';
-      }
-      $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
-      set_sasl_log($user, $real_rip, $service);
-      return $result;
-    }
-  }

  // Try validate app password
  if (!isset($role) || $role == "app") {
@@ -56,6 +40,23 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
    }
  }

+  // Try validate user
+  if (!isset($role) || $role == "user") {
+    $result = user_login($user, $pass);
+    if ($result !== false) {
+      if ($app_passwd_data['eas'] === true) {
+        $service = 'EAS';
+      } elseif ($app_passwd_data['dav'] === true) {
+        $service = 'DAV';
+      } else {
+        $service = 'MAILCOWUI';
+      }
+      $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+      set_sasl_log($user, $real_rip, $service);
+      return $result;
+    }
+  }
+
  // skip log and only return false if it's an internal request
  if ($is_internal == true) return false;