From 3f6745a1c45193b54dd30ab448fdcfd539ba583f Mon Sep 17 00:00:00 2001
From: Julien Veyssier
Date: Tue, 16 Nov 2021 11:39:40 +0100
Subject: [PATCH] set 'app_password' session value only when using a permanent token

Signed-off-by: Julien Veyssier
---
 lib/private/Authentication/Token/IToken.php | 7 +++++++
 lib/private/Authentication/Token/PublicKeyToken.php | 5 ++++-
 lib/private/User/Session.php | 3 +--
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib/private/Authentication/Token/IToken.php b/lib/private/Authentication/Token/IToken.php
index 5ca4eaea84372..9a96e0ec23890 100644
--- a/lib/private/Authentication/Token/IToken.php
+++ b/lib/private/Authentication/Token/IToken.php
@@ -111,6 +111,13 @@ public function getName(): string;
 */
 public function getRemember(): int;

+ /**
+ * Get the token type
+ *
+ * @return int
+ */
+ public function getType(): int;
+
 /**
 * Set the token
 *
diff --git a/lib/private/Authentication/Token/PublicKeyToken.php b/lib/private/Authentication/Token/PublicKeyToken.php
index d060fe141032b..f7ec6fd592e85 100644
--- a/lib/private/Authentication/Token/PublicKeyToken.php
+++ b/lib/private/Authentication/Token/PublicKeyToken.php
@@ -35,7 +35,6 @@
 * @method void setLoginName(string $loginname)
 * @method string getToken()
 * @method void setType(int $type)
- * @method int getType()
 * @method void setRemember(int $remember)
 * @method void setLastActivity(int $lastactivity)
 * @method int getLastActivity()
@@ -201,6 +200,10 @@ public function setName(string $name): void {
 parent::setName($name);
 }

+ public function getType(): int {
+ return parent::getType();
+ }
+
 public function getRemember(): int {
 return parent::getRemember();
 }
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index cd26337cd2041..8b86e0844608d 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
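Review bot: The docblock added for `getType()` in IToken.php says only "Get the token type" and does not name the values a caller may compare against, although this same patch makes a session decision depend on `getType() === IToken::PERMANENT_TOKEN`. I would extend it to something like `@return int one of the IToken token-type constants (e.g. IToken::PERMANENT_TOKEN)` so implementers return a value from that set rather than an arbitrary int. Adding a method to the interface also obliges every other IToken implementation, including test doubles, to declare it; none are visible in this patch, so that needs checking. The interface body continues outside the hunk.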
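Review bot: In PublicKeyToken.php the new `getType(): int` returns `parent::getType()` unchecked, so the declared `int` return type holds only if the parent accessor always yields an integer. The removed `@method int getType()` annotation suggests the parent resolves this call dynamically; if the `type` field can be null or unset on a token object (for example one built without `setType()`), the call now made from tryTokenLogin would raise a TypeError during authentication rather than simply not matching. This mirrors the neighbouring `getRemember()` wrapper, so it may be acceptable, but a test covering a token with no type set would confirm the behaviour.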
@@ -847,8 +847,7 @@ public function tryTokenLogin(IRequest $request) {
 return true;
 }

- // Remember me tokens are not app_passwords
- if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
+ if ($dbToken->getType() === IToken::PERMANENT_TOKEN) {
 // Set the session variable so we know this is an app password
 $this->session->set('app_password', $token);
 }
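Review bot: The new condition in tryTokenLogin comes with no test in this patch, and the explanatory comment it removes is not replaced. Because the `app_password` session value is how later code knows the login used an app password, a regression test should assert that a token whose type is not `IToken::PERMANENT_TOKEN` leaves the value unset and that a permanent token sets it. A short why-comment such as `// Only permanent tokens are app passwords; temporary session tokens must not set this flag` would keep the intent visible. It is also worth confirming that a stale `app_password` value cannot survive in the session when a non-permanent token logs in, since this branch has no `else` that removes it; the body of tryTokenLogin extends outside the hunk.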