From 1a0c022f079ae9c17c10dd73fe7c2b9ee7c938a8 Mon Sep 17 00:00:00 2001
From: corentin-soriano
Date: Wed, 20 Nov 2024 11:22:28 +0100
Subject: [PATCH] Fix login issue with local accounts.
---
 sources/identify.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/sources/identify.php b/sources/identify.php
index b105ba7de..559d1262b 100755
--- a/sources/identify.php
+++ b/sources/identify.php
@@ -2510,7 +2510,19 @@ function createOauth2User(
 'message' => $ret['message'],
 ];
 }
-
+
+ // login/password attempt on a local account:
+ // Return to avoid overwrite of user password that can allow a user
+ // to steal a local account.
+ if (!$ret['oauth2Connection'] || !$ret['userPasswordVerified']) {
+ return [
+ 'error' => false,
+ 'message' => $ret['message'],
+ 'ldapConnection' => false,
+ 'userPasswordVerified' => false,
+ ];
+ }
+
 // Oauth2 user already exists and authenticated
 if (WIP === true) error_log("--- USER AUTHENTICATED ---");
 $userInfo['has_been_created'] = 0;
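Review bot: The early return added before the "Oauth2 user already exists" branch reports `'error' => false` and sets `ldapConnection` rather than `oauth2Connection`, so a caller can tell this rejected path from a successful one only by checking `userPasswordVerified`. The callers of `createOauth2User` are outside the hunk; if any of them read `oauth2Connection` or branch on `error` alone, the guard would not stop them from treating the attempt as authenticated, so I would also return `'oauth2Connection' => false,` and document that contract in the function's docblock. The condition relies on loose truthiness and on both keys being present in `$ret`; a strict, null-safe form makes the fail-closed intent explicit: `if (($ret['oauth2Connection'] ?? false) !== true || ($ret['userPasswordVerified'] ?? false) !== true) {`. Since this path is a password attempt against a local account arriving through the OAuth2 flow, an unconditional log entry here (the visible logging is gated on `WIP`) would give defenders something to alert on.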