Add flag to avoid setting/creating user on login

Fixes #9377 . Allows rcmail::login() to be reused in plugins providing an API. The login function provides some useful logic for connecting to IMAP sources like checking credentials for validity or converting usernames in some cases. Before this change the login function always also created non-existing users or set some sesison vars, which what API plugins would like to avoid.
roundcube · May 16, 2024 · e695303 · e695303
1 parent e5af91c
commit e695303
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 5 deletions.
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
@@ -645,14 +645,15 @@ public function session_init()
      * Perform login to the mail server and to the webmail service.
      * This will also create a new user entry if auto_create_user is configured.
      *
-     * @param string $username    Mail storage (IMAP) user name
-     * @param string $password    Mail storage (IMAP) password
-     * @param string $host        Mail storage (IMAP) host
-     * @param bool   $cookiecheck Enables cookie check
+     * @param string $username     Mail storage (IMAP) user name
+     * @param string $password     Mail storage (IMAP) password
+     * @param string $host         Mail storage (IMAP) host
+     * @param bool   $cookiecheck  Enables cookie check
+     * @param bool   $just_connect Breaks after successful connect
      *
      * @return bool True on success, False on failure
      */
-    public function login($username, $password, $host = null, $cookiecheck = false)
+    public function login($username, $password, $host = null, $cookiecheck = false, $just_connect = false)
     {
         $this->login_error = null;
 
@@ -771,6 +772,15 @@ public function login($username, $password, $host = null, $cookiecheck = false)
             return false;
         }
 
+        // Only set user if just wanting to connect
+        if ($just_connect) {
+            if (is_object($user)) {
+                $this->set_user($user);
+            }
+            return true;
+        }
+
+
         // user already registered -> update user's record
         if (is_object($user)) {
             // update last login timestamp

diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
@@ -1862,6 +1862,41 @@ public function deliver_message($message, $from, $mailto, &$error,
 
         return $sent;
     }
+
+    /**
+     * Helper method to establish connection to an IMAP backend.
+     *
+     * @param rcube_storage $imap         IMAP storage handler
+     * @param string        $host         IMAP host
+     * @param string        $username     IMAP username
+     * @param string        $password     IMAP password
+     * @param int           $port         IMAP port to connect to
+     * @param string        $ssl          SSL schema or false if plain connection
+     * @param rcube_user    $user         Roundcube user (if it already exists)
+     * @param array         $imap_options Additional IMAP options
+     *
+     * @return bool Return true on successful login
+     */
+    public function imap_connect($imap, $host, $username, $password, $port, $ssl, $user = null, $imap_options = [])
+    {
+        // enable proxy authentication
+        if (!empty($imap_options)) {
+            $imap->set_options($imap_options);
+        }
+
+        // try to log in
+        if (!$imap->connect($host, $username, $password, $port, $ssl)) {
+            if ($user) {
+                $user->failed_login();
+            }
+
+            // Wait a second to slow down brute-force attacks (#1490549)
+            sleep(1);
+            return false;
+        }
+
+        return true;
+    }
 }
 
 /**