X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FModel%2FUser.php;h=029613b17b0b692e19e3301fcd6d2b841d54640e;hb=8bdfdc7d52e149edb711c6d238c1f7593e237e83;hp=4b716f260632dc92ff975c98b1bf79a191421f1f;hpb=9ab57de3562a584519485579e85a45bedc9352c6;p=friendica.git
diff --git a/src/Model/User.php b/src/Model/User.php
index 4b716f2606..029613b17b 100644
--- a/src/Model/User.php
+++ b/src/Model/User.php
@@ -312,8 +312,8 @@ class User
 */
 public static function getIdForURL(string $url)
 {
- // Avoid any database requests when the hostname isn't even part of the url.
- if (!strpos($url, DI::baseUrl()->getHostname())) {
+ // Avoid database queries when the local node hostname isn't even part of the url.
+ if (!Contact::isLocal($url)) {
 return 0;
 }
 
@@ -523,11 +523,18 @@ class User
 try {
 $user = self::getAuthenticationInfo($user_info);
 } catch (Exception $e) {
- if (is_string($user_info)) {
- return self::getIdFromAuthenticateHooks($user_info, $password);
- } else {
+ $username = (is_string($user_info) ? $user_info : $user_info['nickname'] ?? '');
+
+ // Addons can create users, and since this 'catch' branch should only
+ // execute if getAuthenticationInfo can't find an existing user, that's
+ // exactly what will happen here. Creating a numeric username would create
+ // abiguity with user IDs, possibly opening up an attack vector.
+ // So let's be very careful about that.
+ if (empty($username) || is_numeric($username)) {
 throw $e;
 }
+
+ return self::getIdFromAuthenticateHooks($username, $password);
 }
 
 if ($third_party && DI::pConfig()->get($user['uid'], '2fa', 'verified')) {
@@ -574,7 +581,8 @@ class User
 * @return int User Id if authentication is successful
 * @throws HTTPException\ForbiddenException
 */
- public static function getIdFromAuthenticateHooks($username, $password) {
+ public static function getIdFromAuthenticateHooks($username, $password)
+ {
 $addon_auth = [
 'username' => $username,
 'password' => $password,
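Review bot: The rewritten comment states that the guard avoids database queries, but whether that still holds now depends on `Contact::isLocal()`, whose implementation is not visible here; if isLocal consults the contact table itself, the fast path is gone and the comment misleads the next reader. Worth confirming, and if so rewording to `// Skip the lookup for URLs that don't belong to this node.` so the comment describes intent rather than a cost guarantee. getIdForURL continues past the end of the hunk.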
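Review bot: The nickname taken from `$user_info['nickname']` is handed to the addon hooks without checking that it is a string, so a non-string value (an array, for instance) passes both `empty()` and `is_numeric()` and reaches `getIdFromAuthenticateHooks`, which defeats the purpose of the new guard. Tighten it to `if (!is_string($username) || $username === '' || is_numeric($username)) {`, which keeps the numeric-username rejection the comment explains while also rejecting anything that is not a plain string. The comment itself has a typo, `abiguity` should read `ambiguity`. The enclosing method starts and ends outside the hunk.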
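Review bot: The signature touched here still carries no native types even though the docblock declares `@return int` and both arguments are forwarded to addons as credentials; `public static function getIdFromAuthenticateHooks(string $username, string $password): int` would let PHP reject non-string input before it reaches the authenticate hooks and would make the documented return contract enforceable. The method body continues past the end of the hunk.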
@@ -590,7 +598,7 @@ class User
 Hook::callAll('authenticate', $addon_auth);
 
 if ($addon_auth['authenticated'] && $addon_auth['user_record']) {
- return $user['uid'];
+ return $addon_auth['user_record']['uid'];
 }
 
 throw new HTTPException\ForbiddenException(DI::l10n()->t('Login failed'));
@@ -1115,6 +1123,8 @@ class User
 Photo::update(['profile' => 1], ['resource-id' => $resource_id]);
 }
 }
+
+ Contact::updateSelfFromUserID($uid, true);
 }
 
 Hook::callAll('register_account', $uid);
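Review bot: The uid is read straight out of the addon-supplied `user_record` with no check that the key is present and numeric, so a record that authenticates but lacks `uid` returns null instead of the documented int and the caller would treat that as a login result. Change the condition to `if ($addon_auth['authenticated'] && !empty($addon_auth['user_record']['uid'])) {` and return `(int) $addon_auth['user_record']['uid'];`, so anything else falls through to the existing ForbiddenException. The closing brace of getIdFromAuthenticateHooks lies outside the hunk.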
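Review bot: The bare `true` passed as the second argument to `Contact::updateSelfFromUserID($uid, true)` tells the reader nothing about what it forces, and the call's return value is discarded. A one-line comment above the call naming the flag's purpose (or a named argument, if the parameter name is known) would make the intent explicit, and if the method can signal failure through its return value that should be handled rather than ignored; neither is verifiable from the hunk. The enclosing method starts and ends outside the hunk.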