docs(AppFramework): note why auth username is ignored in PasswordConfirmationMiddleware

joshtrichards · web-flow · commit 274adbca1dde · 2026-05-28T12:49:00.000-04:00
Signed-off-by: Josh &lt;josh.t.richards@gmail.com&gt;
diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
@@ -93,7 +93,7 @@ public function beforeController(Controller $controller, string $methodName) {
 			$this->session->set('last-password-confirm', $now);
 			return;
 		}
-		
+
 		$lastConfirm = (int)$this->session->get('last-password-confirm');
 		$minimumRequiredConfirmTime = $now
 			- (self::PASSWORD_CONFIRMATION_TIMEOUT + self::PASSWORD_CONFIRMATION_GRACE_SECONDS);
@@ -162,7 +162,8 @@ private function confirmPasswordFromAuthorizationHeader(): void {
 		}
 
 		[$ignoredUser, $password] = explode(':', $decodedCredentials, 2);
-
+		// Use the session's loginname, not the one from the Authorization header,
+		// to prevent credential stuffing against arbitrary usernames.
 		$loginName = $this->session->get('loginname');
 		$loginResult = $this->userManager->checkPassword($loginName, $password);
 
