fix(Session): Prevent immediate token invalidation

Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>

Author: solracsf

lib/private/User/Session.php

@@ -731,10 +731,22 @@ private function checkTokenCredentials(IToken $dbToken, $token) {
 			return false;
 		}
 
-		// If the token password is no longer valid mark it as such
 		if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
+			// If the decrypted password is empty or not a valid local password, 
+			// but the user exists and is enabled, we DO NOT permanently invalidate the token.
+			// This prevents tokens generated via OCC or used in SSO environments 
+			// from being killed after 5 minutes
+			if (empty($pwd) || $this->manager->get($dbToken->getLoginName()) !== null) {
+				$this->logger->warning('Password check failed for user {user}, but user is active. Token preserved.', [
+					'app' => 'core',
+					'user' => $dbToken->getLoginName(),
+				]);
+				return false;
+			}
+
+			// Legitimate password change or invalid user
+			// Invalidate the token
 			$this->tokenProvider->markPasswordInvalid($dbToken, $token);
-			// User is logged out
 			return false;
 		}