From f49ecf222af0f5fe761d88b3baf8049b6d690154 Mon Sep 17 00:00:00 2001
From: Git'Fellow <12234510+solracsf@users.noreply.github.com>
Date: Tue, 24 Feb 2026 19:29:04 +0100
Subject: [PATCH] fix(Session): Prevent immediate token invalidation

Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
---
 lib/private/User/Session.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 811c5ba4bc326..10c63ec6f9a83 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -731,10 +731,21 @@ private function checkTokenCredentials(IToken $dbToken, $token) {
 			return false;
 		}
 
-		// If the token password is no longer valid mark it as such
-		if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
+		$tokenLoginName = $dbToken->getLoginName();
+		if ($this->manager->checkPassword($tokenLoginName, $pwd) === false) {
+			// If the decrypted password is empty or not a valid local password,
+			// but the user exists and is enabled, we DO NOT permanently invalidate the token.
+			if (empty($pwd) || $this->manager->get($tokenLoginName) !== null) {
+				$this->logger->warning('Password check failed for user {user}, but user is active. Token preserved.', [
+					'app' => 'core',
+					'user' => $tokenLoginName,
+				]);
+				return false;
+			}
+
+			// Legitimate password change or invalid user
+			// Invalidate the token
 			$this->tokenProvider->markPasswordInvalid($dbToken, $token);
-			// User is logged out
 			return false;
 		}
 
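Review bot: The new guard `if (empty($pwd) || $this->manager->get($tokenLoginName) !== null)` preserves the token for every login name that still resolves to a user, so `markPasswordInvalid` is only reached when the password is non-empty and the user does not exist; after a genuine password change the mismatched token is kept alive instead of being marked invalid, which is the case the replaced branch existed for, and the "Legitimate password change" comment below it no longer describes a reachable path for existing users. The added comment and log message say the user "is enabled"/"is active", but as far as the hunk shows `get()` only tests whether the user resolves; if enabled status is the intent, `$this->manager->get($tokenLoginName)?->isEnabled() === true` would match it, although that alone still would not restore invalidation on password change. If the failure being addressed is the empty decrypted password, narrowing the guard to `if ($pwd === '') {` keeps that fix without disabling invalidation for existing users (`empty()` additionally treats the password `'0'` as empty). checkTokenCredentials's body begins before the hunk.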