From 61b6d3af97d6363238fb26c24d30e81a00514677 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 3 Feb 2026 07:46:28 +0100
Subject: [PATCH] fix(federation): Don't ask the database for an empty url
Signed-off-by: Joas Schilling
---
 .../lib/Controller/OCSAuthAPIController.php | 5 ++-
 .../Controller/OCSAuthAPIControllerTest.php | 32 ++++++++-----------
 2 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/apps/federation/lib/Controller/OCSAuthAPIController.php b/apps/federation/lib/Controller/OCSAuthAPIController.php
index 16b401be251..733b6b63544 100644
--- a/apps/federation/lib/Controller/OCSAuthAPIController.php
+++ b/apps/federation/lib/Controller/OCSAuthAPIController.php
@@ -163,7 +163,10 @@ class OCSAuthAPIController extends OCSController {
 }
 protected function isValidToken(string $url, string $token): bool {
+ if ($url === '' || $token === '') {
+ return false;
+ }
 $storedToken = $this->dbHandler->getToken($url);
- return hash_equals($storedToken, $token);
+ return $storedToken !== '' && hash_equals($storedToken, $token);
 }
 }
diff --git a/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php b/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php
index a054277c5cd..ef6879677f1 100644
--- a/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php
+++ b/apps/federation/tests/Controller/OCSAuthAPIControllerTest.php
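Review bot: The two new guards in `isValidToken()` encode a security invariant that the code never states: `hash_equals('', '')` is true, so an empty supplied token compared against an empty stored token would have validated before this change. A one-line comment above the early return would keep a later cleanup from removing it as redundant, for example `// Empty values must never authenticate: hash_equals('', '') returns true.` Whether `getToken()` can actually return an empty string for an unknown or half-configured server is not visible in this hunk and is worth confirming. The visible part of the test change shows no case with an empty `$url` or `$token`; one such row in the data provider (which lies outside the shown lines) would pin the new behaviour.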
@@ -110,28 +110,24 @@ class OCSAuthAPIControllerTest extends TestCase {
 $token = 'token';
 /** @var OCSAuthAPIController&MockObject $ocsAuthApi */
- $ocsAuthApi = $this->getMockBuilder(OCSAuthAPIController::class)
- ->setConstructorArgs(
- [
- 'federation',
- $this->request,
- $this->secureRandom,
- $this->jobList,
- $this->trustedServers,
- $this->dbHandler,
- $this->logger,
- $this->timeFactory,
- $this->throttler
- ]
- )
- ->onlyMethods(['isValidToken'])
- ->getMock();
+ $ocsAuthApi = new OCSAuthAPIController(
+ 'federation',
+ $this->request,
+ $this->secureRandom,
+ $this->jobList,
+ $this->trustedServers,
+ $this->dbHandler,
+ $this->logger,
+ $this->timeFactory,
+ $this->throttler,
+ );
 $this->trustedServers
 ->expects($this->any())
 ->method('isTrustedServer')->with($url)->willReturn($isTrustedServer);
- $ocsAuthApi->expects($this->any())
- ->method('isValidToken')->with($url, $token)->willReturn($isValidToken);
+ $this->dbHandler->method('getToken')
+ ->with($url)
+ ->willReturn($isValidToken ? $token : 'not $token');
 if ($ok) {
 $this->secureRandom->expects($this->once())->method('generate')->with(32)