[Web] Check app password before user password on web login

data/web/inc/functions.auth.inc.php

@@ -22,36 +22,37 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
     }
   }
 
-  // Try validate user
-  if (!isset($role) || $role == "user") {
-    $result = user_login($user, $pass);
+
+  // Try validate app password
+  if (!isset($role) || $role == "app") {
+    $result = apppass_login($user, $pass, $app_passwd_data);
     if ($result !== false) {
       if ($app_passwd_data['eas'] === true) {
         $service = 'EAS';
       } elseif ($app_passwd_data['dav'] === true) {
         $service = 'DAV';
       } else {
-        $service = 'MAILCOWUI';
+        $service = 'NONE';
       }
       $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
-      set_sasl_log($user, $real_rip, $service);
+      set_sasl_log($user, $real_rip, $service, $pass);
       return $result;
     }
   }
 
-  // Try validate app password
-  if (!isset($role) || $role == "app") {
-    $result = apppass_login($user, $pass, $app_passwd_data);
+  // Try validate user
+  if (!isset($role) || $role == "user") {
+    $result = user_login($user, $pass);
     if ($result !== false) {
       if ($app_passwd_data['eas'] === true) {
         $service = 'EAS';
       } elseif ($app_passwd_data['dav'] === true) {
         $service = 'DAV';
       } else {
-        $service = 'NONE';
+        $service = 'MAILCOWUI';
       }
       $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
-      set_sasl_log($user, $real_rip, $service, $pass);
+      set_sasl_log($user, $real_rip, $service);
       return $result;
     }
   }