Server: App passwords vanish

Created on 1 Dec 2016 · 60Comments · Source: nextcloud/server

Steps to reproduce

Enable TOTP Plugin in
Create 2 or more App Passwords
After some time the Desktop App starts asking for the per-device Token.

Expected behaviour

App Passwords (per-device passwords) should work infinite,

Actual behaviour

somehow the app passwords vanish from the personal menu in NC. I have to genereate a new App Password, then the Desktop Client works again.

Server configuration

Operating system: Ubuntu 16.04

Web server: Apache 2.4

Database: Mysql

PHP version: 5.6

Nextcloud version: (see Nextcloud admin page) 10.0

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: NC tarball

Signing status:

Signing status

Results
=======
- core
    - INVALID_HASH
        - core/js/mimetypelist.js
        - lib/private/Share/MailNotifications.php
    - EXTRA_FILE
        - resources/config/mimetypemapping.json

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [core/js/mimetypelist.js] => Array
                        (
                            [expected] => 013e97237eeb9627ac398a50d0924621f1faa5d84ba94ab7bcc4970fbf6af55232afcf9bdef601f7f8fd6663e8e59bcb32877fd6353e893fde2c63c0893f537c
                            [current] => 1533e80c77d5eb738008b5c4c045ea014fe3653053c4c118e1eca267c4e56102788ed31a5d79d6041f1e639fa5ab55d060ea0035980fbb4915989a36ebcf96f0
                        )

                    [lib/private/Share/MailNotifications.php] => Array
                        (
                            [expected] => ff4d6280890f3d370907086c8f920a51674c72224ab5cf865b1ae42140ea2c614bb03cc0547a59205810d62e35a3d365925738d7983375e272acf826bce1633f
                            [current] => 1875a25f8593737e2e3e00b0e2ecccb14471a844922f5232275cc69ceddc144b5b6bbde350aad5f817164e390808c3c3b9ca8fe76ad6cb037e4ad7498a1a5366
                        )

                )

            [EXTRA_FILE] => Array
                (
                    [resources/config/mimetypemapping.json] => Array
                        (
                            [expected] => 
                            [current] => e98fd0313bc3ced2ab0d92d87d73cf38b3104c93cafce38ebd079d2c0b419378831b9d7635df8e078dc2bd56ef7b141e78fdea6a8012c471843509cef6a427bc
                        )

                )

        )

)

List of activated apps:

App list

Enabled:
  - activity: 2.3.2
  - admin_audit: 1.0.0
  - calendar: 1.4.0
  - comments: 1.0.0
  - contacts: true
  - dav: 1.0.0
  - documents: true
  - federatedfilesharing: 1.0.1
  - federation: 1.0.1
  - files: 1.5.2
  - files_accesscontrol: 1.1.2
  - files_automatedtagging: 1.1.1
  - files_pdfviewer: 0.8.1
  - files_retention: 1.0.0
  - files_sharing: 1.0.0
  - files_texteditor: 2.1
  - files_trashbin: 1.0.0
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - gallery: 15.0.0
  - notifications: 0.3.0
  - password_policy: 1.0.0
  - provisioning_api: 1.0.0
  - serverinfo: 1.1.1
  - survey_client: 0.1.5
  - systemtags: 1.0.2
  - tasks: 0.9.3
  - templateeditor: 0.1
  - theming: 1.0.1
  - twofactor_totp: 0.4.1
  - updatenotification: 1.0.1
  - user_external: 0.4
  - workflowengine: 1.0.1
Disabled:
  - encryption
  - external
  - files_external
  - firstrunwizard
  - user_ldap
  - user_saml

The content of config/config.php:

Config report

$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'trusted_domains' => 
  array (
    0 => 'nc.niedermayr.net',
    1 => 'oc.niedermayr.net',
    2 => 'nct.niedermayr.net',
  ),
  'datadirectory' => '/var/www/nc.niedermayr.net/data',
  'dbtype' => 'mysql',
  'version' => '9.1.0.16',
  'dbname' => 'oc_niedermayr_net',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_niedermayr_ne',
  'dbpassword' => '',
  'installed' => true,
  'defaultapp' => 'activity',
  'theme' => '',
  'maintenance' => false,
  'forcessl' => true,
  'secret' => '',
  'mail_from_address' => 'oc',
  'mail_smtpmode' => 'php',
  'mail_domain' => 'niedermayr.net',
  'filelocking.enabled' => 'true',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    0 => '/tmp/redis.sock',
    'port' => 6379,
    'timeout' => 0,
    'dbindex' => 0,
  ),
  'user_backends' => 
  array (
    0 => 
    array (
      'class' => 'OC_User_IMAP',
      'arguments' => 
      array (
        0 => '{XXXX:993/imap/ssl}INBOX',
      ),
    ),
  ),
  'loglevel' => 2,
  'trashbin_retention_obligation' => 'auto',
  'updater.release.channel' => 'stable',
);

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

yes, user_external (imap)

Client configuration

Browser:

Palemoon X64 / Linux

Operating system:

Ubuntu 16.04

Logs

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log

Insert your Nextcloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

bug authentication

Source

lephisto

👀1 🎉1

All 60 comments

Did you change your user password in the meanwhile?

LukasReschke on 1 Dec 2016

No.

lephisto on 1 Dec 2016

FYI @ChristophWurst

LukasReschke on 1 Dec 2016

The only "unusual" thing is, that it's external user authentication...

lephisto on 1 Dec 2016

@ChristophWurst is there maybe a background job which deletes tokens of deleted users and it doesn't check for the external users?

nickvergessen on 1 Dec 2016

@ChristophWurst is there maybe a background job which deletes tokens of deleted users and it doesn't check for the external users?

No. We only delete old temporary tokens in the background (session tokens): https://github.com/nextcloud/server/blob/stable10/lib/private/Authentication/Token/DefaultTokenMapper.php#L50-L62 https://github.com/nextcloud/server/blob/stable10/lib/private/Authentication/Token/DefaultTokenProvider.php#L191-L193 https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenCleanupJob.php#L33 regardless of the user.

The only "unusual" thing is, that it's external user authentication...

We periodically check the password that is encoded in device password. Maybe that check fails because the external user back end is having some hiccups? What user back end are you using?

ChristophWurst on 1 Dec 2016

After some time

What are we talking about here? Minutes? Hours? Days? :-)

ChristophWurst on 1 Dec 2016

@ChristophWurst ah mmm that could explain it. But we should really be resilient against backend hickups. Mmmm of course we don't get back if it failed (timeout whatever) or really failed.

Maybe we could just add a column that says if the token is valid/invalid? Or a counter or whatever. So that we at least try a few times?

Then if a user logins in using it username and password we could check the invalidated tokens and check if they are still valid right?

rullzer on 1 Dec 2016

@ChristophWurst c.nc.c uses LDAP.

LukasReschke on 5 Dec 2016

https://github.com/owncloud/core/issues/26731 might also be related

LukasReschke on 6 Dec 2016

owncloud/core#26731 might also be related
Are you using an external user-backend, if yes which one: no

Interesting. If that report is correct it happens with local users too.

ChristophWurst on 6 Dec 2016

Do we have some reliable steps to reproduce? Otherwise it's tricky to find and verify a bugfix.

ChristophWurst on 6 Dec 2016

@ChristophWurst In my Installation it happens nearly daily: I create a new per-device Token, use it, and next Day the Client will ask for a password - Device pw has vanished..

lephisto on 6 Dec 2016

I started a simply testing user backend for this purpose, but I could not yet figure out where external user backends might fail. https://github.com/ChristophWurst/user_crappy/blob/master/lib/CrappyUserBackend.php Currently we invalidate device passwords if the password check fails, because those clients should be logged out.
Do we have any logs or stack traces? E.g. from the LDAP user backend?

ChristophWurst on 6 Dec 2016

Btw does it also happen if you disable all 2FA providers?

ChristophWurst on 6 Dec 2016

Some thought:

the user sessions checks the device token periodically (~once in 5 minutes)
it uses the user manager to check the password
the user manager uses the registered user backends to check the password

Therefore, I assume it could also happen that for some reason the user backend is not (yet) registered when we check the token and therefore the user manager falsely fails the password check and the user session deletes the token. Again, this is just an assumption, something else could fail too.

ChristophWurst on 6 Dec 2016

@ChristophWurst do you try to fetch the user from a user backend? Externals might be offline at some point, for example. Or do you listen to delete hooks?

blizzz on 6 Dec 2016

Externals might be offline at some point, for example

Do we have an mechanism to detect whether a user backend is just temporarily unavailable? That sound problematic otherwise. https://github.com/nextcloud/server/blob/b1901534be20ab768c4f5dccaa5c7c81fb472aa8/lib/private/User/Manager.php#L187-L202 will iterate over all registered backends. If one is not there temporarily, the password check will fail because the method returns false. The client code can not distinguish between "user backend not available" and "wrong password".

Or do you listen to delete hooks?

What do you mean? There's no hook involved in the token code.

ChristophWurst on 6 Dec 2016

Could it be related to mis-casing of the login name? We had problems with avatars and sharing related to that. If so the problem should be fixed with stable10 and master?

nickvergessen on 6 Dec 2016

@ChristophWurst LDAP throws an Exception if the server is not reachable or has gone. But, what if a user was removed there by accident and restored a bit later (example scenario)? Or for instance is temporarily not available because of a buggy configuration change? Do tokens need to be removed this aggressively?

blizzz on 6 Dec 2016

Do tokens need to be removed this aggressively?

Can't give a clear answer to that because I'm not sure of the implications of changing this behavior. I would say that if we can distinguish between temporary user backend issues and wrong password we can relax the logic a bit. Using a device password that has an invalid password stored in it can cause other bugs, like failures when connecting to external storage.
cc @nextcloud/security

ChristophWurst on 12 Dec 2016

Today I replaced a failed hard drive in my server, took a bit of time. Once the server was back up, my desktop owncloud client keeps asking for the password, the prefilled/saved one doesn't work anymore ....

last time I had to shutdown the server for two days, same thing happened, had to regenerate passwords/ reconfigure every app. Very annoying believe me when you use Enpass on phone and desktop, desktop client, davdroid, phone client etc. etc.

laurentdinclaux on 14 Dec 2016

I can reproduce easily, I have LDAP setup for user accounts:

stop the LDAP service on the LDAP server (samba in my case)
exit the client, restart it (or wait a bit)
The client asks for password
start the LDAP server
The client still asks for password
The app password has been invalidated and isn't listed anymore in Nextcloud webUI

laurentdinclaux on 22 Dec 2016

I'm having this issue since yesterday I guess because since then I see these errors in the admin account:

Error PHP Undefined index: redirect_url at /var/www/nextcloud/core/templates/twofactorshowchallenge.php#24

This happens in only one user account and the passwords set for various apps still seem to work.

nextcloud.log shows:

{"reqId":"GImwQKrjtJkp4dRuzcmW","remoteAddr":,"app":"PHP","message":"Undefined index: redirect_url at \/var\/www\/nextcloud\/core\/templates\/twofactorshowchallenge.php#24","level":3,"time":"2017-01-06T15:08:38+01:00","method":"GET","url":"\/nextcloud\/index.php\/login\/challenge\/totp","user":,"version":"11.0.0.10"}

Update: ok, also had my first password mismatch on one of my android apps

eggithub on 6 Jan 2017

The undefined index should be fixed by https://github.com/nextcloud/server/pull/2854/files

nickvergessen on 9 Jan 2017

Can I fix this by just changing these lines? Or is there a more decent way to do this (I'm a bit of a git noob).

eggithub on 9 Jan 2017

yes, you will not find the second file, but only changing the first one should work fine already

nickvergessen on 9 Jan 2017

@ChristophWurst LDAP throws an Exception if the server is not reachable or has gone. But, what if a user was removed there by accident and restored a bit later (example scenario)? Or for instance is temporarily not available because of a buggy configuration change? Do tokens need to be removed this aggressively?

@blizzz this code looks like it swallows exceptions that occur when we check the password but the ldap connection is lost (because the server is down or not reachable at the moment): https://github.com/nextcloud/server/blob/203436b16be40109131720f06ca39e393c373bae/apps/user_ldap/lib/User_LDAP.php#L147-L154

ChristophWurst on 16 Jan 2017

We can change \Exception to NotOnLDAP, this should continue to work and connection issues will get through.

blizzz on 16 Jan 2017

Any news on this issue? The above mentioned file patch did fix something but not this issue...

Cheers!

eggithub on 29 Jan 2017

I gave up settings up phones all over again when the bug happens... Tedious.

laurentdinclaux on 30 Jan 2017

The above mentioned file patch did fix something but not this issue...

Which patch do you mean?

ChristophWurst on 30 Jan 2017

nickvergessen commented 21 days ago

The undefined index should be fixed by https://github.com/nextcloud/server/pull/2854/files

eggithub on 30 Jan 2017

👍1

Possible fix in https://github.com/nextcloud/server/pull/3324

blizzz on 30 Jan 2017

I should add that I don't use any external authentication api; just the local one provided my the nextcloud core.

If you need any specific information regarding my server setup, please let me know...

Cheers!

eggithub on 30 Jan 2017

Any news on this issue?

eggithub on 7 Feb 2017

I also experience this exact bug as described by @lephisto. I have Nextcloud 11.0.1 (stable), running on docker wonderfall/nextcloud:latest.

Nitroxaddict on 8 Feb 2017

I also experience this exact bug as described by @lephisto. I have Nextcloud 11.0.1 (stable),

I experienced one time randomly as i rebooted the domain controller.

RogerSik on 11 Feb 2017

Just happened when upgrading to 11.0.2 RC2

oparoz on 13 Feb 2017

Reopening as I'm not entirely convinced this is caused by LDAP only.

LukasReschke on 13 Feb 2017

👍1

@oparoz Can you still see the app passwords at /settings/personal?

LukasReschke on 13 Feb 2017

OK, so that's strange. I have a token which still works. The one I use for the desktop.
The one(s) I use for other devices (no filesystem access) have vanished

oparoz on 13 Feb 2017

Upgraded to 11.0.2: problem not solved, more problems have popped up.

Also setting for TOTP enable is not working for the user I had this problem with in the first place. After enabling, the option is set but the clients do not ask for new password (after client app restart).

Also unable to save backup passwords -> user gets redirected to "Files" without the option to save password file.

Will check more scenarios by trying to reproduce on new user. Will provide more info later...

Update 1:
With a new user it is possible to create multiple (8) entries for App Passwords and they don't appear to vanish... for now...

Also the TOTP enable option is persistent and clients need to give there App Password in order to have access to nextcloud

However, new user is still unable to save backup passwords to file -> user gets redirected to "Files" without the option to save password file.

Update 2:
I also see weird behaviour when I use occ to enable/disable totp, can't lay my finger on it. It does not always seem to work and when using occ, the nc personal settings do not adapt to these setting.

Another thing that has changed is that it takes about 30 secs to login, which used to be about 1 to 2 secs. updated nextcloud on my RPi server as well and there no problems at all...

Is there a table in the database that stores the App Passwords... which one?

Next couple of days i'm busy so... laterz... let me know if you need anything...

eggithub on 27 Feb 2017

Reopening, because this is not caused by the LDAP code alone, also local user backend affected.

blizzz on 7 Mar 2017

I just noticed something. I generated an app password a few weeks back, and it held until yesterday when I connected to the Nextcloud portal through the browser. This morning I have my Nextcloud client asking for a password again. I'm not sure if this tells something to someone, but I thought I would mention it.

Nitroxaddict on 20 Mar 2017

Any news on this issue?

Cheers

eggithub on 28 Mar 2017

Any news on this issue?

As you see:

bildschirmfoto 2017-03-28 um 00 33 37

No 😉

MorrisJobke on 28 Mar 2017

Fixed in 12.0.0 and also the upcoming 11.0.3

MorrisJobke on 11 Apr 2017

That is good to hear!

can you tell where/how it was fixed so we can play around with it, see if it works?

Cheers!

eggithub on 11 Apr 2017

Please re-open issue. Issue still not solved in 11.0.3

Entries vanish immediately and app passwords stop working within the hour.

@MorrisJobke (or the dev working on this issue):

How did you come to the conclusion that this issue had been fixed?
Were you able to test the fix on an erroneous setup?

Again I appreciate the work being done by the community, but this issue has been stated "fixed" for a number of times, which I think is a bad thing. Please ask me what you need to trip this issue.

Cheers!

eggithub on 25 Apr 2017

Again I appreciate the work being done by the community, but this issue has been stated "fixed" for a number of times, which I think is a bad thing. Please ask me what you need to trip this issue.

We had this on one of our instances and there the issue went away.

@eggithub This ticket is about following case:

having an 11.0.1
start update and in the meantime have the desktop/android/ios client (or a native calendar/contacts sync) with an app password running (basically something that connects during the upgrade via an app password)
go into maintenance mode <- there the problem happens, when the desktop client is connecting during this period
update done
now the desktop client is not connected anymore

@eggithub If this is not the case for you: could you please create a new ticket and describe what happens and what you did during this time. Also try to turn of all clients to check if this is related to clients or to the server solely.

MorrisJobke on 25 Apr 2017

@MorrisJobke

The initial issue opened by lephisto applies to my situation. I have been having this issue since 11.0.1 through 11.0.2/3. Probably clients have been active during update in 11.0.1, but can't remember. Weird thing is that this issue only shows up at one user account (my oldest account that I've had since owncloud 6 or so)

Now, this issue in 11.0.2/3 appears after an update when no App Passwords are set but instead are created after update and after a while disappear.

what did I do this time: I entered an App Password before I enabled TOTP. Could this issue be related to TOTP?
Point is that App Passwords disappear immediately after creation and page refresh even when no Clients are connected (just checked).
I cannot mimic this behaviour on newly created accounts... which to me sound like a legacy account issue or something... server related...
what is also weird is that, in the Personal settings right above the App Password section, an endless list of old sessions appear dating back from 6 to 9 months ago. I don't see that with other user accounts. Is there a way to clear this? The number of old session lines appear to be exactly 1000.

Should I create a new issue? If this triggers more focus I'd be happy to.

eggithub on 25 Apr 2017

Should I create a new issue? If this triggers more focus I'd be happy to.

Yes - please. This one is too long already.

If I understood you right: the passwords don't vanish during the upgrade is running, but on a completely upgraded instance, while creating a new password?

MorrisJobke on 26 Apr 2017

Check, you understand correctly! I'll create a new issue for the app passwords disappear + one for the sessions log with 1000 entries in the personal settings...

eggithub on 26 Apr 2017

👍1

New issue: #4535

eggithub on 26 Apr 2017

issue still persists in version 12.0.0

eggithub on 23 May 2017

👍1

Didn't have this problem more until i changed my Active Directory password. After changing it some of my App passwords were deleted. Nextcloud Version 12.0.0

RogerSik on 18 Jun 2017

@RogerSik this is by design. The main password is encrypted with the app passwords and if this changes, the app passwords get invalidated.

blizzz on 19 Jun 2017

Ok but then should all passwords vanish not only half of it. And for most application I could use my main password because i need to re-enter everytime. I thought one of the reason for the App Password is that it is secure long and dont need to re-enter after password change. Examples: Windows Live ID / Account and their App Passwords.

RogerSik on 19 Jun 2017

Let's continue this discussion at https://github.com/nextcloud/server/issues/2581#issuecomment-266452286. Thanks.

ChristophWurst on 19 Jun 2017

Was this page helpful?

0 / 5 - 0 ratings