Server: Password reset button broken

Created on 14 Apr 2017 · 4 Comments · Source: nextcloud/server

Steps to reproduce

  1. Generate password reset link
  2. Click on the link in the mail
  3. Type in new password
  4. Press "reset" button

Expected behaviour

Password should be reset

Actual behaviour

Nothing

Server configuration

Operating system:
debian 8.7 jessie
Web server:
apache2
Database:
mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3
PHP version:
php 7.0
Nextcloud version: (see Nextcloud admin page)
11.02 (stable)
Updated from an older Nextcloud/ownCloud or fresh install:
updated from previous stable
Where did you install Nextcloud from:
debian image with nextcloud provided by hosting provider
Signing status:


Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.
No errors have been found.

List of activated apps:


activity, gallery, contacts, calendar, gpxpod, gpxedit, tasks, collabora CODE

Enabled:

  • activity: 2.4.1
  • admin_audit: 1.1.0
  • admin_notifications: 1.0.0
  • calendar: 1.5.2
  • comments: 1.1.0
  • contacts: 1.5.3
  • dav: 1.1.1
  • federatedfilesharing: 1.1.1
  • federation: 1.1.1
  • files: 1.6.1
  • files_downloadactivity: 1.0.1
  • files_pdfviewer: 1.0.1
  • files_sharing: 1.1.1
  • files_texteditor: 2.2
  • files_trashbin: 1.1.0
  • files_versions: 1.4.0
  • files_videoplayer: 1.0.0
  • firstrunwizard: 2.0
  • gallery: 16.0.0
  • gpxedit: 0.0.5
  • gpxpod: 2.1.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextcloud_announcements: 1.0
  • notifications: 1.0.1
  • password_policy: 1.1.0
  • provisioning_api: 1.1.0
  • richdocuments: 1.1.25
  • serverinfo: 1.1.1
  • sharebymail: 1.0.1
  • survey_client: 0.1.5
  • systemtags: 1.1.3
  • tasks: 0.9.5
  • templateeditor: 0.2
  • theming: 1.1.1
  • twofactor_backupcodes: 1.0.0
  • updatenotification: 1.1.1
  • workflowengine: 1.1.1

Disabled:

  • encryption
  • external
  • files_accesscontrol
  • files_automatedtagging
  • files_external
  • files_retention
  • user_external
  • user_ldap
  • user_saml

Nextcloud configuration:


{
    "system": {
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "localhost",
            "REMOVED SENSITIVE VALUE",
            "REMOVED SENSITIVE VALUE",
            "REMOVED SENSITIVE VALUE"
        ],
        "datadirectory": "/var/nextclouddata/data",
        "appstoreurl": "https://apps.nextcloud.com/api/v0",
        "overwrite.cli.url": "http://localhost",
        "dbtype": "mysql",
        "version": "11.0.2.7",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "logtimezone": "UTC",
        "installed": true,
        "default_language": "de",
        "auth.bruteforce.protection.enabled": true,
        "instanceid": "REMOVED SENSITIVE VALUE",
        "updater.release.channel": "stable",
        "maintenance": false,
        "theme": "",
        "logtype": "owncloud",
        "logfile": "/var/log/nextcloud.log",
        "loglevel": 0,
        "appstore.experimental.enabled": true,
        "mail_from_address": "info",
        "mail_smtpmode": "sendmail",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "mail_smtpsecure": "tls",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "mail_smtpname": "REMOVED SENSITIVE VALUE",
        "mail_smtppassword": "REMOVED SENSITIVE VALUE"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser:
chrome/firefox
Operating system:
fedora linux

Logs

Web server error log


[Fri Apr 14 10:38:12.241769 2017] [mpm_prefork:notice] [pid 28702] AH00169: caught SIGTERM, shutting down
[Fri Apr 14 10:38:13.409503 2017] [mpm_prefork:notice] [pid 28826] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Apr 14 10:38:13.409580 2017] [core:notice] [pid 28826] AH00094: Command line: '/usr/sbin/apache2'



cat nextcloud.access.log | grep pass

REMOVED SENSITIVE VALUE - - [14/Apr/2017:10:31:28 +0200] "GET /core/js/lostpassword.js?v=REMOVED SENSITIVE VALUE HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
REMOVED SENSITIVE VALUE- - [14/Apr/2017:10:38:32 +0200] "GET /core/js/lostpassword.js?v=REMOVED SENSITIVE VALUE HTTP/1.1" 200 2009 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
REMOVED SENSITIVE VALUE- - [14/Apr/2017:15:40:24 +0200] "GET /core/js/lostpassword.js?v=REMOVED SENSITIVE VALUE HTTP/1.1" 200 2009 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
REMOVED SENSITIVE VALUE - - [14/Apr/2017:15:40:31 +0200] "POST /index.php/lostpassword/email HTTP/1.1" 200 971 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
REMOVED SENSITIVE VALUE - - [14/Apr/2017:15:40:57 +0200] "GET /index.php/lostpassword/reset/form/REMOVED SENSITIVE VALUE HTTP/1.1" 200 8189 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

Nextcloud log (data/nextcloud.log)


{"reqId":"REMOVED SENSITIVE VALUE","remoteAddr":"REMOVED SENSITIVE VALUE","app":"core","message":"Sent mail to \"Array\n(\n [REMOVED SENSITIVE VALUE] => REMOVED SENSITIVE VALUE\n)\n\" with subject \"Nextcloud password reset\"","level":0,"time":"2017-04-14T13:40:32+00:00","method":"POST","url":"/index.php/lostpassword/email","user":"--","version":"11.0.2.7"}

Browser log


Mixed Content: The page at 'https://nextcloud.***REMOVED SENSITIVE VALUE***/index.php/lostpassword/reset/form/***REMOVED SENSITIVE VALUE***' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://nextcloud.***REMOVED SENSITIVE VALUE***/index.php/lostpassword/set/***REMOVED SENSITIVE VALUE***'. This endpoint should be made available over a secure connection.

All 4 comments

Anything in the webdev tools of your browser? Any JS errors or something like that?

@MorrisJobke I added it under browser logs, didn't find it before. I think it tries to set the password over http and somehow fails because of that.

"overwrite.cli.url": "http://localhost",

Set this properly - maybe it helps.

Thank you @MorrisJobke
It was not the exact problem you pointed out, but I solved it by adding
'overwriteprotocol' => 'https',
as instructed in the NC manual here
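
The browser log in this issue reports a form on an HTTPS page whose target is an `http://` endpoint. As an added example (not part of the original thread and not Nextcloud code), this Node.js check lists such form targets in a page's HTML; the host name, the `TOKEN` placeholder and the markup are constructed, and the tag scan assumes well-formed markup.

```javascript
// Added example: list form targets on an HTTPS page that resolve to plain HTTP.
// Host name, TOKEN placeholder and markup below are constructed sample input.
const PAGE_URL = 'https://nextcloud.example.test/index.php/lostpassword/reset/form/TOKEN';
const BROKEN_PAGE = `
  <form method="post" action="http://nextcloud.example.test/index.php/lostpassword/set/TOKEN">
    <input type="password" name="password"><input type="submit" value="Reset password">
  </form>`;
const FIXED_PAGE = BROKEN_PAGE.replace('action="http://', 'action="https://');

// Read one attribute from a single start tag (simplified: assumes well-formed markup).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function insecureFormTargets(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only concerns secure pages
  const findings = [];
  // <form action> plus per-control overrides via formaction on <button>/<input>.
  for (const [tag, el] of html.matchAll(/<(form|button|input)\b[^>]*>/gi)) {
    const element = el.toLowerCase();
    const attribute = element === 'form' ? 'action' : 'formaction';
    let raw = attr(tag, attribute);
    if (raw === null) {
      if (attribute === 'formaction') continue; // control does not override the target
      raw = ''; // a form without action submits to the page URL itself
    }
    let target;
    try {
      target = new URL(raw, page); // resolves relative and protocol-relative targets
    } catch {
      continue; // unparsable target, nothing to report
    }
    if (target.protocol === 'http:') findings.push({ element, attribute, target: target.href });
  }
  return findings;
}

console.log(insecureFormTargets(PAGE_URL, BROKEN_PAGE)); // one finding: the form action
console.log(insecureFormTargets(PAGE_URL, FIXED_PAGE));  // no findings
```

A non-empty result for the reset form means the server is generating `http://` URLs for a page served over HTTPS, which is the condition the reporter resolved with `'overwriteprotocol' => 'https'`.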
