Server: User password change leads to logout of all other users

Created on 16 Sep 2019 · 4 Comments · Source: nextcloud/server

Steps to reproduce

  1. Open two private tabs in your browser
  2. Log into your nextcloud with two different users
  3. Change the password in the settings/security for user A
  4. User B is logged out, user A stays logged in. (Users C, D, etc. are logged out too)

Has been tested and reproduced on different NC instances (15.0.11, 16.0.4).

SQL query that may cause the problem:
DELETE FROM oc_authtoken WHERE (type = '0') AND (id <> '2') AND (version = 2)

Expected behaviour

All users stay logged in when one user changes his password.

Actual behaviour

When one user changes his password all other users lose their sessions and are logged out.

Server configuration detail

Operating system: Linux 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64

Webserver: Apache/2.4.29 (Ubuntu) (apache2handler)

Database: mysql 10.3.18

PHP version:

7.2.19-0ubuntu0.18.04.2
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 16.0.4 - 16.0.4.1

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: nextcloud

Signing status

Array
(
)

List of activated apps

Enabled:
 - accessibility: 1.2.0
 - activity: 2.9.1
 - bruteforcesettings: 1.4.0
 - cloud_federation_api: 0.2.0
 - comments: 1.6.0
 - dav: 1.9.2
 - federatedfilesharing: 1.6.0
 - federation: 1.6.0
 - files: 1.11.0
 - files_pdfviewer: 1.5.0
 - files_rightclick: 0.13.0
 - files_sharing: 1.8.0
 - files_texteditor: 2.8.0
 - files_trashbin: 1.6.0
 - files_versions: 1.9.0
 - files_videoplayer: 1.5.0
 - firstrunwizard: 2.5.0
 - gallery: 18.3.0
 - issuetemplate: 0.5.0
 - logreader: 2.1.0
 - lookup_server_connector: 1.4.0
 - nextcloud_announcements: 1.5.0
 - oauth2: 1.4.2
 - password_policy: 1.6.0
 - privacy: 1.0.0
 - provisioning_api: 1.6.0
 - recommendations: 0.4.0
 - serverinfo: 1.6.0
 - sharebymail: 1.6.0
 - support: 1.0.0
 - survey_client: 1.4.0
 - systemtags: 1.6.0
 - theming: 1.7.0
 - twofactor_backupcodes: 1.5.0
 - updatenotification: 1.6.0
 - viewer: 1.1.0
 - workflowengine: 1.6.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - notifications
 - user_ldap

Configuration (config/config.php)

{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "10.0.59.241"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "16.0.4.1",
    "overwrite.cli.url": "http:\/\/10.0.59.241\/nextcloud",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true
}

Are you using external storage, if yes which one: No

Are you using encryption:

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0

Operating system: macOS 10.14.6

Labels: 1. to develop, bug

All 4 comments

I can confirm this issue.

https://github.com/nextcloud/server/blob/608f4d3ee9aded5e6b2b9784a1575ffedbd5002f/lib/private/Authentication/Token/PublicKeyTokenProvider.php#L206

After a password change all temporary tokens except the current one are deleted. Not sure why this pops up now because the code has been there for a long time.

Index: lib/private/Authentication/Token/PublicKeyTokenMapper.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- lib/private/Authentication/Token/PublicKeyTokenMapper.php   (revision 9629015b4bef62898e38f34b5951407f941827cf)
+++ lib/private/Authentication/Token/PublicKeyTokenMapper.php   (date 1568667048882)
@@ -163,7 +163,8 @@
        $qb = $this->db->getQueryBuilder();

        $qb->delete('authtoken')
-           ->where($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN)))
+           ->where($qb->expr()->eq('uid', $qb->createNamedParameter($except->getUID())))
+           ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN)))
            ->andWhere($qb->expr()->neq('id', $qb->createNamedParameter($except->getId())))
            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
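Review bot: The new `uid` predicate narrows the delete to the caller's own tokens, but nothing in the hunk guards the scope against regressing; add a mapper test that creates temporary tokens for two users, calls this method with one user's token as `$except`, and asserts that the other user's tokens (and `$except` itself) still exist. Since the query before this change deleted every user's temporary tokens, the method's documentation should also state that the cleanup is per-user.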

Adding the uid to the query deletes the tokens only for the current user.

cc @rullzer :man_shrugging: :confused:
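To make the effect of the missing `uid` predicate concrete, here is an added example (not from the issue or the Nextcloud code base) that replays the reporter's DELETE against a constructed SQLite copy of the `oc_authtoken` table, once as the original query and once with the per-user filter from the patch above. The table layout, user names and token rows are constructed for the demonstration; only the columns the query touches are modelled.

```python
"""Replay of the token-cleanup DELETE from the report: original vs. patched scope."""
import sqlite3

TEMPORARY_TOKEN = 0   # value of IToken::TEMPORARY_TOKEN as seen in the reported SQL
VERSION = 2           # value of PublicKeyToken::VERSION as seen in the reported SQL

# Constructed sample sessions (id, uid, type, version): three users, several tabs.
SAMPLE_TOKENS = [
    (1, "userA", TEMPORARY_TOKEN, VERSION),
    (2, "userA", TEMPORARY_TOKEN, VERSION),   # the browser session that changes A's password
    (3, "userB", TEMPORARY_TOKEN, VERSION),
    (4, "userC", TEMPORARY_TOKEN, VERSION),
    (5, "userB", 1, VERSION),                 # a non-temporary (app) token, untouched either way
]


def _fresh_db():
    """In-memory stand-in for oc_authtoken with the columns the query uses."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oc_authtoken (id INTEGER PRIMARY KEY, uid TEXT, type INTEGER, version INTEGER)")
    db.executemany("INSERT INTO oc_authtoken VALUES (?, ?, ?, ?)", SAMPLE_TOKENS)
    return db


def delete_temp_tokens_except(db, except_id, except_uid=None):
    """Run the cleanup query. With except_uid=None this is the pre-patch statement
    (no uid filter); with a uid it is the patched one. Returns the users that still
    hold at least one temporary token afterwards."""
    sql = "DELETE FROM oc_authtoken WHERE type = ? AND id <> ? AND version = ?"
    params = [TEMPORARY_TOKEN, except_id, VERSION]
    if except_uid is not None:
        sql += " AND uid = ?"
        params.append(except_uid)
    db.execute(sql, params)
    rows = db.execute("SELECT DISTINCT uid FROM oc_authtoken WHERE type = ?", (TEMPORARY_TOKEN,))
    return sorted(uid for (uid,) in rows)


def users_still_logged_in(patched):
    """Which users keep a browser session after user A's session 2 triggers the cleanup."""
    db = _fresh_db()
    return delete_temp_tokens_except(db, except_id=2, except_uid="userA" if patched else None)


if __name__ == "__main__":
    print("before patch:", users_still_logged_in(False))  # ['userA']
    print("after patch: ", users_still_logged_in(True))   # ['userA', 'userB', 'userC']
```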

Many thanks to @kesselb for your fast response! That solves our problem which was really tricky to isolate and was a real pain in the ass... 🙏

I can confirm that we have suffered from the same issue. Applying the patch fixed it for us as well.

Server configuration detail

Operating system: Linux 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Webserver: httpd.x86_64 2.4.6-90.el7.centos base

Database: mariadb-server.x86_64 1:5.5.64-1.el7 base

PHP version:
php-fpm.x86_64 7.1.32-1.el7.remi remi-php71
php-cli.x86_64 7.1.32-1.el7.remi remi-php71
Modules loaded: apcu, bz2, calendar, Core, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, libxml, mbstring, mcrypt, mysqli, mysqlnd, openssl, pcntl, pcre, PDO, pdo_mysql, pdo_sqlite, Phar, posix, readline, Reflection, session, shmop, SimpleXML, sockets, SPL, sqlite3, standard, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, Zend OPcache, zip, zlib, Zend OPcache

Nextcloud version: 16.0.3

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: nextcloud

Are you using external storage, if yes which one: No

Are you using encryption: No

Are you using an external user-backend, if yes which one: No
