jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

Feature Request: Check app passwords #32

Closed GIJack closed 6 years ago

GIJack commented 6 years ago

I have xmpp-cloud-auth successfully running on my nextcloud 12 install. I use the 2FA plugins, and I sync my apps with app passwords.

I would like this plugin to check app passwords as well for login. This is a great security feature, and right now, as it is set up, not only do app passwords not work, but this plugin also bypasses the 2FA security present on Nextcloud.

What I would like to see:

If 2FA is activated

  1. Don't check main password (unless 2FA or OAuth is somehow supported)
  2. Check app passwords.

sualko commented 6 years ago

This will be possible with the upcoming 3.3.0 release of jsxc, see https://github.com/nextcloud/jsxc.nextcloud/releases/tag/v3.3.0-beta.1

GIJack commented 6 years ago

Let me rephrase. I am trying to log into Jabber with a Nextcloud app password. This still does not work.

I can access chat just fine through nextcloud.

I need your ejabberd script to check app passwords.

I am running the 3.3.0 release and it still only works with the primary password. This is annoying because it leaves ejabberd as a weak point in the chain.

MarcelWaldvogel commented 6 years ago

Let me tell you what I just did. Then you tell me how that is different from what you expect or how it works for you.

Setup:

Before the test started, Prosody already had a working setup for the server, but with the "standard" login password.

Actions:

  1. In Nextcloud: Personal→App Passwords: Type "Gajim", click "Create new app password"
  2. Copy this password (and click "Done" and deactivate file system access at some later point)
  3. In Gajim: Account→Offline
  4. Preferences→paste the password; "Done"
  5. Account→Available: works
  6. In Nextcloud: Delete that account password
  7. In Gajim: Account→Offline; Account→Available: "Bad Password"

GIJack commented 6 years ago

Sorry for not getting back to you.

Server:

Client:

Before I started, chat was functioning with ejabberd linked, 2FA was setup for the account.

Created a new account in Pidgin with the main account login, sans 2FA, and it logs in. Created a new app password, used the app password, and it does not work. Changed back to the main password and it works.

No idea. It might be an ejabberd problem. Should I switch to prosody?