[BUG]: Tokens created for SAML users expire after 5 minutes

cuthulino commented 1 year ago

⚠️ This issue respects the following points: ⚠️

[X] This is a single bug, not a question or a configuration/webserver/proxy issue.
[X] This is not a bug in the browser extension or another client.
[X] This issue is not already reported on Github (I've searched it).
[X] Nextcloud Server and the Passwords App is up to date. See Nextcloud Apps.
[X] There are no warnings and errors reported in the Passwords App settings in the admin area
[X] The following apps are not installed: Rainloop

Server Information

{
    "version": {
        "server": "26.0.1.1",
        "app": "2023.4.30",
        "lsr": false,
        "php": "8.1.18",
        "cronPhp": "8.1.18"
    },
    "environment": {
        "os": "Linux",
        "architecture": "x86_64",
        "bits": 64,
        "database": "mysql",
        "cron": "cron",
        "proxy": false,
        "sslProxy": true,
        "subdirectory": false
    },
    "services": {
        "images": "imagick",
        "favicons": "local",
        "previews": "default",
        "security": "hibp",
        "words": "random",
        "previewApi": false,
        "faviconApi": false
    },
    "status": {
        "autoBackupRestored": false
    },
    "settings": {
        "channel": "stable",
        "nightlies": false,
        "handbook": false,
        "performance": 5
    },
    "encryption": {
        "sse": {
            "SSEv1r1": false,
            "SSEv1r2": true,
            "SSEv2r1": false,
            "SSEv3r1": false,
            "none": false,
            "default": "SSEv1r2"
        },
        "cse": {
            "CSEv1r1": false,
            "none": true,
            "default": "none"
        }
    }
}

Client Information

Browser and Version: Firefox (112.0.2 (64-Bit)) Client OS and Version: Windows 10 Pro (22H2)

Bug description

When I am browsing my cloud, and I switch over to the Passwords app sometimes I get Error 401 unauthorized. (not every Time). I already found this thread which sounds similar but has no solution.

I am using the SAML backend for Logins.

For example the XHR Request to "https://cloud.xxx.de/index.php/apps/passwords/api/1.0/folder/show" sometimes work, sometimes errors out with 401.

I searched the Logs and did not find anything useful, only the one line.

Steps to reproduce

Not exactly reproducable.. On my cloud I do:

browse to different apps in my cloud
switch to passwords app
50:50 to get 200 or 401

Expected behavior

While I am logged in I should be authorized.

Nextcloud Logs

`{"reqId":"mXH3h75zybgp1vjaZ9yZ","level":2,"time":"2023-05-04T17:24:12+00:00","remoteAddr":"10.10.20.57","user":"--","app":"core","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Login failed: 'cthulhu' (Remote IP: '10.10.20.57')","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0","version":"26.0.1.1","data":{"app":"core"}}`

Browser Logs

XHRPOST
https://cloud.xxx.de/index.php/apps/passwords/api/1.0/session/open
[HTTP/2 401 Unauthorized 25ms]

XHRPOST
https://cloud.xxx.de/index.php/apps/passwords/api/1.0/folder/show
[HTTP/2 401 Unauthorized 19ms]

XHRPOST
https://cloud.xxx.de/index.php/apps/passwords/api/1.0/folder/show
[HTTP/2 401 Unauthorized 21ms]

Passwords Error <empty string> 
Object { message: "", response: Response }
app.js:2:1172017
Uncaught (in promise) 
Object { message: "", response: Response }
app.js:2:944225
Passwords Error <empty string> 
Object { message: "", response: Response }
app.js:2:1172017
Passwords Error <empty string> 
Object { message: "", response: Response }
app.js:2:1172017
Uncaught (in promise) 
Object { message: "", response: Response }

Some Details of the first XHR Request:
HTTP/2 401 Unauthorized
cache-control: no-store, no-cache, must-revalidate
content-encoding: gzip
content-security-policy: default-src 'self'; script-src 'self' 'nonce-akg2RDBaTXChangedSomethingHerenhMOVhsK2VzZEI3VT06NHpYYmw3aFZodVNOUkptRWxOOElpUGw1eC9DbHBnc1llWUtremExb1Vvdz0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
content-type: application/json; charset=utf-8
date: Thu, 04 May 2023 18:06:07 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: no-referrer
server: Apache/2.4.56 (Debian)
set-cookie: oc_sessionPassphrase=RLHT2agChangedSomethingHerezZ5tUGhm8oihGhXZCFIgxV4aQh79WmUdc7Lx0OAzIEELNAwmLV9xpiOp1y7TbmUHuoi9sCaChangedSomethingHereTiWrc29ZKKjN3d; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: ocrp7e31h5e3=u1oi9umsjm1jad8uklrqti20t3; expires=Fri, 05-May-2023 02:06:07 GMT; Max-Age=28800; path=/; secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
X-Firefox-Spdy: h2

simmstein commented 1 year ago

Same issue. Need to refresh and then it works.

CamZie commented 1 year ago

We get the same error on our Nextcloud installation version 26.0.1.

This results to multiple "Login failed" errors and will therefore be listed in the "brute force" security of Nextcloud, which causes the network affected to be slow.

2023/07/11 10:44:11 [error] 32438#32438: *145844 FastCGI sent in stderr: "PHP message: [nextcloud][core][2] {"reqId":"","level":2,"time":"2023-07-11T10:44:11+02:00","remoteAddr":"***REMOVED***","user":"--","app":"core","method":"POST","url":"/index.php/apps/passwords/api/1.0/password/show","message":"Login failed: '***REMOVED***' (Remote IP: '***REMOVED***')","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","version":"26.0.1.1","data":{"app":"core"}}" while reading response header from upstream, client: ***REMOVED***, server: ***REMOVED***, request: "POST /index.php/apps/passwords/api/1.0/password/show HTTP/2.0", upstream: "fastcgi://unix:/var/run/phpfpm.sock:", host: "***REMOVED***"

marius-wieschollek commented 1 year ago

There seems to be a bug in how the app handles passwordless logins when it creates the temporary session token/tokens for browser extensions. An empty string is stored in the token as the user password instead of null. These tokens then expire after 5 minutes.

The latest nighty build (5155) contains a patch for this.

marius-wieschollek commented 1 year ago

This bug should now be fixed with the latest update

marius-wieschollek / passwords