Open m4dz opened 3 years ago
I suspect this was the per-IP rate limiter on the lost-password controller being hit, rather than brute-force protection (BFP). The two are separate mechanisms: clearing or whitelisting an IP in BFP has no effect on the rate limiter, and the HTTP 412 seen here is consistent with the rate limiter, not with BFP's response delay:
The rate limiter still triggers after BFP has been reset or the IP whitelisted, because the brute-force whitelist does not apply to it (I just confirmed this in testing as well).
But I can only trigger it if, in addition to tripping BFP and then whitelisting the IP, I also submit the "Reset password" form repeatedly within a short window (10 requests within 300 s does it, per the current code). The limit clears on its own within 300 s.
That is the intended behavior of the rate limiter.
I can see that it would be a problem if a user could not use the password-reset function after an admin cleared them from BFP.
But I cannot see how this would happen under normal circumstances, since using the password-reset function a handful of times does not trigger (much) rate limiting: I actively had to go out of my way and make roughly 10 attempts to reset my password before hitting it. :thinking:
Steps to reproduce (not filled in by the reporter; the maintainer's reproduction above is: trip brute-force protection from an IP, whitelist that IP, then submit the reset-password form about ten times within 300 s)
Expected behaviour
Once whitelisted, the login operations (both login and reset password) should be allowed from the whitelisted IP. (Note that the whitelist entry in the config report below, `81.28.201.184/0`, uses a /0 prefix length, which matches every IPv4 address and therefore disables brute-force protection for all clients rather than just this host; a single address should be written as `/32`.)
Actual behaviour
The user can log in from the IP, but the reset-password action still returns an HTTP 412 error.
Server configuration
Operating system: Debian Buster
Web server: Apache / PHP-FPM
Database: MariaDB 10.4.13 (reported by Nextcloud as dbtype "mysql"; 10.4.x is a MariaDB version number, not a MySQL one)
PHP version: 7.4.4
Nextcloud version: 20.0.5
Updated from an older Nextcloud/ownCloud or fresh install: Upgraded
Where did you install Nextcloud from: Official download page
Signing status:
``` No errors have been found. ```List of activated apps:
App list
``` Enabled: - accessibility: 1.6.0 - activity: 2.13.4 - bruteforcesettings: 2.0.1 - calendar: 2.1.3 - cloud_federation_api: 1.3.0 - comments: 1.10.0 - contacts: 3.4.3 - contactsinteraction: 1.1.0 - dashboard: 7.0.0 - dav: 1.16.2 - documentserver_community: 0.1.8 - federatedfilesharing: 1.10.2 - federation: 1.10.1 - files: 1.15.0 - files_markdown: 2.3.1 - files_pdfviewer: 2.0.1 - files_rightclick: 0.17.0 - files_sharing: 1.12.2 - files_trashbin: 1.10.1 - files_versions: 1.13.0 - files_videoplayer: 1.9.0 - firstrunwizard: 2.9.0 - groupfolders: 8.2.0 - logreader: 2.5.0 - lookup_server_connector: 1.8.0 - mail: 1.7.2 - nextcloud_announcements: 1.9.0 - notifications: 2.8.0 - oauth2: 1.8.0 - onlyoffice: 6.2.0 - password_policy: 1.10.1 - photos: 1.2.3 - privacy: 1.4.0 - provisioning_api: 1.10.0 - recommendations: 0.8.0 - serverinfo: 1.10.0 - settings: 1.2.0 - sharebymail: 1.10.0 - support: 1.3.0 - survey_client: 1.8.0 - systemtags: 1.10.0 - text: 3.1.0 - theming: 1.11.0 - twofactor_admin: 3.0.0 - twofactor_backupcodes: 1.9.0 - twofactor_totp: 5.0.0 - updatenotification: 1.10.0 - user_status: 1.0.1 - viewer: 1.4.0 - weather_status: 1.0.0 - workflowengine: 2.2.0 Disabled: - admin_audit - encryption - files_external - user_ldap ```Nextcloud configuration:
Config report
``` { "system": { "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "nextcloud.alwaysdata.org", "ad-nextcloud.alwaysdata.net" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "overwrite.cli.url": "https:\/\/ad-nextcloud.alwaysdata.net", "dbtype": "mysql", "version": "20.0.5.2", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "mysql.utf8mb4": true, "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_smtpmode": "smtp", "mail_domain": "***REMOVED SENSITIVE VALUE***", "maintenance": false, "theme": "", "loglevel": 2, "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpsecure": "ssl", "mail_smtpport": "465", "app_install_overwrite": [ "calendar" ], "memcache.local": "\\OC\\Memcache\\APCu", "memcache.distributed": "\\OC\\Memcache\\Memcached", "memcached_servers": [ [ "localhost", 11211 ] ], "memcache.locking": "\\OC\\Memcache\\Redis", "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 6379 }, "mail_sendmailmode": "smtp" }, "apps": { "accessibility": { "enabled": "yes", "installed_version": "1.6.0", "types": "" }, "activity": { "enabled": "yes", "installed_version": "2.13.4", "types": "filesystem" }, "backgroundjob": { "lastjob": "254" }, "bruteForce": { "whitelist_1": "81.28.201.184\/0" }, "bruteforcesettings": { "enabled": "yes", "installed_version": "2.0.1", "types": "" }, "calendar": { "enabled": "yes", "installed_version": "2.1.3", "types": "" }, "cloud_federation_api": { "enabled": "yes", "installed_version": "1.3.0", "types": "filesystem" }, "comments": { "enabled": "yes", "installed_version": "1.10.0", "types": "logging" }, "contacts": { "enabled": "yes", "installed_version": "3.4.3", "types": "dav" }, "contactsinteraction": { "enabled": "yes", 
"installed_version": "1.1.0", "types": "dav" }, "core": { "backgroundjobs_mode": "cron", "enterpriseLogoChecked": "yes", "installedat": "1534865793.7312", "lastcron": "1611058213", "lastupdateResult": "[]", "lastupdatedat": "1611058181", "moveavatarsdone": "yes", "oc.integritycheck.checker": "[]", "previewsCleanedUp": "1", "public_files": "files_sharing\/public.php", "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php", "scss.variables": "acf04738bafad3d2d16346746aeff1ba", "theming.variables": "c96da5636ef759cb25916c25b9288e2a", "updater.secret.created": "1603350162", "vendor": "nextcloud" }, "dashboard": { "enabled": "yes", "installed_version": "7.0.0", "types": "" }, "dav": { "buildCalendarReminderIndex": "yes", "buildCalendarSearchIndex": "yes", "chunks_migrated": "1", "enabled": "yes", "installed_version": "1.16.2", "regeneratedBirthdayCalendarsForYearFix": "yes", "types": "filesystem" }, "documentserver_community": { "enabled": "yes", "installed_version": "0.1.8", "types": "filesystem" }, "federatedfilesharing": { "enabled": "yes", "installed_version": "1.10.2", "types": "" }, "federation": { "autoAddServers": "1", "enabled": "yes", "installed_version": "1.10.1", "types": "authentication" }, "files": { "cronjob_scan_files": "500", "enabled": "yes", "installed_version": "1.15.0", "types": "filesystem" }, "files_fulltextsearch": { "enabled": "no", "installed_version": "1.4.3", "types": "filesystem" }, "files_markdown": { "enabled": "yes", "installed_version": "2.3.1", "types": "" }, "files_pdfviewer": { "enabled": "yes", "installed_version": "2.0.1", "types": "" }, "files_rightclick": { "enabled": "yes", "installed_version": "0.17.0", "types": "" }, "files_sharing": { "enabled": "yes", "installed_version": "1.12.2", "types": "filesystem" }, "files_texteditor": { "enabled": "no", "installed_version": "2.8.0", "types": "" }, "files_trashbin": { "enabled": "yes", "installed_version": "1.10.1", "types": "filesystem,dav" }, "files_versions": { "enabled": "yes", 
"installed_version": "1.13.0", "types": "filesystem,dav" }, "files_videoplayer": { "enabled": "yes", "installed_version": "1.9.0", "types": "" }, "firstrunwizard": { "enabled": "yes", "installed_version": "2.9.0", "types": "logging" }, "fulltextsearch": { "enabled": "no", "installed_version": "1.4.2", "types": "" }, "gallery": { "enabled": "no", "installed_version": "18.4.0", "types": "" }, "groupfolders": { "enabled": "yes", "installed_version": "8.2.0", "types": "filesystem,dav" }, "logreader": { "enabled": "yes", "installed_version": "2.5.0", "levels": "11111", "types": "" }, "lookup_server_connector": { "enabled": "yes", "installed_version": "1.8.0", "types": "authentication" }, "mail": { "enabled": "yes", "installed_version": "1.7.2", "types": "" }, "nextcloud_announcements": { "enabled": "yes", "installed_version": "1.9.0", "pub_date": "Thu, 24 Oct 2019 00:00:00 +0200", "types": "logging" }, "notifications": { "enabled": "yes", "installed_version": "2.8.0", "types": "logging" }, "oauth2": { "enabled": "yes", "installed_version": "1.8.0", "types": "authentication" }, "onlyoffice": { "DocumentServerUrl": "https:\/\/nextcloud.alwaysdata.org\/index.php\/apps\/documentserver_community\/", "defFormats": "{\"docx\":true,\"pptx\":true,\"xlsx\":true,\"odp\":true,\"ods\":true,\"odt\":true,\"doc\":true,\"ppt\":true,\"xls\":true}", "editFormats": "{\"csv\":true,\"docx\":true,\"pptx\":true,\"txt\":true,\"xlsx\":true,\"odp\":true,\"ods\":true,\"odt\":true,\"rtf\":true}", "enabled": "yes", "installed_version": "6.2.0", "sameTab": "true", "types": "filesystem" }, "ownpad": { "enabled": "no", "installed_version": "0.6.14", "ocsid": "174679", "ownpad_ethercalc_enable": "yes", "ownpad_ethercalc_host": "https:\/\/ethercalc.alwaysdata.org", "ownpad_etherpad_enable": "yes", "ownpad_etherpad_host": "https:\/\/etherpad.alwaysdata.org", "ownpad_etherpad_useapi": "no", "types": "" }, "password_policy": { "enabled": "yes", "installed_version": "1.10.1", "types": "authentication" }, 
"photos": { "enabled": "yes", "installed_version": "1.2.3", "types": "" }, "privacy": { "enabled": "yes", "installed_version": "1.4.0", "types": "" }, "provisioning_api": { "enabled": "yes", "installed_version": "1.10.0", "types": "prevent_group_restriction" }, "recommendations": { "enabled": "yes", "installed_version": "0.8.0", "types": "" }, "serverinfo": { "enabled": "yes", "installed_version": "1.10.0", "types": "" }, "settings": { "enabled": "yes", "installed_version": "1.2.0", "types": "" }, "sharebymail": { "enabled": "yes", "installed_version": "1.10.0", "types": "filesystem" }, "support": { "SwitchUpdaterServerHasRun": "yes", "enabled": "yes", "installed_version": "1.3.0", "types": "session" }, "survey_client": { "enabled": "yes", "installed_version": "1.8.0", "last_report": "{\"id\":\"ocuv4tp55nnj\",\"items\":[[\"server\",\"version\",\"20.0.5.2\"],[\"server\",\"code\",\"other\"],[\"server\",\"enable_avatars\",\"yes\"],[\"server\",\"enable_previews\",\"yes\"],[\"server\",\"memcache.local\",\"\\\\OC\\\\Memcache\\\\APCu\"],[\"server\",\"memcache.distributed\",\"\\\\OC\\\\Memcache\\\\Memcached\"],[\"server\",\"asset-pipeline.enabled\",\"no\"],[\"server\",\"filelocking.enabled\",\"yes\"],[\"server\",\"memcache.locking\",\"\\\\OC\\\\Memcache\\\\Redis\"],[\"server\",\"debug\",\"no\"],[\"server\",\"cron\",\"cron\"],[\"php\",\"version\",\"7.4.4\"],[\"php\",\"memory_limit\",536870912],[\"php\",\"max_execution_time\",0],[\"php\",\"upload_max_filesize\",268435456],[\"database\",\"type\",\"mysql\"],[\"database\",\"version\",\"10.4.13\"],[\"database\",\"size\",64233472],[\"apps\",\"accessibility\",\"1.6.0\"],[\"apps\",\"activity\",\"2.13.4\"],[\"apps\",\"calendar\",\"2.1.3\"],[\"apps\",\"cloud_federation_api\",\"1.3.0\"],[\"apps\",\"comments\",\"1.10.0\"],[\"apps\",\"contacts\",\"3.4.3\"],[\"apps\",\"contactsinteraction\",\"1.1.0\"],[\"apps\",\"dashboard\",\"7.0.0\"],[\"apps\",\"dav\",\"1.16.2\"],[\"apps\",\"documentserver_community\",\"0.1.8\"],[\"apps\",\"federatedfil
esharing\",\"1.10.2\"],[\"apps\",\"federation\",\"1.10.1\"],[\"apps\",\"files\",\"1.15.0\"],[\"apps\",\"files_fulltextsearch\",\"disabled\"],[\"apps\",\"files_markdown\",\"2.3.1\"],[\"apps\",\"files_pdfviewer\",\"2.0.1\"],[\"apps\",\"files_rightclick\",\"0.17.0\"],[\"apps\",\"files_sharing\",\"1.12.2\"],[\"apps\",\"files_texteditor\",\"disabled\"],[\"apps\",\"files_trashbin\",\"1.10.1\"],[\"apps\",\"files_versions\",\"1.13.0\"],[\"apps\",\"files_videoplayer\",\"1.9.0\"],[\"apps\",\"firstrunwizard\",\"2.9.0\"],[\"apps\",\"fulltextsearch\",\"disabled\"],[\"apps\",\"gallery\",\"disabled\"],[\"apps\",\"groupfolders\",\"8.2.0\"],[\"apps\",\"logreader\",\"2.5.0\"],[\"apps\",\"lookup_server_connector\",\"1.8.0\"],[\"apps\",\"mail\",\"1.7.2\"],[\"apps\",\"nextcloud_announcements\",\"1.9.0\"],[\"apps\",\"notifications\",\"2.8.0\"],[\"apps\",\"oauth2\",\"1.8.0\"],[\"apps\",\"onlyoffice\",\"6.2.0\"],[\"apps\",\"ownpad\",\"disabled\"],[\"apps\",\"password_policy\",\"1.10.1\"],[\"apps\",\"photos\",\"1.2.3\"],[\"apps\",\"privacy\",\"1.4.0\"],[\"apps\",\"provisioning_api\",\"1.10.0\"],[\"apps\",\"recommendations\",\"0.8.0\"],[\"apps\",\"serverinfo\",\"1.10.0\"],[\"apps\",\"settings\",\"1.2.0\"],[\"apps\",\"sharebymail\",\"1.10.0\"],[\"apps\",\"support\",\"1.3.0\"],[\"apps\",\"survey_client\",\"1.8.0\"],[\"apps\",\"systemtags\",\"1.10.0\"],[\"apps\",\"text\",\"3.1.0\"],[\"apps\",\"theming\",\"1.11.0\"],[\"apps\",\"twofactor_backupcodes\",\"1.9.0\"],[\"apps\",\"twofactor_totp\",\"5.0.0\"],[\"apps\",\"updatenotification\",\"1.10.0\"],[\"apps\",\"user_status\",\"1.0.1\"],[\"apps\",\"viewer\",\"1.4.0\"],[\"apps\",\"weather_status\",\"1.0.0\"],[\"apps\",\"workflowengine\",\"2.2.0\"],[\"stats\",\"num_files\",122900],[\"stats\",\"num_users\",9],[\"stats\",\"num_storages\",10],[\"stats\",\"num_storages_local\",1],[\"stats\",\"num_storages_home\",9],[\"stats\",\"num_storages_other\",0],[\"stats\",\"num_comments\",2],[\"stats\",\"num_comment_markers\",2],[\"stats\",\"num_systemtags\",0],[\"s
tats\",\"num_systemtags_mappings\",0],[\"files_sharing\",\"num_shares\",472],[\"files_sharing\",\"num_shares_user\",163],[\"files_sharing\",\"num_shares_groups\",48],[\"files_sharing\",\"num_shares_link\",115],[\"files_sharing\",\"num_shares_link_no_password\",115],[\"files_sharing\",\"num_fed_shares_sent\",0],[\"files_sharing\",\"num_fed_shares_received\",0],[\"files_sharing\",\"permissions_2_0\",\"1\"],[\"files_sharing\",\"permissions_1_1\",\"1\"],[\"files_sharing\",\"permissions_2_1\",\"3\"],[\"files_sharing\",\"permissions_3_1\",\"65\"],[\"files_sharing\",\"permissions_1_3\",\"2\"],[\"files_sharing\",\"permissions_2_3\",\"6\"],[\"files_sharing\",\"permissions_1_15\",\"1\"],[\"files_sharing\",\"permissions_2_15\",\"3\"],[\"files_sharing\",\"permissions_0_17\",\"6\"],[\"files_sharing\",\"permissions_1_17\",\"6\"],[\"files_sharing\",\"permissions_2_17\",\"20\"],[\"files_sharing\",\"permissions_3_17\",\"50\"],[\"files_sharing\",\"permissions_0_19\",\"154\"],[\"files_sharing\",\"permissions_1_19\",\"16\"],[\"files_sharing\",\"permissions_2_19\",\"73\"],[\"files_sharing\",\"permissions_0_31\",\"3\"],[\"files_sharing\",\"permissions_1_31\",\"22\"],[\"files_sharing\",\"permissions_2_31\",\"39\"],[\"files_sharing\",\"permissions_4_31\",\"1\"],[\"encryption\",\"enabled\",\"no\"],[\"encryption\",\"default_module\",\"no\"]]}", "last_sent": "1611050114", "types": "" }, "systemtags": { "enabled": "yes", "installed_version": "1.10.0", "types": "logging" }, "text": { "enabled": "yes", "installed_version": "3.1.0", "types": "dav" }, "theming": { "cachebuster": "17", "color": "#464646", "enabled": "yes", "installed_version": "1.11.0", "logoMime": "image\/png", "name": "Cloud alwaysdata", "slogan": "***REMOVED SENSITIVE VALUE***", "types": "logging", "url": "***REMOVED SENSITIVE VALUE***" }, "twofactor_admin": { "enabled": "yes", "installed_version": "3.0.0", "types": "" }, "twofactor_backupcodes": { "enabled": "yes", "installed_version": "1.9.0", "types": "" }, "twofactor_totp": 
{ "enabled": "yes", "installed_version": "5.0.0", "types": "" }, "updatenotification": { "calendar": "2.1.3", "contacts": "3.4.3", "core": "20.0.5.2", "documentserver_community": "0.1.8", "enabled": "yes", "files_markdown": "2.3.1", "files_rightclick": "0.15.1", "groupfolders": "8.2.0", "installed_version": "1.10.0", "mail": "1.7.2", "onlyoffice": "6.2.0", "twofactor_totp": "5.0.0", "types": "", "update_check_errors": "0" }, "user_status": { "enabled": "yes", "installed_version": "1.0.1", "types": "" }, "viewer": { "enabled": "yes", "installed_version": "1.4.0", "types": "" }, "weather_status": { "enabled": "yes", "installed_version": "1.0.0", "types": "" }, "workflowengine": { "enabled": "yes", "installed_version": "2.2.0", "types": "filesystem" } } } ```Are you using external storage, if yes which one: no
Are you using encryption: no
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Firefox 84.0.2
Operating system: Ubuntu 20.10