nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0

Does not handle Microsoft OAuth error #9543

Open paulvt opened 5 months ago

paulvt commented 5 months ago

Steps to reproduce

  1. Set up app registration in Azure AD as described in the manual
  2. Instead of setting the supported account types to multi-tenant + personal accounts, select single tenant
  3. Configure the client ID and secret in the Groupware settings
  4. Try to connect a new mail account that uses this Microsoft 365 app
  5. Fill in the correct credentials in the OAuth pop-up and allow the app access

Expected behavior

After logging in, the error that the app is misconfigured should be handled instead of creating a non-functional account.

Actual behavior

Account setup fails. The error logs contain the error message

OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113

So, the account was created without valid credentials.

Mail app version

3.5.7

Mailserver or service

Microsoft 365

Operating system

Debian GNU/Linux 12 (bookworm)

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database

PostgreSQL

Additional info

When the OAuth flow redirects after going through the pop-up, the returned error (information) is not handled, thus account creation is not blocked/cancelled. The redirect URL is as follows:

W.X.Y.Z - - [09/Apr/2024:11:44:40 +0200] "GET /apps/mail/integration/microsoft-auth?error=invalid_request&error_description=AADSTS50194%3a+Application+%27[...]+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant.[...]
Nextcloud log entries of the error

```json
{ "reqId": "2obomk7psF2hURvNwOc1", "level": 3, "time": "2024-04-09T08:55:56+00:00", "remoteAddr": "[...]", "user": "[...]", "app": "mail", "method": "GET", "url": "/apps/mail/api/mailboxes?accountId=3", "message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113", "userAgent": "[...]", "version": "28.0.4.1", "exception": { "Exception": "Exception", "Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113", "Code": 0, "Trace": [ { "file": "/var/www/html/lib/private/AppFramework/App.php", "line": 184, "function": "dispatch", "class": "OC\\AppFramework\\Http\\Dispatcher", "type": "->", "args": [ [ "OCA\\Mail\\Controller\\MailboxesController" ], "index" ] }, { "file": "/var/www/html/lib/private/Route/Router.php", "line": 315, "function": "main", "class": "OC\\AppFramework\\App", "type": "::", "args": [ "OCA\\Mail\\Controller\\MailboxesController", "index", [ "OC\\AppFramework\\DependencyInjection\\DIContainer" ], [ "mail.mailboxes.index" ] ] }, { "file": "/var/www/html/lib/base.php", "line": 1069, "function": "match", "class": "OC\\Route\\Router", "type": "->", "args": [ "/apps/mail/api/mailboxes" ] }, { "file": "/var/www/html/index.php", "line": 39, "function": "handleRequest", "class": "OC", "type": "::", "args": [] } ], "File": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php", "Line": 169, "Previous": { "Exception": "TypeError", "Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112", "Code": 0, "Trace": [ { "file": "/var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php", "line": 112, "function": "decrypt", "class": "OC\\Security\\Crypto", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] }, { "file": "/var/www/html/custom_apps/:", "line": 39, "function": "handleRequest", "class": "OC", "type": "::", "args": [] } ], "File": "/var/www/html/apps/text/lib/Service/DocumentService.php", "Line": 501, "message": "No permission to access this file", "exception": {}, "CustomMessage": "No permission to access this file" } } }
```

```json
{ "reqId": "JWjfvreE1UDOj7eqnc8E", "level": 3, "time": "2024-04-09T08:59:11+00:00", "remoteAddr": "[...]", "user": "[...]", "app": "mail", "method": "GET", "url": "/apps/mail/", "message": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112", "userAgent": "[...]", "version": "28.0.4.1", "exception": { "Exception": "TypeError", "Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112", "Code": 0, "Trace": [ { "file": "/var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php", "line": 112, "function": "decrypt", "class": "OC\\Security\\Crypto", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] }, { "file": "/var/www/html/custom_apps/mail/lib/IMAP/MailboxSync.php", "line": 103, "function": "getClient", "class": "OCA\\Mail\\IMAP\\IMAPClientFactory", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] }, { "file": "/var/www/html/custom_apps/mail/lib/Service/MailManager.php", "line": 148, "function": "sync", "class": "OCA\\Mail\\IMAP\\MailboxSync", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] }, { "file": "/var/www/html/custom_apps/mail/lib/Controller/PageController.php", "line": 160, "function": "getMailboxes", "class": "OCA\\Mail\\Service\\MailManager", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] }, { "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php", "line": 230, "function": "index", "class": "OCA\\Mail\\Controller\\PageController", "type": "->", "args": [] }, { "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php", "line": 137, "function": "executeController", "class": "OC\\AppFramework\\Http\\Dispatcher", "type": "->", "args": [ [ "OCA\\Mail\\Controller\\PageController" ], "index" ] }, { "file": "/var/www/html/lib/private/AppFramework/App.php", "line": 184, "function": "dispatch", "class": "OC\\AppFramework\\Http\\Dispatcher", "type": "->", "args": [ [ "OCA\\Mail\\Controller\\PageController" ], "index" ] }, { "file": "/var/www/html/lib/private/Route/Router.php", "line": 315, "function": "main", "class": "OC\\AppFramework\\App", "type": "::", "args": [ "OCA\\Mail\\Controller\\PageController", "index", [ "OC\\AppFramework\\DependencyInjection\\DIContainer" ], [ "mail.page.index" ] ] }, { "file": "/var/www/html/lib/base.php", "line": 1069, "function": "match", "class": "OC\\Route\\Router", "type": "->", "args": [ "/apps/mail/" ] }, { "file": "/var/www/html/index.php", "line": 39, "function": "handleRequest", "class": "OC", "type": "::", "args": [] } ], "File": "/var/www/html/lib/private/Security/Crypto.php", "Line": 113, "message": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112", "exception": {}, "CustomMessage": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112" } }
```
ChristophWurst commented 5 months ago

could you please share the full error entry from nextcloud.log?

paulvt commented 5 months ago

I was planning to, but I forgot. I have amended it at the end of the original issue description.

paulvt commented 5 months ago

The error also feels not very relevant because in my opinion one should not be able to get this far, i.e. to the mail app with the account created.

ChristophWurst commented 5 months ago

You have posted the access log entry. Please find the entry in nextcloud.log that says "Argument #1 ($authenticatedCiphertext) must be of type string, null given".

paulvt commented 5 months ago

I guess, I forgot to press the "Update" button? Now it has been appended for real. Sorry!

ChristophWurst commented 5 months ago

The account is created without an access token, then the decryption fails on a null value. The initial access token is assigned in \OCA\Mail\Integration\MicrosoftIntegration::finishConnect. I see that a possible error is just logged but not handled otherwise. Check your log for "Could not link Microsoft account" too please.
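
The failure mode described in the report and in the comment above (the redirect endpoint ignores `error`/`error_description`, the account is stored without a token, and `Crypto::decrypt()` later receives null) is the kind of thing a redirect handler should reject before anything is persisted. The following is an added example written for this thread, not code from the Nextcloud Mail app: the function names (`parse_redirect`, `finish_connect`, `run_demo`), the in-memory account store, the `state` parameter check (the access-log line in the report is truncated, so whether the app's redirect carries `state` is not shown) and the sample redirect URLs are all constructed here; the failed URL only mirrors the shape and AADSTS50194 text of the logged request.

```python
"""OAuth 2.0 redirect handling that refuses to create an account on an
authorization error (RFC 6749 section 4.1.2.1) or on a missing token.

Added example for this issue, not code from the Nextcloud Mail app. The
function and store names are hypothetical, and the sample redirect URLs are
constructed from the shape of the access-log line in the report.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


class OAuthError(Exception):
    """The authorization server reported a failure, or the response is unusable."""


@dataclass(frozen=True)
class LinkedAccount:
    email: str
    access_token: str  # always a str: an account without a token is never stored


def _single(query: Dict[str, List[str]], key: str) -> Optional[str]:
    """Return the parameter only if it occurs exactly once (RFC 6749 section 3.1)."""
    values = query.get(key, [])
    return values[0] if len(values) == 1 else None


def parse_redirect(url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect URL, or raise OAuthError.

    Order matters: state is checked first, then the error branch, and only
    then is a code accepted. An error response carries no code, so the flow
    must stop here instead of falling through to account creation.
    """
    query = parse_qs(urlsplit(url).query)
    if _single(query, "state") != expected_state:
        raise OAuthError("state mismatch: stale or forged redirect")
    error = _single(query, "error")
    if error is not None:
        description = _single(query, "error_description") or ""
        raise OAuthError(f"{error}: {description}")
    code = _single(query, "code")
    if not code:
        raise OAuthError("redirect carries neither code nor error")
    return code


def finish_connect(url: str, expected_state: str, email: str,
                   exchange_code: Callable[[str], str],
                   store: Dict[str, LinkedAccount]) -> LinkedAccount:
    """Complete the flow and persist the account, or raise without persisting.

    exchange_code(code) stands in for the token-endpoint call; store is a
    dict keyed by e-mail standing in for the account table.
    """
    code = parse_redirect(url, expected_state)
    token = exchange_code(code)
    if not token:
        # Fail closed: persisting an empty token here is what later surfaces
        # as decrypt(null) in the report's log.
        raise OAuthError("token exchange returned no access token")
    account = LinkedAccount(email=email, access_token=token)
    store[email] = account
    return account


# Constructed sample redirects; decoded, the first matches the AADSTS50194
# text in the report's access log.
FAILED_REDIRECT = (
    "https://cloud.example.test/apps/mail/integration/microsoft-auth"
    "?error=invalid_request"
    "&error_description=AADSTS50194%3a+Application+%27...%27+is+not+configured"
    "+as+a+multi-tenant+application."
    "&state=s3cr3t-state"
)
GOOD_REDIRECT = (
    "https://cloud.example.test/apps/mail/integration/microsoft-auth"
    "?code=AUTHCODE-123&state=s3cr3t-state"
)


def fake_exchange(code: str) -> str:
    """Stand-in for the token endpoint: returns a token only for the known code."""
    return "access-token-xyz" if code == "AUTHCODE-123" else ""


def run_demo() -> Dict[str, object]:
    """Drive both redirects through finish_connect and report what got stored."""
    store: Dict[str, LinkedAccount] = {}
    outcome: Dict[str, object] = {}
    for name, url in (("failed", FAILED_REDIRECT), ("good", GOOD_REDIRECT)):
        try:
            finish_connect(url, "s3cr3t-state", f"{name}@example.test", fake_exchange, store)
            outcome[name] = "linked"
        except OAuthError as exc:
            outcome[name] = f"rejected: {exc}"
    outcome["accounts"] = sorted(store)
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the failed redirect rejected with the decoded AADSTS50194 message and no row for it in the store, while the good redirect is linked; the decrypt step never sees a null because nothing without a token was ever written.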

paulvt commented 5 months ago

There is only one error before it. I have prepended it above. There is nothing about "Could not link Microsoft account" or something similar.

There are just a few warnings/errors during the autoconfiguration, like:

```json
{
  "reqId": "V2TIdZFafbfp3A24Cu7T",
  "level": 3,
  "time": "2024-04-09T08:53:33+00:00",
  "remoteAddr": "[...]",
  "user": "[...]",
  "app": "PHP",
  "method": "GET",
  "url": "/apps/mail/api/autoconfig/ispdb/[...]/[...]",
  "message": "dns_get_record(): A temporary server error occurred. at /var/www/html/lib/private/Http/Client/DnsPinMiddleware.php#111",
  "userAgent": "[...]",
  "version": "28.0.4.1",
  "data": {
    "app": "PHP"
  }
}
```

and then what is in the OP.