Open ghost opened 8 months ago
This is coming from the password_policy app but it's barely changed lately (managed via Admin settings->Security):
For completeness can you provide the output of:
occ config:list password_policy
(Or equivalent)
It's notable it is only impacting your client app connections and not web.
Everything was working since Nextcloud 21
What version of NC, specifically, were you using immediately before this behavior started / before this most recent upgrade?
Hello,
Thank you very much for your answer. Please find my responses below:
For completeness can you provide the output of:
occ config:list password_policy
(Or equivalent)
$ php8.2 --define apc.enable_cli=1 occ config:list password_policy
{
    "apps": {
        "password_policy": {
            "enabled": "yes",
            "types": "authentication",
            "enforceUpperLowerCase": "1",
            "enforceSpecialCharacters": "1",
            "historySize": "10",
            "enforceNumericCharacters": "1",
            "minLength": "8",
            "installed_version": "1.17.0",
            "expiration": "365"
        }
    }
}
It's notable it is only impacting your client app connections and not web.
I'm sorry, I'm not sure I understand what you mean by that. Is it the expected behaviour that client application connections are causing issues but not the web?
Everything was working since Nextcloud 21
What version of NC, specifically, were you using immediately before this behavior started / before this most recent upgrade?
We were using v27.1.2.1.
Thanks again!
"expiration": "365"
Are you sure the password isn't just expired?
Are there many users on this server? Can you provide the output of ./occ user:setting <username> password_policy for one of your users?
Redact anything you consider confidential.
I'm not sure I understand what you mean by that. Is it the expected behaviour that client application connections are causing issues but not the web?
Not expected. A clue maybe.
Hello!
Are you sure the password isn't just expired?
Why would it have expired if all accounts are still able to log in to the web interface?
Are there many users on this server? Can you provide the output of ./occ user:setting <username> password_policy for one of your users?
There are a little over 100 users on the server, none can connect with a client which isn't the web interface.
See the output of the command below:
$ php8.2 --define apc.enable_cli=1 occ user:setting REDACTED password_policy
- password_policy:
  - failedLoginAttempts: 0
  - pwd_last_updated: 1667198578
- settings:
  - display_name: REDACTED
Considering the UNIX timestamp value printed here, the password does indeed seem to have expired on Mon Oct 31 2022 07:42:58 GMT+0100 (Central European Standard Time). However, that doesn't explain why everyone is still able to log in on the web interface. Looks like a bug?
I'm not sure I understand what you mean by that. Is it the expected behaviour that client application connections are causing issues but not the web?
Not expected. A clue maybe.
Okay, thanks again for your help!
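The expiry check the reporter did by hand above (pwd_last_updated plus the configured expiration in days) can be scripted over the two occ outputs quoted in this thread. This is an added example, not code from the thread or from the password_policy app; the `occ` outputs embedded below are constructed samples shaped like the ones posted, and the user names are hypothetical.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the `occ config:list password_policy` output in this thread.
CONFIG_JSON = '{"apps": {"password_policy": {"enabled": "yes", "expiration": "365"}}}'

# Constructed samples of `occ user:setting <user> password_policy` for two hypothetical users.
USER_SETTINGS = {
    "alice": "- password_policy:\n  - failedLoginAttempts: 0\n  - pwd_last_updated: 1667198578\n",
    "bob": "- password_policy:\n  - failedLoginAttempts: 2\n  - pwd_last_updated: 1698800000\n",
}

def expiration_days(config_json):
    """Return the password_policy 'expiration' setting in days, or None if unset or 0."""
    cfg = json.loads(config_json)["apps"]["password_policy"]
    value = cfg.get("expiration")
    return int(value) if value not in (None, "", "0") else None

def pwd_last_updated(user_setting_output):
    """Extract pwd_last_updated (UNIX seconds) from occ user:setting output, or None."""
    m = re.search(r"pwd_last_updated:\s*(\d+)", user_setting_output)
    return int(m.group(1)) if m else None

def password_expiry(last_updated, days):
    """Expiry instant: last password change plus the expiration window, in UTC."""
    return datetime.fromtimestamp(last_updated, tz=timezone.utc) + timedelta(days=days)

def expired_users(config_json, user_outputs, now):
    """Map user -> expiry datetime for each user whose password is past expiration at `now`."""
    days = expiration_days(config_json)
    if days is None:
        return {}  # no expiration policy configured, nothing can be expired
    expired = {}
    for user, output in user_outputs.items():
        ts = pwd_last_updated(output)
        if ts is None:
            continue  # timestamp not reported for this user; skip rather than guess
        expiry = password_expiry(ts, days)
        if expiry <= now:
            expired[user] = expiry
    return expired

if __name__ == "__main__":
    now = datetime.now(tz=timezone.utc)
    for user, expiry in expired_users(CONFIG_JSON, USER_SETTINGS, now).items():
        print(f"{user}: password expired at {expiry.isoformat()}")
```

Run against real `occ` output, the expired set is the list of accounts that should be rejected on every login path (web and clients alike); any of them still able to log in through the web UI is the inconsistency this thread is about.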
However, that doesn't explain why everyone is still able to login on the web interface. Looks like a bug?
Might be a bug indeed. And the timing may just be a coincidence - may have nothing to do with v27.1.2->v27.1.3.
My best guess is a difference between:
We'll have to look closer.
For your information it's still happening. The "Forgot my password" to rotate the password works as expected, but this still looks like a serious security issue if you can still log in to the web UI while your password has expired.
Did you mean to close your report? I reopened it since it seems like something that still needs to be addressed.
Bug description
It's impossible to log in to Nextcloud except from the web interface.
Steps to reproduce
Expected behavior
People should be able to use the Nextcloud official clients, not only the web interface. Especially when their credentials are valid and not expired. The error message should also be more informative.
Installation method
Community Manual installation with Archive
Nextcloud Server version
27
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
Updated from a MINOR version (ex. 22.1 to 22.2)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
Everything was working since Nextcloud 21, doing upgrades carefully and updating the Nginx example configuration file each time. I'm not sure if it's a desktop (https://github.com/nextcloud/desktop/issues/6204) or a server bug in the end...