nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Authentication apps for DB users suffer frequent logouts #20756

Closed sshambar closed 1 week ago

sshambar commented 4 years ago

This issue appears as a bug in any App that supports authentication for database users (e.g. user_external). A careful analysis of the core code reveals a design flaw in the nextcloud app-loading logic that makes all such apps prone to frequent logouts. I've reproduced the problem in Nextcloud 18 and 19 (as well as git master), although it likely occurs in earlier versions too...

An issue that describes the symptoms: nextcloud/user_external#101

The root of the problem is that User\Database is added as a User Backend before 'authentication' apps are loaded, leading to an ordering problem (DB can check passwords, but other apps that can aren't loaded yet).

The logic falls apart in OC_App::getEnabledApps(), which calls User\Session::getUser() to get the current user to filter which apps to load. getUser() calls validateSession() which eventually checks a token timeout (5 mins) in checkTokenCredentials() and attempts to check the password... which the DB backend is willing to do (user_id is in the DB after all), fails to authenticate (Auth apps aren't loaded yet), and the session is invalidated -- user is back at the login screen!

The solution is simply to skip session validation in the "app-loading" state... token validation will always occur later, after the supporting apps are available.

There are two alternative solutions... add the DB Backend at the same time the other auth backends are added (after the 'prelogin' apps are loaded) -- but this impacts the ordering of lots of code, and would be difficult to do correctly...

Alternatively, authentication apps could add their user-backend when 'session' apps are loaded...(before the user_id is available to be checked)... this again impacts ordering, and is a bit of a hack.

This problem does not affect authentication apps that use non-database user_ids (such as user_ldap), as the database won't recognize the user_id, and the session validation is delayed. (It will affect any such apps where the app user_id matches an existing database user_id though...)

I have a working patch which I will post to fix this issue by skipping session validation during app-load. It's only a few lines, and shouldn't impact session validation (which will happen later in the page load...)

Steps to reproduce

  1. Login using an authentication app (e.g. user_external)
  2. Wait 5+ minutes (or change the timeout at User/Session.php:726)
  3. Attempt to reload the page

Expected behaviour

Page should reload

Actual behaviour

Session is logged out

Server configuration

Operating system: Linux fedora 5.6.6-200.fc31.x86_64 #1 SMP Tue Apr 21 15:34:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Web server: Apache/2.4.43 (Fedora)

Database: mysql Ver 15.1 Distrib 10.3.22-MariaDB,

PHP version: PHP 7.3.17

Nextcloud version: (see Nextcloud admin page) git master

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: git

Signing status:

Signing status

```
Integrity checker has been disabled. Integrity cannot be verified.
```

List of activated apps:

App list

```
Enabled:
 - accessibility: 1.5.0
 - cloud_federation_api: 1.2.0
 - comments: 1.9.0
 - contactsinteraction: 1.0.0
 - dav: 1.15.0
 - federatedfilesharing: 1.9.0
 - federation: 1.9.0
 - files: 1.14.0
 - files_sharing: 1.11.0
 - files_trashbin: 1.9.0
 - files_versions: 1.12.0
 - lookup_server_connector: 1.7.0
 - oauth2: 1.7.0
 - provisioning_api: 1.9.0
 - settings: 1.1.0
 - sharebymail: 1.9.0
 - systemtags: 1.9.0
 - theming: 1.10.0
 - twofactor_backupcodes: 1.8.0
 - updatenotification: 1.9.0
 - user_external: 0.9.1
 - viewer: 1.3.0
 - workflowengine: 2.1.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - testing
 - user_ldap
```

Nextcloud configuration:

Config report

```json
{
  "system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "19.0.0.6",
    "overwrite.cli.url": "/nextcloud-server",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 0, "dbindex": 0, "timeout": 1.5 },
    "loglevel": 2,
    "user_backends": [ { "class": "OC_User_IMAP", "arguments": [ "localhost" ] } ],
    "maintenance": false,
    "app_install_overwrite": [ "user_external" ]
  },
  "apps": {
    "accessibility": { "enabled": "yes", "installed_version": "1.5.0", "types": "" },
    "backgroundjob": { "lastjob": "8" },
    "bruteforcesettings": { "enabled": "no", "installed_version": "1.6.0", "types": "" },
    "cloud_federation_api": { "enabled": "yes", "installed_version": "1.2.0", "types": "filesystem" },
    "comments": { "enabled": "yes", "installed_version": "1.9.0", "types": "logging" },
    "contactsinteraction": { "enabled": "yes", "installed_version": "1.0.0", "types": "dav" },
    "core": {
      "installed.bundles": "[\"CoreBundle\"]",
      "installedat": "1588148078.2364",
      "lastcron": "1588156619",
      "lastupdateResult": "[]",
      "lastupdatedat": "0",
      "oc.integritycheck.checker": "[]",
      "public_files": "files_sharing\/public.php",
      "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
      "theming.variables": "58af664ffb328263ae58cdb8b7f347aa",
      "vendor": "nextcloud"
    },
    "dav": { "buildCalendarReminderIndex": "yes", "buildCalendarSearchIndex": "yes", "enabled": "yes", "installed_version": "1.15.0", "regeneratedBirthdayCalendarsForYearFix": "yes", "types": "filesystem" },
    "federatedfilesharing": { "enabled": "yes", "installed_version": "1.9.0", "types": "" },
    "federation": { "enabled": "yes", "installed_version": "1.9.0", "types": "authentication" },
    "files": { "cronjob_scan_files": "500", "enabled": "yes", "installed_version": "1.14.0", "types": "filesystem" },
    "files_sharing": { "enabled": "yes", "installed_version": "1.11.0", "types": "filesystem" },
    "files_trashbin": { "enabled": "yes", "installed_version": "1.9.0", "types": "filesystem,dav" },
    "files_versions": { "enabled": "yes", "installed_version": "1.12.0", "types": "filesystem,dav" },
    "lookup_server_connector": { "enabled": "yes", "installed_version": "1.7.0", "types": "authentication" },
    "oauth2": { "enabled": "yes", "installed_version": "1.7.0", "types": "authentication" },
    "provisioning_api": { "enabled": "yes", "installed_version": "1.9.0", "types": "prevent_group_restriction" },
    "settings": { "enabled": "yes", "installed_version": "1.1.0", "types": "" },
    "sharebymail": { "enabled": "yes", "installed_version": "1.9.0", "types": "filesystem" },
    "systemtags": { "enabled": "yes", "installed_version": "1.9.0", "types": "logging" },
    "theming": { "enabled": "yes", "installed_version": "1.10.0", "types": "logging" },
    "twofactor_backupcodes": { "enabled": "yes", "installed_version": "1.8.0", "types": "" },
    "updatenotification": { "enabled": "yes", "installed_version": "1.9.0", "types": "" },
    "user_external": { "enabled": "yes", "installed_version": "0.9.1", "types": "prelogin,authentication" },
    "viewer": { "enabled": "yes", "installed_version": "1.3.0", "types": "" },
    "workflowengine": { "enabled": "yes", "installed_version": "2.1.0", "types": "filesystem" }
  }
}
```

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: user_external

Client configuration

Browser: Firefox 75.0

Operating system: MacOS 10.14.6
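As an added illustration (not code from the report or from Nextcloud), a constructed Python model of the request ordering described above: a database backend that knows the uid but holds no password for it, an authentication app whose backend is registered only after app loading, and the 5-minute re-check; the `skip_while_loading` flag switches the proposed fix on. Class and function names are hypothetical.

```python
# Constructed model of the backend ordering in nextcloud/server#20756 (hypothetical names, not Nextcloud's code).
TOKEN_TIMEOUT = 300  # seconds: the 5-minute token re-check the report describes

class Backend:
    """A user backend: knows some uids and can verify their passwords."""
    def __init__(self, name, users):
        self.name, self.users = name, users  # uid -> password; None = no password stored here
    def user_exists(self, uid):
        return uid in self.users
    def check_password(self, uid, password):
        stored = self.users.get(uid)
        return stored is not None and stored == password

class Session:
    def __init__(self, uid, password, login_time):
        self.uid, self.password = uid, password
        self.last_check = login_time
        self.backends = []         # backends registered so far, in load order
        self.loading_apps = False  # True while enabled apps are being filtered/loaded

    def validate(self, now):
        """Model of validateSession() -> checkTokenCredentials(): re-verify every TOKEN_TIMEOUT."""
        if self.uid is None or now - self.last_check < TOKEN_TIMEOUT:
            return
        # Only backends loaded so far can vouch for the uid.
        if not any(b.user_exists(self.uid) for b in self.backends):
            return  # uid unknown to loaded backends (LDAP-style uid): check is delayed
        if any(b.check_password(self.uid, self.password) for b in self.backends):
            self.last_check = now
        else:
            self.uid = None  # session invalidated: user lands on the login screen

    def get_user(self, now, skip_while_loading):
        """Model of User\\Session::getUser(); the fix skips validation during app load."""
        if not (skip_while_loading and self.loading_apps):
            self.validate(now)
        return self.uid

def page_load(session, now, db, auth_app, skip_while_loading):
    """Request order the report describes: DB backend first, getUser() while loading apps,
    then the 'authentication' apps register their backends. Returns True if still logged in."""
    session.backends = [db]
    session.loading_apps = True
    session.get_user(now, skip_while_loading)  # getEnabledApps() asks for the current user here
    session.loading_apps = False
    session.backends.append(auth_app)
    return session.get_user(now, skip_while_loading) is not None  # the later, intended check
```

Run with a uid that exists in both backends and `now` past the timeout: without the skip the user is logged out during app loading, with it the later check succeeds against the external backend.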

szaimen commented 1 year ago

Hi, please update to 24.0.8 or better 25.0.2 and report back if it fixes the issue. Thank you!

sshambar commented 1 year ago

I can confirm the bug still exists in 25.0.2 (just reproduced it on a fresh test install), and that the patch still fixes it :) -- also using the latest user_external v3.1.0.

joshtrichards commented 1 week ago

Closing per https://github.com/nextcloud/server/pull/20757#issuecomment-2293178176

Going to let this get dealt with in the user_external app.