Open wshanks opened 7 years ago
cc @nickvergessen @LukasReschke
cc @ChristophWurst
I see the problem, but I don't really have an idea how this could be done.
Just another point of view: I have a server in a different timezone than the one I'm sitting in. Times are correct (UTC is the same), but Nextcloud refuses to log me in with the confirm dialog.
Hi, please update to at least 23.0.12 and report back if it fixes the issue. Thank you!
Still an issue.
on 25?
Yes, 25.0.1 and also master; those parts were never touched, as we also don't know how.
When checking the timeout for certain admin actions like creating a user or adding an app, it seems that Nextcloud compares the last authentication time on the server against the client's current time. If the server and client clocks are not synchronized and are off by more than the timeout, it is impossible to authenticate because the server always sees the new authentication as happening too long ago already. Of course, it is good practice to keep clocks synchronized anyway, but Nextcloud should compare two times on the server, not one on the server and one on the client. Otherwise, the timeout could be bypassed by someone setting the client's clock back.
If you need more information, see #2734 which I created for this problem. It was opened with a generic title about password authentication and then closed with a fix for an LDAP problem that was identified, but this is a separate password authentication problem from that.
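
The comparison described in the report above, as an added example that is not part of the original issue and is not Nextcloud's code: it contrasts a freshness check that mixes a server-issued timestamp with the client's clock against a guard that stamps and checks with the server clock only. The 30-minute window, the session id and all function and class names are assumptions made for illustration.

```javascript
// Added illustration; names and the 30-minute window are assumptions, not Nextcloud code.
const CONFIRM_WINDOW_S = 30 * 60;

// Pattern from the report: server-issued timestamp compared with the client's clock.
function clientSideIsFresh(lastConfirmServerTs, clientNowTs) {
  return clientNowTs - lastConfirmServerTs < CONFIRM_WINDOW_S;
}

// Server-side guard: both timestamps come from the same (server) clock.
class ConfirmationGuard {
  constructor(serverClock) {
    this.now = serverClock;        // function returning server epoch seconds
    this.lastConfirm = new Map();  // sessionId -> server epoch seconds
  }
  recordConfirmation(sessionId) {
    this.lastConfirm.set(sessionId, this.now());
  }
  // Remaining validity in seconds; 0 means the password must be re-entered.
  // A duration, unlike an absolute timestamp, is safe to hand to a skewed client.
  remainingSeconds(sessionId) {
    const ts = this.lastConfirm.get(sessionId);
    if (ts === undefined) return 0;
    const age = this.now() - ts;
    // Negative age means the server clock stepped backwards: fail closed.
    if (age < 0 || age >= CONFIRM_WINDOW_S) return 0;
    return CONFIRM_WINDOW_S - age;
  }
  authorize(sessionId) {
    return this.remainingSeconds(sessionId) > 0;
  }
}

// Constructed scenario: confirm at server time T, then check elapsedS seconds
// later from a client whose clock is offset by clientSkewS seconds.
function simulate(clientSkewS, elapsedS) {
  let serverNow = 1700000000;
  const guard = new ConfirmationGuard(() => serverNow);
  guard.recordConfirmation("s1");
  const stamped = serverNow;
  serverNow += elapsedS;
  return {
    clientCheck: clientSideIsFresh(stamped, serverNow + clientSkewS),
    serverCheck: guard.authorize("s1"),
  };
}
```

With a client clock one hour ahead, `simulate(3600, 1)` shows the client-side check failing one second after a successful confirmation, which is the re-prompt loop reported here; the server-side check is unaffected by the skew in either direction.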