nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Token error in API request #38674

Closed krakazyabra closed 1 year ago

krakazyabra commented 1 year ago


Bug description

Get error

Token is not valid: Token is too short for a generated token, should be the password during basic auth

during API call

curl -X POST https://admin:password@domain.com/ocs/v1.php/cloud/users/Frank/groups -d groupid="new-group"  -H "OCS-APIRequest: true"
full error (debug)

```json
{
  "reqId": "3oiQeu62mqcKZhIUB3g8",
  "level": 0,
  "time": "2023-06-06T15:52:12+02:00",
  "remoteAddr": "10.31.1.173",
  "user": "--",
  "app": "no app in context",
  "method": "POST",
  "url": "/ocs/v1.php/cloud/users/Frank/groups",
  "message": "Token is not valid: Token is too short for a generated token, should be the password during basic auth",
  "userAgent": "curl/7.86.0",
  "version": "26.0.2.1",
  "exception": {
    "Exception": "OC\\Authentication\\Exceptions\\InvalidTokenException",
    "Message": "Token is too short for a generated token, should be the password during basic auth",
    "Code": 0,
    "Trace": [
      { "file": "/var/www/nextcloud/lib/private/Authentication/Token/Manager.php", "line": 132, "function": "getToken", "class": "OC\\Authentication\\Token\\PublicKeyTokenProvider", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/nextcloud/lib/private/User/Session.php", "line": 528, "function": "getToken", "class": "OC\\Authentication\\Token\\Manager", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/nextcloud/lib/private/User/Session.php", "line": 438, "function": "isTokenPassword", "class": "OC\\User\\Session", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/nextcloud/lib/private/User/Session.php", "line": 580, "function": "logClientIn", "class": "OC\\User\\Session", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/nextcloud/lib/base.php", "line": 1137, "function": "tryBasicAuthLogin", "class": "OC\\User\\Session", "type": "->" },
      { "file": "/var/www/nextcloud/ocs/v1.php", "line": 61, "function": "handleLogin", "class": "OC", "type": "::" }
    ],
    "File": "/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php",
    "Line": 155,
    "message": "Token is not valid: Token is too short for a generated token, should be the password during basic auth",
    "exception": { },
    "CustomMessage": "Token is not valid: Token is too short for a generated token, should be the password during basic auth"
  }
}
```

Login and password are valid. I also tried to create an app password and use it, with the same result. It seems the application expects some token, but I'm using a plain password. To prepare the requests I used the official documentation: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_provisioning_api.html

Steps to reproduce

  1. Install latest (26.0.2.1) version
  2. Using admin account create new User (Frank) via API
  3. Put user Frank into new group "new-group" via API

Expected behavior

User Frank is now a member of group "new group". API request returns 200 code and message OK.

Installation method

Community Manual installation with Archive

Nextcloud Server version

26

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

{
    "system": {
        "trusted_domains": [
            "domain.org",
            "domain.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "activity_expire_days": 14,
        "allow_local_remote_servers": true,
        "blacklisted_files": [
            ".htaccess",
            "Thumbs.db",
            "thumbs.db"
        ],
        "cron_log": true,
        "default_phone_region": "CZ",
        "defaultapp": "files,dashboard",
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "filesystem_check_changes": 0,
        "filelocking.enabled": "true",
        "htaccess.RewriteBase": "\/",
        "integrity.check.disabled": false,
        "knowledgebaseenabled": false,
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 0,
        "logtimezone": "Europe\/Prague",
        "log_rotate_size": "104857600",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "overwriteprotocol": "https",
        "preview_max_x": 1024,
        "preview_max_y": 768,
        "preview_max_scale_factor": 1,
        "profile.enabled": false,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 0.5,
            "dbindex": 1
        },
        "quota_include_external_storage": false,
        "skeletondirectory": "",
        "trashbin_retention_obligation": "auto, 7",
        "updater.release.channel": "stable",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "version": "26.0.2.1",
        "overwrite.cli.url": "https:\/\/domain.com",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "overwritehost": "domain.com",
        "mail_smtpmode": "sendmail",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": 25,
        "mail_smtptimeout": 10,
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "social_login_auto_redirect": "true",
        "theme": "mytheme",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "pipe",
        "mail_smtpsecure": "",
        "mail_smtpauth": false,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:
  - activity: 2.18.0
  - admin_audit: 1.16.0
  - calendar: 4.3.4
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contactsinteraction: 1.7.0
  - dav: 1.25.0
  - deck: 1.9.2
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_external: 1.18.0
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - forms: 3.3.0
  - groupquota: 0.1.11
  - impersonate: 1.13.1
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - notes: 4.7.2
  - oauth2: 1.14.0
  - photos: 2.2.0
  - polls: 5.0.5
  - previewgenerator: 5.3.0
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - recommendations: 1.5.0
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - sociallogin: 5.4.3
  - spreed: 16.0.4
  - support: 1.9.0
  - survey_client: 1.14.0
  - systemtags: 1.16.0
  - tasks: 0.15.0
  - text: 3.7.2
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - updatenotification: 1.16.0
  - user_status: 1.6.0
  - user_usage_report: 1.10.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflowengine: 2.8.0
Disabled:
  - bruteforcesettings: 2.6.0
  - circles: 26.0.0 (installed 23.1.1)
  - dashboard: 7.6.0 (installed 7.3.0)
  - encryption: 2.14.0
  - files_versions: 1.19.1 (installed 1.19.1)
  - firstrunwizard: 2.15.0 (installed 2.12.0)
  - mail: 3.1.1 (installed 3.1.1)
  - nextcloud_announcements: 1.15.0 (installed 1.12.0)
  - notifications: 2.14.0 (installed 2.11.1)
  - password_policy: 1.16.0 (installed 1.16.0)
  - related_resources: 1.1.0-alpha1 (installed 1.0.4)
  - richdocuments: 7.1.4 (installed 7.1.4)
  - richdocumentscode: 22.5.1301
  - suspicious_login: 4.4.0
  - twofactor_totp: 8.0.0
  - user_ldap: 1.16.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{
   "reqId":"3oiQeu62mqcKZhIUB3g8",
   "level":0,
   "time":"2023-06-06T15:52:12+02:00",
   "remoteAddr":"10.31.1.173",
   "user":"--",
   "app":"no app in context",
   "method":"POST",
   "url":"/ocs/v1.php/cloud/users/Frank/groups",
   "message":"Token is not valid: Token is too short for a generated token, should be the password during basic auth",
   "userAgent":"curl/7.86.0",
   "version":"26.0.2.1",
   "exception":{
      "Exception":"OC\\Authentication\\Exceptions\\InvalidTokenException",
      "Message":"Token is too short for a generated token, should be the password during basic auth",
      "Code":0,
      "Trace":[
         {
            "file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php",
            "line":132,
            "function":"getToken",
            "class":"OC\\Authentication\\Token\\PublicKeyTokenProvider",
            "type":"->",
            "args":[
               "*** sensitive parameters replaced ***"
            ]
         },
         {
            "file":"/var/www/nextcloud/lib/private/User/Session.php",
            "line":528,
            "function":"getToken",
            "class":"OC\\Authentication\\Token\\Manager",
            "type":"->",
            "args":[
               "*** sensitive parameters replaced ***"
            ]
         },
         {
            "file":"/var/www/nextcloud/lib/private/User/Session.php",
            "line":438,
            "function":"isTokenPassword",
            "class":"OC\\User\\Session",
            "type":"->",
            "args":[
               "*** sensitive parameters replaced ***"
            ]
         },
         {
            "file":"/var/www/nextcloud/lib/private/User/Session.php",
            "line":580,
            "function":"logClientIn",
            "class":"OC\\User\\Session",
            "type":"->",
            "args":[
               "*** sensitive parameters replaced ***"
            ]
         },
         {
            "file":"/var/www/nextcloud/lib/base.php",
            "line":1137,
            "function":"tryBasicAuthLogin",
            "class":"OC\\User\\Session",
            "type":"->"
         },
         {
            "file":"/var/www/nextcloud/ocs/v1.php",
            "line":61,
            "function":"handleLogin",
            "class":"OC",
            "type":"::"
         }
      ],
      "File":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php",
      "Line":155,
      "message":"Token is not valid: Token is too short for a generated token, should be the password during basic auth",
      "exception":{

      },
      "CustomMessage":"Token is not valid: Token is too short for a generated token, should be the password during basic auth"
   }
}

Additional info

No response

joshtrichards commented 1 year ago

Unable to reproduce.

~$ curl -X POST http://ncadmin:ncadminpass@INT.XXX/ocs/v1.php/cloud/users -d userid="frank" -d password="frankpasswordXXX" -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>100</statuscode>
  <message>OK</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data>
  <id>frank</id>
 </data>
</ocs>
~$ curl -X POST http://ncadmin:ncadminpass@INT.XXX/ocs/v1.php/cloud/groups -d groupid="newgroup" -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>100</statuscode>
  <message>OK</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data/>
</ocs>
~$ curl -X POST http://ncadmin:ncadminpass@INT.XXX/ocs/v1.php/cloud/users/frank/groups -d groupid="newgroup" -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>100</statuscode>
  <message>OK</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data/>
</ocs>

(logged in to UI and confirmed that user frank now exists and is a member of newgroup)

Maybe it has something to do with your use of Social Login

krakazyabra commented 1 year ago

Hi @joshtrichards, I see that you use 3 requests: create user, create group, assign this group to user.

But the documentation (and previous versions) says that there can be only 2 requests: create user, assign new group to user (the second request is expected to perform 2 actions: create group, assign it to user). Also, that was working before (I was using the 22nd version).

I was also able to create a group and assign it to a user (create user, create group, assign group to user).

It seems that in the new version you have to create the new group in advance.

joshtrichards commented 1 year ago

What documentation says that? NC22 docs are here still: https://docs.nextcloud.com/server/22/admin_manual/configuration_user/instruction_set_for_users.html#add-user-to-group

And if I try to add a user to a group that doesn't exist I receive the expected 102 (group does not exist).

So none of that explains the token error message you reported. :-)

krakazyabra commented 1 year ago

Maybe I've misunderstood and tried to assign a non-existing group to an existing user. But you can see in the log that there is an error about the token :) The logs say nothing about the group.

joshtrichards commented 1 year ago

Okay I looked at this again and the "Token is too short for generated token" message is normal. It's only showing up because you have your loglevel set to 0. You can safely ignore it (or set your loglevel to something more conventional like 2 and it'll disappear).

What I'm unclear about: Are you now able to "Make User Frank a member of group new group" successfully by calling the API as documented? (And like in my example).
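A log-triage sketch for the behaviour described in this comment, added here as an example (it is not code from the Nextcloud project or from any commenter): it separates `InvalidTokenException` entries logged at level 0 on the basic-auth path, identified by the `isTokenPassword` frame visible in the reported trace, from entries that appear at higher levels, as later comments in this thread report. The sample lines, the `192.0.2.x` addresses and the function names `classify`, `triage` and `sample_line` are constructed for illustration.

```python
import json
from collections import Counter

TOO_SHORT = "Token is too short for a generated token"
EXC = "OC\\Authentication\\Exceptions\\InvalidTokenException"
BASIC_AUTH_TRACE = ["getToken", "getToken", "isTokenPassword", "logClientIn", "tryBasicAuthLogin"]

def classify(entry):
    """Return 'other', 'debug-noise' (password probed as a token, level 0) or 'review'."""
    exc = entry.get("exception")
    if not isinstance(exc, dict) or not str(exc.get("Exception", "")).endswith("InvalidTokenException"):
        return "other"
    frames = {f.get("function") for f in (exc.get("Trace") or []) if isinstance(f, dict)}
    probe = str(exc.get("Message", "")).startswith(TOO_SHORT) and "isTokenPassword" in frames
    return "debug-noise" if probe and entry.get("level") == 0 else "review"

def triage(lines):
    """Count entries per class and tally source addresses of the ones to review."""
    counts, review_by_addr = Counter(), Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            counts["unparsed"] += 1  # truncated or non-JSON line
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind == "review":
            review_by_addr[entry.get("remoteAddr", "?")] += 1
    return counts, review_by_addr

def sample_line(level, addr, message, functions):
    """Build one constructed log line with the fields the issue's entry has."""
    exc = {"Exception": EXC, "Message": message, "Trace": [{"function": n} for n in functions]}
    return json.dumps({"level": level, "remoteAddr": addr, "message": message, "exception": exc})

# Constructed sample input; addresses are documentation ranges, not taken from the issue.
FULL = TOO_SHORT + ", should be the password during basic auth"
SAMPLE = [
    sample_line(0, "192.0.2.10", FULL, BASIC_AUTH_TRACE),
    sample_line(2, "192.0.2.20", FULL, BASIC_AUTH_TRACE),
    sample_line(2, "192.0.2.20", "Token does not exist: token does not exist", ["getToken"]),
    json.dumps({"level": 1, "remoteAddr": "192.0.2.10", "message": "constructed non-exception entry"}),
    "truncated {",
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed it the lines of the file named by `logfile` in `config.php`; anything counted under `review` is worth correlating with the `remoteAddr` and `userAgent` fields of the same entries.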

krakazyabra commented 1 year ago

Hi! Yes, now it is clear. User was created, group was created, group was assigned to user.

j-ed commented 1 year ago

After updating Nextcloud to the latest version several users have reported the same issue. See here:

https://help.nextcloud.com/t/token-is-too-short-for-a-generated-token-should-be-the-password-during-basic-auth/173064

shawnhaywood commented 1 year ago

I have my config.php log level set at 2, but still get these errors.

Sieboldianus commented 1 year ago

Yes, since yesterday's automatic update to 27.1.3, I see about 25 logs of this sort, on a server for 3 people.

[Update]

A few more days and my logs are flooded with these entries every single day.

BenS89 commented 1 year ago

Same here with 27.1.3

CampusCityNord commented 1 year ago

I am trying to connect Moodle to Nextcloud to use the repos. With an older version 25.0.13 it works fine, but not with 27.1.3, where I also get this message: OC\Authentication\Exceptions\InvalidTokenException: Token is too short for a generated token, should be the password during basic auth and OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist

BloodyIron commented 1 year ago

I am seeing these errors in my logs even with log level set to 2:

OC\Authentication\Exceptions\InvalidTokenException: Token is too short for a generated token, should be the password during basic auth

Seems to happen periodically. Unsure what to do about it.

shawnhaywood commented 1 year ago

The advice I've seen is to increase your log level to 3 in the config.php. I would also like to resolve the warning.