nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
27.54k stars 4.08k forks source link

[Bug]: App passwords are invalidated WebDav login fails #39615

Open k-jell opened 1 year ago

k-jell commented 1 year ago

⚠️ This issue respects the following points: ⚠️

Bug description

I'm trying to use app passwords to mount webDAV shares. To create the app passwords I use the occ command php occ user:add-app-password --password-from-env someuser. For mounting I use davfs2 (password set in the secrets file). After creating a fresh app password mounting the share does work for a while (some 5-15 minutes I would say, but it feels random). After that mounting fails bacause the Basic Auth is rejected, so the password apparently stops working: /sbin/mount.davfs: Mounting failed. Could not authenticate to server: rejected Basic challenge

In the nextcloud logs there is this: [core] Warning: Login failed: 'loginbot' (Remote IP: '172.17.0.1')

There is the sociallogin app enabled and set up for authentication using Oauth. But the issue also arises, when creating a user through the CLI which never logs in using a web client or Oauth or anything like that.

To debug it further I have set up a sql trigger, that throws an error, when the password_invalid field is set in the oc_authtkoen table. In the stacktrace it looks like this password check fails, which causes the invalidation (but it's probably not the root of the bug since the password check fails for some other reason).: https://github.com/nextcloud/server/blob/f3bdcfd4272f6caeac1fc5d78aa93cdca2f5d519/lib/private/User/Session.php#L759-L764

Maybe related: https://github.com/nextcloud/server/issues/37637 https://help.nextcloud.com/t/app-tokens-being-set-to-password-invalid-repeatedly/94557

Steps to reproduce

  1. create a user using the occ command php occ user:add someuser
  2. create an app password using the occ command php occ user:add-app-password --password-from-env someuser
  3. mount the webdav using davfs2
  4. wait 5-10 minutes
  5. unmount the webdav share
  6. try to mount the webdav share again

Expected behavior

Webdav share is successfully mounted every time.

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

None

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

Configuration report

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "overwriteprotocol": "http",
        "objectstore": {
            "class": "\\OC\\Files\\ObjectStore\\S3",
            "arguments": {
                "bucket": "nextcloud27",
                "region": "optional",
                "hostname": "xxx.xxx.xxx.xxx",
                "port": "9970",
                "objectPrefix": "urn:oid:",
                "autocreate": true,
                "use_ssl": false,
                "use_path_style": true,
                "legacy_auth": false,
                "key": "***REMOVED SENSITIVE VALUE***",
                "secret": "***REMOVED SENSITIVE VALUE***"
            }
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "xxx.xxx.xxx.xxx",
            "domain.example.org"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.0.1.2",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "social_login_auto_redirect": "true",
        "loglevel": 2,
        "maintenance": false
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - calendar: 4.4.3
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.3.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_pdfviewer: 2.8.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - onlyoffice: 8.1.0
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - richdocumentscode: 23.5.104
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - sociallogin: 5.4.3
  - support: 1.10.0
  - survey_client: 1.15.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0
  - encryption: 2.15.0
  - files_external: 1.19.0
  - suspicious_login: 5.0.0
  - twofactor_totp: 9.0.0
  - user_ldap: 1.17.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

[no app in context] Error: OC\DB\Exceptions\DbalException: An exception occurred while executing a query: SQLSTATE[45000]: <<Unknown error>>: 1644 You will not invalidate my password bro  at <<closure>>

 0. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 328
    OC\DB\Exceptions\DbalException::wrap(["Doctrine\\DBAL ... "])
 1. /var/www/html/lib/public/AppFramework/Db/QBMapper.php line 219
    OC\DB\QueryBuilder\QueryBuilder->executeStatement()
 2. /var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php line 483
    OCP\AppFramework\Db\QBMapper->update("*** sensitive parameters replaced ***")
 3. /var/www/html/lib/private/Authentication/Token/Manager.php line 237
    OC\Authentication\Token\PublicKeyTokenProvider->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 4. /var/www/html/lib/private/User/Session.php line 761
    OC\Authentication\Token\Manager->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 5. /var/www/html/lib/private/User/Session.php line 800
    OC\User\Session->checkTokenCredentials("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 6. /var/www/html/lib/private/User/Session.php line 352
    OC\User\Session->validateToken("*** sensitive parameters replaced ***")
 7. /var/www/html/lib/private/User/Session.php line 452
    OC\User\Session->login("*** sensitive parameters replaced ***")
 8. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 114
    OC\User\Session->logClientIn("*** sensitive parameters replaced ***")
 9. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php line 103
    OCA\DAV\Connector\Sabre\Auth->validateUserPass("*** sensitive parameters replaced ***")
10. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 232
    Sabre\DAV\Auth\Backend\AbstractBasic->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
11. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 139
    OCA\DAV\Connector\Sabre\Auth->auth(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
12. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 179
    OCA\DAV\Connector\Sabre\Auth->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
13. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 135
    Sabre\DAV\Auth\Plugin->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
14. /var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
    Sabre\DAV\Auth\Plugin->beforeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
15. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 456
    Sabre\DAV\Server->emit("beforeMethod:OPTIONS", [["Sabre\\HTTP\\ ... ]])
16. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 253
    Sabre\DAV\Server->invokeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
17. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 321
    Sabre\DAV\Server->start()
18. /var/www/html/apps/dav/lib/Server.php line 364
    Sabre\DAV\Server->exec()
19. /var/www/html/apps/dav/appinfo/v2/remote.php line 35
    OCA\DAV\Server->exec()
20. /var/www/html/remote.php line 172
    require_once("/var/www/html/a ... p")

Caused by:

Doctrine\DBAL\Exception\DriverException: An exception occurred while executing a query: SQLSTATE[45000]: <<Unknown error>>: 1644 You will not invalidate my password bro  at <<closure>>

 0. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1814
    Doctrine\DBAL\Driver\API\MySQL\ExceptionConverter->convert(["Doctrine\\DBAL ... "], ["Doctrine\\DBAL\\Query"])
 1. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1749
    Doctrine\DBAL\Connection->handleDriverException(["Doctrine\\DBAL ... "], ["Doctrine\\DBAL\\Query"])
 2. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1163
    Doctrine\DBAL\Connection->convertExceptionDuringQuery(["Doctrine\\DBAL ... "], "UPDATE `oc_auth ... ?", [true,30], [5,1])
 3. /var/www/html/lib/private/DB/Connection.php line 295
    Doctrine\DBAL\Connection->executeStatement("UPDATE `oc_auth ... ?", [true,30], [5,1])
 4. /var/www/html/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php line 354
    OC\DB\Connection->executeStatement("UPDATE `oc_auth ... 2", [true,30], [5,1])
 5. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 280
    Doctrine\DBAL\Query\QueryBuilder->execute()
 6. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 326
    OC\DB\QueryBuilder\QueryBuilder->execute()
 7. /var/www/html/lib/public/AppFramework/Db/QBMapper.php line 219
    OC\DB\QueryBuilder\QueryBuilder->executeStatement()
 8. /var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php line 483
    OCP\AppFramework\Db\QBMapper->update("*** sensitive parameters replaced ***")
 9. /var/www/html/lib/private/Authentication/Token/Manager.php line 237
    OC\Authentication\Token\PublicKeyTokenProvider->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
10. /var/www/html/lib/private/User/Session.php line 761
    OC\Authentication\Token\Manager->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
11. /var/www/html/lib/private/User/Session.php line 800
    OC\User\Session->checkTokenCredentials("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
12. /var/www/html/lib/private/User/Session.php line 352
    OC\User\Session->validateToken("*** sensitive parameters replaced ***")
13. /var/www/html/lib/private/User/Session.php line 452
    OC\User\Session->login("*** sensitive parameters replaced ***")
14. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 114
    OC\User\Session->logClientIn("*** sensitive parameters replaced ***")
15. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php line 103
    OCA\DAV\Connector\Sabre\Auth->validateUserPass("*** sensitive parameters replaced ***")
16. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 232
    Sabre\DAV\Auth\Backend\AbstractBasic->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
17. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 139
    OCA\DAV\Connector\Sabre\Auth->auth(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
18. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 179
    OCA\DAV\Connector\Sabre\Auth->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
19. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 135
    Sabre\DAV\Auth\Plugin->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
20. /var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
    Sabre\DAV\Auth\Plugin->beforeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
21. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 456
    Sabre\DAV\Server->emit("beforeMethod:OPTIONS", [["Sabre\\HTTP\\ ... ]])
22. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 253
    Sabre\DAV\Server->invokeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
23. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 321
    Sabre\DAV\Server->start()
24. /var/www/html/apps/dav/lib/Server.php line 364
    Sabre\DAV\Server->exec()
25. /var/www/html/apps/dav/appinfo/v2/remote.php line 35
    OCA\DAV\Server->exec()
26. /var/www/html/remote.php line 172
    require_once("/var/www/html/a ... p")

Caused by:

Doctrine\DBAL\Driver\PDO\Exception: SQLSTATE[45000]: <<Unknown error>>: 1644 You will not invalidate my password bro  at <<closure>>

 0. /var/www/html/3rdparty/doctrine/dbal/src/Driver/PDO/Statement.php line 103
    Doctrine\DBAL\Driver\PDO\Exception::new(["PDOException", ... ]])
 1. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1153
    Doctrine\DBAL\Driver\PDO\Statement->execute()
 2. /var/www/html/lib/private/DB/Connection.php line 295
    Doctrine\DBAL\Connection->executeStatement("UPDATE `oc_auth ... ?", [true,30], [5,1])
 3. /var/www/html/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php line 354
    OC\DB\Connection->executeStatement("UPDATE `oc_auth ... 2", [true,30], [5,1])
 4. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 280
    Doctrine\DBAL\Query\QueryBuilder->execute()
 5. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 326
    OC\DB\QueryBuilder\QueryBuilder->execute()
 6. /var/www/html/lib/public/AppFramework/Db/QBMapper.php line 219
    OC\DB\QueryBuilder\QueryBuilder->executeStatement()
 7. /var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php line 483
    OCP\AppFramework\Db\QBMapper->update("*** sensitive parameters replaced ***")
 8. /var/www/html/lib/private/Authentication/Token/Manager.php line 237
    OC\Authentication\Token\PublicKeyTokenProvider->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 9. /var/www/html/lib/private/User/Session.php line 761
    OC\Authentication\Token\Manager->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
10. /var/www/html/lib/private/User/Session.php line 800
    OC\User\Session->checkTokenCredentials("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
11. /var/www/html/lib/private/User/Session.php line 352
    OC\User\Session->validateToken("*** sensitive parameters replaced ***")
12. /var/www/html/lib/private/User/Session.php line 452
    OC\User\Session->login("*** sensitive parameters replaced ***")
13. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 114
    OC\User\Session->logClientIn("*** sensitive parameters replaced ***")
14. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php line 103
    OCA\DAV\Connector\Sabre\Auth->validateUserPass("*** sensitive parameters replaced ***")
15. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 232
    Sabre\DAV\Auth\Backend\AbstractBasic->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
16. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 139
    OCA\DAV\Connector\Sabre\Auth->auth(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
17. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 179
    OCA\DAV\Connector\Sabre\Auth->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
18. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 135
    Sabre\DAV\Auth\Plugin->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
19. /var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
    Sabre\DAV\Auth\Plugin->beforeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
20. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 456
    Sabre\DAV\Server->emit("beforeMethod:OPTIONS", [["Sabre\\HTTP\\ ... ]])
21. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 253
    Sabre\DAV\Server->invokeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
22. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 321
    Sabre\DAV\Server->start()
23. /var/www/html/apps/dav/lib/Server.php line 364
    Sabre\DAV\Server->exec()
24. /var/www/html/apps/dav/appinfo/v2/remote.php line 35
    OCA\DAV\Server->exec()
25. /var/www/html/remote.php line 172
    require_once("/var/www/html/a ... p")

Caused by:

PDOException: SQLSTATE[45000]: <<Unknown error>>: 1644 You will not invalidate my password bro  at <<closure>>

 0. /var/www/html/3rdparty/doctrine/dbal/src/Driver/PDO/Statement.php line 101
    PDOStatement->execute(null)
 1. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1153
    Doctrine\DBAL\Driver\PDO\Statement->execute()
 2. /var/www/html/lib/private/DB/Connection.php line 295
    Doctrine\DBAL\Connection->executeStatement("UPDATE `oc_auth ... ?", [true,30], [5,1])
 3. /var/www/html/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php line 354
    OC\DB\Connection->executeStatement("UPDATE `oc_auth ... 2", [true,30], [5,1])
 4. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 280
    Doctrine\DBAL\Query\QueryBuilder->execute()
 5. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 326
    OC\DB\QueryBuilder\QueryBuilder->execute()
 6. /var/www/html/lib/public/AppFramework/Db/QBMapper.php line 219
    OC\DB\QueryBuilder\QueryBuilder->executeStatement()
 7. /var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php line 483
    OCP\AppFramework\Db\QBMapper->update("*** sensitive parameters replaced ***")
 8. /var/www/html/lib/private/Authentication/Token/Manager.php line 237
    OC\Authentication\Token\PublicKeyTokenProvider->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 9. /var/www/html/lib/private/User/Session.php line 761
    OC\Authentication\Token\Manager->markPasswordInvalid("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
10. /var/www/html/lib/private/User/Session.php line 800
    OC\User\Session->checkTokenCredentials("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
11. /var/www/html/lib/private/User/Session.php line 352
    OC\User\Session->validateToken("*** sensitive parameters replaced ***")
12. /var/www/html/lib/private/User/Session.php line 452
    OC\User\Session->login("*** sensitive parameters replaced ***")
13. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 114
    OC\User\Session->logClientIn("*** sensitive parameters replaced ***")
14. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php line 103
    OCA\DAV\Connector\Sabre\Auth->validateUserPass("*** sensitive parameters replaced ***")
15. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 232
    Sabre\DAV\Auth\Backend\AbstractBasic->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
16. /var/www/html/apps/dav/lib/Connector/Sabre/Auth.php line 139
    OCA\DAV\Connector\Sabre\Auth->auth(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
17. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 179
    OCA\DAV\Connector\Sabre\Auth->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
18. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 135
    Sabre\DAV\Auth\Plugin->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
19. /var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
    Sabre\DAV\Auth\Plugin->beforeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
20. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 456
    Sabre\DAV\Server->emit("beforeMethod:OPTIONS", [["Sabre\\HTTP\\ ... ]])
21. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 253
    Sabre\DAV\Server->invokeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
22. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 321
    Sabre\DAV\Server->start()
23. /var/www/html/apps/dav/lib/Server.php line 364
    Sabre\DAV\Server->exec()
24. /var/www/html/apps/dav/appinfo/v2/remote.php line 35
    OCA\DAV\Server->exec()
25. /var/www/html/remote.php line 172
    require_once("/var/www/html/a ... p")

OPTIONS /remote.php/dav/files/loginbot/
from 172.17.0.1 at 2023-07-28T11:39:04+00:00

[webdav] Error: Sabre\DAV\Exception\ServiceUnavailable: OC\DB\Exceptions\DbalException: An exception occurred while executing a query: SQLSTATE[45000]: <<Unknown error>>: 1644 You will not invalidate my password bro  at <<closure>>

0. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 179
   OCA\DAV\Connector\Sabre\Auth->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
1. /var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 135
   Sabre\DAV\Auth\Plugin->check(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
2. /var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
   Sabre\DAV\Auth\Plugin->beforeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
3. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 456
   Sabre\DAV\Server->emit("beforeMethod:OPTIONS", [["Sabre\\HTTP\\ ... ]])
4. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 253
   Sabre\DAV\Server->invokeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
5. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 321
   Sabre\DAV\Server->start()
6. /var/www/html/apps/dav/lib/Server.php line 364
   Sabre\DAV\Server->exec()
7. /var/www/html/apps/dav/appinfo/v2/remote.php line 35
   OCA\DAV\Server->exec()
8. /var/www/html/remote.php line 172
   require_once("/var/www/html/a ... p")

OPTIONS /remote.php/dav/files/loginbot/
from 172.17.0.1 at 2023-07-28T11:39:04+00:00

Additional info

I am using the sociallogin plugin where I configured a custom provider to connect via Oauth. Not sure how this plays into the issue.

joshtrichards commented 1 year ago

Hi @k-jell -

There is the sociallogin app enabled and set up for authentication using Oauth. But the issue also arises, when creating a user through the CLI which never logs in using a web client or Oauth or anything like that. [..] I am using the sociallogin plugin where I configured a custom provider to connect via Oauth. Not sure how this plays into the issue.

I'm not sure either. Any way you can test with socialogin disabled? Also, does it make any difference if you log in as the target user via the web interface and create their app password there? Lastly, any chance you're also seeing Nextcloud log entries that say App token login name does not match around the same time period?

P.S. Might be worth testing this to see if there's a change in behavior (if it's an option in your environment - there are caveats): https://github.com/nextcloud/server/issues/37637#issuecomment-1510979672

k-jell commented 1 year ago

I'm not sure either. Any way you can test with socialogin disabled? Also, does it make any difference if you log in as the target user via the web interface and create their app password there? Lastly, any chance you're also seeing Nextcloud log entries that say App token login name does not match around the same time period?

After some further testing:

  1. The bug doesn't seem to appear when the app password is created through the web interface.
  2. The bug does appear with passwords created through the cli even with sociallogin disabled.

There are no App token login name does not match messages in the log though.