nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

App Passwords disappear in personal settings and are revoked shortly after (11.0.1/2/3) #4535

Closed eggithub closed 7 years ago

eggithub commented 7 years ago
### Steps to reproduce

1. Upgrade nextcloud
2. Create App Password
3. Browser Refresh personal settings page
4. App password has disappeared
5. App password is revoked shortly after (but can be used for a short period of time)

Note: also session log shows 1000 entries in personal settings dating back from 6 to 9 months ago

### Expected behaviour

App Password entry should be listed

### Actual behaviour

Instead App Password has disappeared

### Server configuration

**Operating system**: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux

**Web server:** Server version: Apache/2.4.23 (Debian) Server built: 2016-11-19T23:33:13

**Database:** Server version 5.5.54-0+deb8u1-log

**PHP version:** PHP 5.6.30-0+deb8u1 (cli) (built: Feb 8 2017 08:50:21)

**Nextcloud version:** (see Nextcloud admin page) 11.01/2/3

**Updated from an older Nextcloud/ownCloud or fresh install:** Update from nextcloud and owncloud

**Where did you install Nextcloud from:** installed from downloaded archive from nextcloud downloads

**Signing status:**
Signing status

```
No errors have been found.
```

**List of activated apps:**
App list

```
Enabled:
  - activity: 2.4.1
  - bookmarks: 0.9.1
  - calendar: 1.5.2
  - comments: 1.1.0
  - contacts: 1.5.3
  - dav: 1.1.1
  - external: true
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_external: 1.1.2
  - files_markdown: 1.0.1
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.6.3
  - news: 10.2.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - tasks: 0.9.5
  - templateeditor: 0.2
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - twofactor_totp: 1.1.0
  - updatenotification: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - admin_audit
  - encryption
  - files_accesscontrol
  - files_automatedtagging
  - files_retention
  - user_external
  - user_ldap
  - user_saml
```

**Nextcloud configuration:**
Config report

```
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "\/backup\/cloud\/data",
        "dbtype": "mysql",
        "version": "11.0.3.2",
        "dbname": "owncloud",
        "dbhost": "***REMOVED SENSITIVE VALUE**",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE**",
        "loglevel": 3,
        "logtimezone": "***REMOVED SENSITIVE VALUE**",
        "overwritehost": "",
        "maintenance": false,
        "maxZipInputSize": 838860800,
        "allowZipDownload": true,
        "theme": "",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE**"
        ],
        "forcessl": true,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "preview_max_scale_factor": 1,
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\Illustrator",
            "OC\\Preview\\Postscript",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\TIFF"
        ],
        "trashbin_retention_obligation": "auto",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE**",
            "port": ***REMOVED SENSITIVE VALUE**,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "appstore.experimental.enabled": false,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "singleuser": false
    }
}
```

**Are you using external storage, if yes which one:** local/smb/sftp/... LOCAL is configured but not for the user that has this issue

**Are you using encryption:** yes/no NO

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/... NO

### Client configuration

**Browser:** Firefox

**Operating system:** Windows10/Ubuntu/Debian

### Logs

#### Web server error log
Web server error log

```
Lots of:
[DATE TIME YEAR] [access_compat:error] [pid xxxxx] [client xxx.xxx.xxx.xxx:xxxxx] AH01797: client denied by server configuration: /var/www/dav
[DATE TIME YEAR] [access_compat:error] [pid xxxxx] [client xxx.xxx.xxx.xxx:xxxxx] AH01797: client denied by server configuration: /var/www/webdav
probably apache binding config issue, no harm here...
```

#### Nextcloud log (data/nextcloud.log)
Nextcloud log

```
N/A
```

#### Browser log
Browser log

```
N/A
```

jancborchardt commented 7 years ago

cc @ChristophWurst

willianm commented 7 years ago

This issue is also happening with me when I change the Ldap password. Is it expected to disappear when I change the password in Ldap?

Edit: Never mind, I found issue #2581. Thanks!

ChristophWurst commented 7 years ago

> This issue is also happening with me when I change the Ldap password. Is it expected to disappear when I change the password in Ldap?

Yes 😉

jk111 commented 7 years ago

While upgrading from 11.0.2 to 11.0.3, my users' app passwords all vanished as well. Using LDAP backend.

ChristophWurst commented 7 years ago

> While upgrading from 11.0.2 to 11.0.3, my users' app passwords all vanished as well. Using LDAP backend.

May I assume that while you did the update, clients (mobile, desktop) were connected? We've fixed this scenario, see https://github.com/nextcloud/server/pull/4289

This patch was also backported to 11.0.3: https://github.com/nextcloud/server/pull/4290

ChristophWurst commented 7 years ago

@eggithub did the passwords vanish when your instance was either updated or in maintenance mode?

eggithub commented 7 years ago

@ChristophWurst, no, they just disappear outside update and/or maintenance mode. I create an app password with some name, click copy, fill in in the designated app, click done, refresh personal page and app password is gone.

ChristophWurst commented 7 years ago

> @ChristophWurst, no, they just disappear outside update and/or maintenance mode. I create an app password with some name, click copy, fill in in the designated app, click done, refresh personal page and app password is gone.

Okay. So you had not even used the password right? This is a different issue ofc.

eggithub commented 7 years ago

> Okay. So you had not even used the password right? This is a different issue ofc.

Yes, that is correct

jk111 commented 7 years ago

Before updating I used a .htaccess file to disconnect all clients by denying them. However, upon updating I forgot to move the .htaccess to the new web server root, so it's very possible clients reconnected, causing it.

I will keep my eye on future updates and let you know if the issue re-appears.

MorrisJobke commented 7 years ago

This is not a blocker for 12. - removing milestone

eggithub commented 7 years ago

issue still persists in version 12.0.0

sumnerboy12 commented 7 years ago

Hi - I am seeing this on a recent upgrade from ownCloud -> NextCloud v12. I have enabled TOTP 2FA and added a number of app passwords, which are all still working (for the last 24 hours). As soon as I refresh the /settings/personal page however, the list of app passwords is empty. Therefore I am unable to revoke. I am hoping this is just a UI/display issue as I have just updated about 6 users/devices to 2FA.

eggithub commented 7 years ago

I'm still having this issue and I was wondering what I could do to help. My instance has been upgraded over the years from very old owncloud to eventually nextcloud 12. Could this issue be database related? What could I check/do to speed up the process of resolving this issue? For me the feature is very important...

cheers!

eggithub commented 7 years ago

Since the whole Security/AppPassword structure also changed, I'm closing this issue!

segdy commented 6 years ago

I am facing exactly the same problem: Huge activity list (back to one year+); when creating an app password and either hitting "Erledigt" (="done") button or refreshing the page the passwords are gone!

Latest nextCloud 12. Also LDAP auth.

Why is this issue marked as Closed?

ChristophWurst commented 6 years ago

> Why is this issue marked as Closed?

https://github.com/nextcloud/server/issues/4535#issuecomment-323699747

Please file a new ticket. Thank you.