core
[QA] misleading message sent to client, when token_auth_enforced is true
Seen with core 10.14.0 and desktop client 5.3.1
Pre-submission Checks
- [X] I checked for similar issues, but could not find any. I also checked the closed issues. I could not contribute additional information to any existing issue.
- [X] I will take the time to fill in all the required fields. I know that the bug report may be dismissed otherwise due to lack of information.
Describe the QA issue
Basic auth can be prevented by
`occ config:system:set token_auth_enforced --type boolean --value true`
- This does not stop existing client connections, they happily refresh tokens, etc - Okayish...
- This causes fresh client login via basic auth to fail. OK.
- But the error messages are misleading:
Client log says
24-06-26 17:15:13:577 [ info sync.httplogger ]: "ec8ea10b-0fb0-4bd6-b897-31ff1de1391e: Response: GET 302 (49ms) https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/.well-known/webfinger?resource=https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works Header: { Date: Wed, 26 Jun 2024 15:15:13 GMT, Server: Apache/2.4.41 (Ubuntu), Strict-Transport-Security: max-age=15552000; includeSubDomains, X-Content-Type-Options: nosniff, X-XSS-Protection: 0, X-Robots-Tag: none, X-Frame-Options: SAMEORIGIN, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Set-Cookie: oct9gfiu0zch=eletXXXXXXXXXXXXXXXXXXXXvo; path=/; secure; HttpOnly\noc_sessionPassphrase=CzXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxyANur8pN7cGbevGRs; expires=Wed, 26-Jun-2024 15:35:13 GMT; Max-Age=1200; path=/; secure; HttpOnly; SameSite=Strict, Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *, Location: https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/login, Content-Length: 0, Keep-Alive: timeout=5, max=100, Connection: Keep-Alive, Content-Type: text/html; charset=UTF-8, } Data: []"
24-06-26 17:15:13:577 [ warning gui.jobs.discoverwebfinger ]: server sent invalid content type: "text/html; charset=UTF-8"
24-06-26 17:15:13:579 [ info sync.httplogger ]: "ecfa62c0-6b00-4645-8afe-471412caf67a: Request: GET https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/status.php Header: { User-Agent: Mozilla/5.0 (Linux) mirall/5.3.1.14019 (testpilotcloud, linuxmint-5.4.0-177-generic ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_US, X-Request-ID: ecfa62c0-6b00-4645-8afe-471412caf67a, Original-Request-ID: ecfa62c0-6b00-4645-8afe-471412caf67a, Cookie: oct9gfiu0zch=eletXXXXXXXXXXXXXXXXXXXXvo; oc_sessionPassphrase=CzXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxyANur8pN7cGbevGRs, } Data: []"
24-06-26 17:15:13:598 [ info sync.httplogger ]: "ecfa62c0-6b00-4645-8afe-471412caf67a: Response: GET 200 (19ms) https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/status.php Header: { Date: Wed, 26 Jun 2024 15:15:13 GMT, Server: Apache/2.4.41 (Ubuntu), Strict-Transport-Security: max-age=15552000; includeSubDomains, X-Content-Type-Options: nosniff, X-XSS-Protection: 0, X-Robots-Tag: none, X-Frame-Options: SAMEORIGIN, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Set-Cookie: oc_sessionPassphrase=CzXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxyANur8pN7cGbevGRs; expires=Wed, 26-Jun-2024 15:35:13 GMT; Max-Age=1200; path=/; secure; HttpOnly; SameSite=Strict, Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *, Access-Control-Allow-Origin: *, Content-Length: 177, Keep-Alive: timeout=5, max=99, Connection: Keep-Alive, Content-Type: application/json, } Data: [{\"installed\":true,\"maintenance\":false,\"needsDbUpgrade\":false,\"version\":\"10.14.0.3\",\"versionstring\":\"10.14.0\",\"edition\":\"Community\",\"productname\":\"ownCloud\",\"product\":\"ownCloud\"}]"
24-06-26 17:15:13:598 [ info gui.wizard.resolveurl ]: QUrl("https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works") was redirected to QUrl("https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/")
24-06-26 17:15:13:598 [ info gui.wizard.resolveurl ]: redirect accepted automatically
24-06-26 17:15:13:599 [ info sync.httplogger ]: "a3c5097d-b2e0-4b93-a45a-99c9cf7caddb: Request: PROPFIND https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/remote.php/webdav/ Header: { User-Agent: Mozilla/5.0 (Linux) mirall/5.3.1.14019 (testpilotcloud, linuxmint-5.4.0-177-generic ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_US, Content-Type: text/xml; charset=utf-8, X-Request-ID: a3c5097d-b2e0-4b93-a45a-99c9cf7caddb, Original-Request-ID: a3c5097d-b2e0-4b93-a45a-99c9cf7caddb, Cookie: oct9gfiu0zch=eletXXXXXXXXXXXXXXXXXXXXvo; oc_sessionPassphrase=CzXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxyANur8pN7cGbevGRs, } Data: []"
24-06-26 17:15:13:621 [ info sync.httplogger ]: "a3c5097d-b2e0-4b93-a45a-99c9cf7caddb: Response: PROPFIND 401 (Error: Host requires authentication,21ms) https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/remote.php/webdav/ Header: { Date: Wed, 26 Jun 2024 15:15:13 GMT, Server: Apache/2.4.41 (Ubuntu), Strict-Transport-Security: max-age=15552000; includeSubDomains, X-Content-Type-Options: nosniff, X-XSS-Protection: 0, X-Robots-Tag: none, X-Frame-Options: SAMEORIGIN, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Set-Cookie: oc_sessionPassphrase=CzXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxyANur8pN7cGbevGRs; expires=Wed, 26-Jun-2024 15:35:13 GMT; Max-Age=1200; path=/; secure; HttpOnly; SameSite=Strict, Content-Security-Policy: default-src 'none';, WWW-Authenticate: Basic realm=\"ownCloud\", charset=\"UTF-8\", Content-Length: 412, Keep-Alive: timeout=5, max=98, Connection: Keep-Alive, Content-Type: application/xml; charset=utf-8, } Data: [<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<d:error xmlns:d=\"DAV:\" xmlns:s=\"http://sabredav.org/ns\">\n <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n <s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured</s:message>\n</d:error>\n]"
24-06-26 17:15:13:621 [ info sync.networkjob.determineauthtype2 ]: Auth type for QUrl("https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/remote.php/webdav/") is OCC::DetermineAuthTypeJob::AuthType::Basic
24-06-26 17:15:13:627 [ debug gui.setupwizard.controller ] [ OCC::Wizard::SetupWizardController::changeStateTo ]: Current wizard state: OCC::Wizard::SetupWizardState::CredentialsState
24-06-26 17:15:19:334 [ debug gui.setupwizard.controller ] [ OCC::Wizard::SetupWizardController::SetupWizardController(OCC::SettingsDialog*)::<lambda ]: next button clicked, current state OCC::Wizard::BasicCredentialsSetupWizardState(0x26469d0)
24-06-26 17:15:19:362 [ info sync.httplogger ]: "cb3333e3-61ed-4832-816f-a5c0df450b55: Request: GET https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/ocs/v2.php/cloud/user?format=json Header: { Authorization: Basic [redacted], OCS-APIREQUEST: true, User-Agent: Mozilla/5.0 (Linux) mirall/5.3.1.14019 (testpilotcloud, linuxmint-5.4.0-177-generic ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_US, X-Request-ID: cb3333e3-61ed-4832-816f-a5c0df450b55, Original-Request-ID: cb3333e3-61ed-4832-816f-a5c0df450b55, Cookie: oct9gfiu0zch=eletXXXXXXXXXXXXXXXXXXXXvo; oc_sessionPassphrase=CzXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxyANur8pN7cGbevGRs, } Data: []"
24-06-26 17:15:19:410 [ info sync.httplogger ]: "cb3333e3-61ed-4832-816f-a5c0df450b55: Response: GET 401 (Error: Host requires authentication,47ms) https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/ocs/v2.php/cloud/user?format=json Header: { Date: Wed, 26 Jun 2024 15:15:19 GMT, Server: Apache/2.4.41 (Ubuntu), Strict-Transport-Security: max-age=15552000; includeSubDomains, X-Content-Type-Options: nosniff, X-XSS-Protection: 0, X-Robots-Tag: none, X-Frame-Options: SAMEORIGIN, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-cache, no-store, must-revalidate, Pragma: no-cache, Set-Cookie: oc_sessionPassphrase=CzXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxyANur8pN7cGbevGRs; expires=Wed, 26-Jun-2024 15:35:19 GMT; Max-Age=1200; path=/; secure; HttpOnly; SameSite=Strict, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', Content-Length: 123, Keep-Alive: timeout=5, max=100, Connection: Keep-Alive, Content-Type: application/json; charset=utf-8, } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":997,\"message\":\"Unauthorised\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}]"
Expected behaviour:
- User can understand that password login is banned and that he needs to create an appToken
- A better Error message could be: "Client password authentication is disabled. Please use an app token"
- Even a less telling error message would be better in this context: "Login failed". (It does not give misleading clues that make a user keep typing in the same password again and again, or assume somebody changed their password on the server.)
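As an added illustration (not code from the issue or from ownCloud), a small triage script over constructed lines in the desktop client's sync.httplogger format: it pairs requests with responses by request id and shows why the reporter's situation is confusing. The server still advertises `WWW-Authenticate: Basic` on the unauthenticated PROPFIND, so the client asks for a password, and the later 401 with OCS statuscode 997 on the Basic-authenticated call looks exactly like a wrong password. Hostnames, request ids and header sets below are placeholders.

```python
import json
import re

# Constructed sample modelled on the client's sync.httplogger lines quoted in the issue;
# host, request ids and header sets are placeholders, not the reporter's values.
SAMPLE_LOG = r'''
24-06-26 17:15:13:599 [ info sync.httplogger ]: "a3c5097d-0000-4000-8000-000000000001: Request: PROPFIND https://oc.example.invalid/remote.php/webdav/ Header: { User-Agent: mirall/5.3.1, Accept: */*, } Data: []"
24-06-26 17:15:13:621 [ info sync.httplogger ]: "a3c5097d-0000-4000-8000-000000000001: Response: PROPFIND 401 (Error: Host requires authentication,21ms) https://oc.example.invalid/remote.php/webdav/ Header: { WWW-Authenticate: Basic realm=\"ownCloud\", charset=\"UTF-8\", Content-Type: application/xml; charset=utf-8, } Data: [<d:error/>]"
24-06-26 17:15:19:362 [ info sync.httplogger ]: "cb3333e3-0000-4000-8000-000000000002: Request: GET https://oc.example.invalid/ocs/v2.php/cloud/user?format=json Header: { Authorization: Basic [redacted], OCS-APIREQUEST: true, } Data: []"
24-06-26 17:15:19:410 [ info sync.httplogger ]: "cb3333e3-0000-4000-8000-000000000002: Response: GET 401 (Error: Host requires authentication,47ms) https://oc.example.invalid/ocs/v2.php/cloud/user?format=json Header: { Content-Type: application/json; charset=utf-8, } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":997,\"message\":\"Unauthorised\"},\"data\":[]}}]"
'''

LINE_RE = re.compile(
    r'\[ info sync\.httplogger \]: "(?P<rid>[0-9a-f-]+): (?P<kind>Request|Response): '
    r'(?P<method>[A-Z]+) (?:(?P<status>\d{3}) \([^)]*\) )?(?P<url>\S+) '
    r'Header: \{ (?P<headers>.*?) \} Data: \[(?P<data>.*)\]"$'
)

def parse_exchanges(log_text):
    """Group Request/Response lines by their shared request id."""
    exchanges = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            exchanges.setdefault(m["rid"], {})[m["kind"].lower()] = m.groupdict()
    return exchanges

def ocs_statuscode(data):
    """Return ocs.meta.statuscode from a logged (backslash-escaped) JSON body, else None."""
    try:
        return json.loads(data.replace('\\"', '"'))["ocs"]["meta"]["statuscode"]
    except (ValueError, KeyError, TypeError):
        return None

def triage(log_text):
    """Label each 401 so an operator sees the ambiguity the client's error text hides."""
    findings = []
    for rid, ex in parse_exchanges(log_text).items():
        req, resp = ex.get("request"), ex.get("response")
        if not req or not resp or resp["status"] != "401":
            continue
        sent_basic = "Authorization: Basic" in req["headers"]
        offered_basic = "WWW-Authenticate: Basic" in resp["headers"]
        if not sent_basic and offered_basic:
            verdict = "challenge: server still advertises Basic, so the client will ask for a password"
        elif sent_basic and ocs_statuscode(resp["data"]) == 997:
            verdict = ("credentials rejected (OCS 997): with token_auth_enforced a correct password "
                       "fails like a wrong one; try an app token before assuming a password problem")
        else:
            verdict = "401 of unknown cause"
        findings.append({"rid": rid, "method": req["method"], "url": req["url"], "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['method']} {f['url']}: {f['verdict']}")
```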
Hmm if OAuth is enabled you should not get to that screen. You only get to that screen with basic auth disabled if the system is misconfigured.
24-06-26 17:15:13:621 [ info sync.networkjob.determineauthtype2 ]: Auth type for QUrl("https://ocXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.owncloud.works/remote.php/webdav/") is OCC::DetermineAuthTypeJob::AuthType::Basic
Correct. oauth is disabled.
So you are talking about a 100% theoretical and unsupported scenario?
Same when a user gets disabled via e.g. `occ user:disable bob`
basic auth is unsupported? I still do most QA with basic auth.... :scream:
Why would you get invalid credentials reported if the server and your credentials are correctly setup?
That is the question that I want to address with this ticket. In my understanding, the correct error message should be: "Client password authentication is disabled."
For extra confusion, the server UI and docs mix up: app token, token, auth token, app password, app passcode. It is all the same.
The client seems to display the error message it directly got from the server. Moving this ticket to core.
What should happen is documented here: https://doc.owncloud.com/server/next/admin_manual/configuration/server/config_sample_php_parameters.html#enforce-token-only-authentication-for-apps-and-clients-connecting-to-owncloud
Error messages are not nice - agreed. Changing them would be effort which we are not able to invest at the moment.
Voting for won't fix