the-djmaze / snappymail

Simple, modern & fast web-based email client
https://snappymail.eu
GNU Affero General Public License v3.0

Comprehensive Account Access Issues Post-Password Reset for Main and Additional Accounts #1551

Closed bv-voyager closed 2 months ago

bv-voyager commented 3 months ago

Describe the bug

After initiating a password reset via KeyCloak due to forgetting the old password, I encountered a persistent issue in SnappyMail where the system continuously prompts for the old login password to decrypt data. This occurs despite the fact that the password reset was initiated because the old password was forgotten. Attempts to remove and re-add the account in SnappyMail do not resolve the issue, as the system still requires the old password for decryption, effectively locking users out who cannot recall their old password. This problem extends to additional accounts within SnappyMail, where access is lost post-password reset, and the system's prompts for the old password block re-addition or access to these accounts.

To Reproduce

Steps to reproduce the behavior:

  1. Initiate a password reset due to forgetting the old password via KeyCloak.
  2. Reset the password following KeyCloak's provided procedure.
  3. Attempt to access encrypted data or functionalities that require decryption in SnappyMail (e.g., switching to an additional account).
  4. The system prompts for the old password to decrypt data, despite it being reset.
  5. Remove the account in an attempt to bypass the decryption request within SnappyMail.
  6. Try to re-add the account with the new password in SnappyMail.
  7. The system again asks for the old password for decryption, blocking the process.

Expected behavior

After a password reset via KeyCloak, SnappyMail should not request the old password for decrypting data, especially since the reset implies the old password is unknown. Users should be able to remove their old account and re-add their account with the new password without encountering decryption barriers related to the old password. An alternative mechanism should be in place for handling encrypted data when the old password is no longer known, ensuring seamless access to both main and additional accounts.

Screenshots

N/A

Debug/logging information

N/A

Additional context

This issue significantly impacts user experience, particularly for those who have legitimately forgotten their old password and have gone through the legitimate process of resetting it via KeyCloak. The challenge extends to additional accounts within SnappyMail, where the same decryption barriers post-password reset lead to access issues. Insights into whether specific configurations could mitigate this issue would be highly valuable. Any clarification on the ideal setup or adjustments needed to prevent such access issues would greatly help ensure a smooth user experience in NextCloud-integrated environments.

Somewhat related to https://github.com/the-djmaze/snappymail/issues/1543. Although I'm not deeply familiar with the internals, I'm willing to assist in testing or providing further information as needed.

the-djmaze commented 3 months ago

Your issue is a duplicate of #1543

I could have released the fix, but there's another login conflict between IMAP and SMTP that I'm trying to solve.