LoginProcess doesn't work with a password of length greater than 1183 characters in length

[akhil1508]

Describe the bug

• I'm working on the OIDC login implementation for snappymail along with changes to https://github.com/pulsejet/nextcloud-oidc-login also

• I hope to get PRs accepted soon at both places and make this work correctly so people can use SSO with this amazing webmail and nextcloud :)

• Now problem is that an access token from SSO service(keycloak in my case) is 1630 or so characters long

• When I pass it to LoginProcess using uncommented code from https://github.com/the-djmaze/snappymail/blob/cc360837b1df0382065ed78e2fb10335def2161c/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php#L151

  • I see an error in logs like:

    ...
    [2024-04-29 20:11:35.142][544d0f0c] PLUGIN[INFO]: Hook: imap.before-login
    [2024-04-29 20:11:35.143][544d0f0c] IMAP[INFO]: > TAG2 CAPABILITY\r\n
    [2024-04-29 20:11:35.143][544d0f0c] IMAP[INFO]: < * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=OAUTHBEARER\r\n
    [2024-04-29 20:11:35.143][544d0f0c] IMAP[INFO]: < TAG2 OK Pre-login capabilities listed, post-login capabilities have more.\r\n
    [2024-04-29 20:11:35.145][544d0f0c] IMAP[INFO]: > TAG3 AUTHENTICATE OAUTHBEARER\r\n
    [2024-04-29 20:11:35.146][544d0f0c] IMAP[INFO]: < + \r\n
    [2024-04-29 20:11:35.147][544d0f0c] IMAP[INFO]: > *******\r\n
    [2024-04-29 20:11:35.180][544d0f0c] IMAP[INFO]: < TAG3 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE COMPRESS=DEFLATE QUOTA] Logged in\r\n
    [2024-04-29 20:11:35.181][544d0f0c] TOKENS[DEBUG]: New SESSION_TOKEN
    [2024-04-29 20:11:35.181][544d0f0c] COOKIE[DEBUG]: set smsession
    [2024-04-29 20:11:35.181][544d0f0c] COOKIE[DEBUG]: set smctoken
    [2024-04-29 20:11:35.182][544d0f0c] COOKIE[DEBUG]: set smaccount
    [2024-04-29 20:11:35.182][544d0f0c] COOKIE[DEBUG]: set smremember
    [2024-04-29 20:11:35.183][544d0f0c] PLUGIN[INFO]: Hook: filter.language
    [2024-04-29 20:11:35.192][544d0f0c] [INFO]: Caught SIGCHLD
    [2024-04-29 20:11:35.227][544d0f0c] [INFO]: Memory peak usage: 8MB
    [2024-04-29 20:11:35.227][544d0f0c] [INFO]: Time delta: 0.20614504814148
    [2024-04-29 20:11:35.227][544d0f0c] IMAP[INFO]: > TAG4 LOGOUT\r\n
    [2024-04-29 20:11:35.230][544d0f0c] IMAP[INFO]: < * BYE Logging out\r\n
    [2024-04-29 20:11:35.230][544d0f0c] IMAP[INFO]: < TAG4 OK Logout completed (0.001 + 0.000 secs).\r\n
    [2024-04-29 20:11:35.231][544d0f0c] IMAP[INFO]: Disconnected from "[REDACTED]" (success)
    ...

• Along with a 502 bad gateway on screen

• Now if I pass 1234 as the hard-coded string password, I can get it to work by adding access token via the imap.before-login filter as in https://github.com/the-djmaze/snappymail/blob/4b63adb0d56080fd51c1006faa23fa0efc8d91c7/plugins/nextcloud/index.php#L99

  • Login works this way and I am able to see my emails and send emails too
  • However, this is a hacky approach that I'd like to avoid -After some trial and error by generating random strings I found out that the string length that is allowed for the password in LoginProcess is 1183 characters
  • I generated random strings using bin2hex(random_bytes($len)); to get a string of size 2*$len

• I am completely out of my depth here in terms of why there is a SIGCHLD and would appreciate some help so I can progress on and complete development of this feature :) @the-djmaze

[the-djmaze]

SIGCHLD is an async report handler, although it seems to happen after PLUGIN[INFO]: Hook: filter.language this could be not true. So it would be hard to find where the SIGCHLD is coming from.

I made a small change to also write the siginfo_t structure to the log, it might help.

[akhil1508]

@the-djmaze thanks, i will retest after your change and check logs. But yes, it's not a filter.language issue, I did comment that out to rule out.

I shall also check with PLAIN login whether the issue is about string length entirely, that should confirm it.

[akhil1508]

• Update: The SIGCHLD is unrelated; it happens on both succesful and unsuccessful logins
• I am still unable to fully figure out why the length of the password string in LoginProcess matters but it seems to me like an issue with nextcloud integration in PageController and not really a core snappymail issue as the login process code concludes successfully as tested by logging

@the-djmaze My plan is to just proceed with $pwd = new SensitiveString(''); and LoginProcess($username, $pwd); and then overwrite the passphrase with the access token from session in imap.before-login, smtp.before-login and sieve.before-login filters. Is there any issue you see with this or is it safe to do so?

[the-djmaze]

It's fine to do so. I use the same with GMail OAuth2 https://github.com/the-djmaze/snappymail/blob/master/plugins/login-gmail/index.php