Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

checkToken verification fails when IMAP is used as backend. #70

Open
ediazcomellas opened this issue Apr 25, 2019 · 8 comments
Open

checkToken verification fails when IMAP is used as backend. #70

ediazcomellas opened this issue Apr 25, 2019 · 8 comments
Labels
0. Needs triage bug Something isn't working

Comments

@ediazcomellas
Copy link

Steps to reproduce

  1. Configure IMAP backend for authentication, with SSL

Expected behaviour

User should be able to maintain the session open more than 5 minutes

Actual behaviour

Sessions are closed after 5 minutes

Affected Authentication backend

IMAP (at least)

Server configuration

0.6.1
Ubuntu 18.04
Apache
Mariadb
7.0.33
Nextcloud 15.0.7
Updated from previous version

@ediazcomellas ediazcomellas added 0. Needs triage bug Something isn't working labels Apr 25, 2019
@ediazcomellas
Copy link
Author

I previously updated a core issue:

https://github.com/nextcloud/server/issues/11120

I will reproduce the key findings here:

So after several sessions of debug, we found lib/private/User/Session.php, line 680: function checkToken:

680 private function checkTokenCredentials(IToken $dbToken, $token) {
681 // Check whether login credentials are still valid and the user was not disabled
682 // This check is performed each 5 minutes
683 $lastCheck = $dbToken->getLastCheck() ? : 0;
684 $now = $this->timeFactory->getTime();
685 if ($lastCheck > ($now - 60 * 5)) {
686 // Checked performed recently, nothing to do now
687 return true;
688 }
689
690 try {
691 $pwd = $this->tokenProvider->getPassword($dbToken, $token);
692 } catch (InvalidTokenException $ex) {
693 // An invalid token password was used -> log user out
694 return false;
695 } catch (PasswordlessTokenException $ex) {
696 // Token has no password
697
698 if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
699 $this->tokenProvider->invalidateToken($token);
700 return false;
701 }
702
703 $dbToken->setLastCheck($now);
704 return true;
705 }

Nextcloud is checking the password again after 5 minutes. Unfortunately, external_user must be missing something here, and the test always fails. As a result, the token is invalidated and the session must start again.

As a mitigation (in order to avoid user's rage) we have changed the time to 5000 minutes:

685 if ($lastCheck > ($now - 60 * 5000)) {

This is something we would rather don't do, as it opens the door to unsynced password problems.

@violoncelloCH
Copy link
Member

hmm, do you have the users only registered over user_external and not on an other user backend as well?

@ultreiac
Copy link

ultreiac commented May 3, 2019

Yes, we only use IMAP as backend, should we use more than one?

@violoncelloCH
Copy link
Member

violoncelloCH commented May 8, 2019

no you explicitly should not have more than one backend which authenticates the same username... this issue reminds me of #3 which is caused by the admin having multiple backends (nextclouds own and user_external IMAP) for the same usernames... that's why I'm asking...

@ChristophWurst do you have an idea what could be causing this?

@ediazcomellas
Copy link
Author

Then this issue is a real bug of user_external, and not a misconfiguration.

@violoncelloCH
Copy link
Member

@ediazcomellas considering that user_external only does the authentication itself and not the session management, it could also be an issue in the core of nextcloud...
anyway, as long as this is not reliably reproducible (seems still to depend on some other unknown factor(s), because it's still working for most users (inkluding me) with the IMAP backend) it's quite hard to discover what's going wrong...
If you have an idea how to fix it, you're more than welcome to provide a PR...

@Mannshoch

This comment has been minimized.

@Mannshoch

This comment has been minimized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
0. Needs triage bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants