
User password change leads to logout of all other users #17166

Closed
jbrrrr opened this issue Sep 16, 2019 · 4 comments · Fixed by #17194
Labels
1. to develop Accepted and waiting to be taken care of bug

Comments


jbrrrr commented Sep 16, 2019

Steps to reproduce

  1. Open two private tabs in your browser
  2. Log into your nextcloud with two different users
  3. Change the password in the settings/security for user A
  4. User B is logged out, user A stays logged in. (Users C, D, etc. are logged out too)

Has been tested and reproduced on different NC instances (15.0.11, 16.0.4).

SQL query that may cause the problem:
DELETE FROM oc_authtoken WHERE (type = '0') AND (id <> '2') AND (version = 2)

Expected behaviour

All users stay logged in when one user changes his password.

Actual behaviour

When one user changes his password all other users lose their sessions and are logged out.

Server configuration detail

Operating system: Linux 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64

Webserver: Apache/2.4.29 (Ubuntu) (apache2handler)

Database: mysql 10.3.18

PHP version:

7.2.19-0ubuntu0.18.04.2
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 16.0.4 - 16.0.4.1

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: nextcloud

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.2.0
 - activity: 2.9.1
 - bruteforcesettings: 1.4.0
 - cloud_federation_api: 0.2.0
 - comments: 1.6.0
 - dav: 1.9.2
 - federatedfilesharing: 1.6.0
 - federation: 1.6.0
 - files: 1.11.0
 - files_pdfviewer: 1.5.0
 - files_rightclick: 0.13.0
 - files_sharing: 1.8.0
 - files_texteditor: 2.8.0
 - files_trashbin: 1.6.0
 - files_versions: 1.9.0
 - files_videoplayer: 1.5.0
 - firstrunwizard: 2.5.0
 - gallery: 18.3.0
 - issuetemplate: 0.5.0
 - logreader: 2.1.0
 - lookup_server_connector: 1.4.0
 - nextcloud_announcements: 1.5.0
 - oauth2: 1.4.2
 - password_policy: 1.6.0
 - privacy: 1.0.0
 - provisioning_api: 1.6.0
 - recommendations: 0.4.0
 - serverinfo: 1.6.0
 - sharebymail: 1.6.0
 - support: 1.0.0
 - survey_client: 1.4.0
 - systemtags: 1.6.0
 - theming: 1.7.0
 - twofactor_backupcodes: 1.5.0
 - updatenotification: 1.6.0
 - viewer: 1.1.0
 - workflowengine: 1.6.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - notifications
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "10.0.59.241"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "16.0.4.1",
    "overwrite.cli.url": "http:\/\/10.0.59.241\/nextcloud",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true
}

Are you using external storage, if yes which one: No

Are you using encryption:

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0

Operating system: macOS 10.14.6

@jbrrrr jbrrrr added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Sep 16, 2019

kesselb commented Sep 16, 2019

Another report here: #17035


kesselb commented Sep 16, 2019

I can confirm this issue.

$this->mapper->deleteTempToken($token);

After a password change all temporary tokens except the current one are deleted. Not sure why this pops up now, because the code has been there for a long time.

Index: lib/private/Authentication/Token/PublicKeyTokenMapper.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- lib/private/Authentication/Token/PublicKeyTokenMapper.php	(revision 9629015b4bef62898e38f34b5951407f941827cf)
+++ lib/private/Authentication/Token/PublicKeyTokenMapper.php	(date 1568667048882)
@@ -163,7 +163,8 @@
 		$qb = $this->db->getQueryBuilder();
 
 		$qb->delete('authtoken')
-			->where($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN)))
+			->where($qb->expr()->eq('uid', $qb->createNamedParameter($except->getUID())))
+			->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN)))
 			->andWhere($qb->expr()->neq('id', $qb->createNamedParameter($except->getId())))
 			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
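Review bot: the new `uid` predicate on `$except->getUID()` is the right scoping fix, but nothing in this hunk guards against the bug coming back; add a `PublicKeyTokenMapper` unit test that seeds temporary tokens for two users, calls `deleteTempToken()` with one user's token, and asserts the other user's rows survive. Two smaller points: the `uid` and `type` parameters are created without an explicit type while the `version` one passes `IQueryBuilder::PARAM_INT`, so make them consistent, and the method's docblock (if it has one) should now say the deletion is scoped to the owner of `$except`. The "IDEA additional info" / "Subsystem" / "<+>UTF-8" lines above the hunk are editor noise and can be dropped from the paste.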

Adding the uid to the query deletes the tokens only for the current user.

cc @rullzer 🤷‍♂️ 😕

@kesselb kesselb added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Sep 16, 2019
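To make the difference between the reporter's captured query and the patched, uid-scoped one concrete, here is an added example that replays both against a throw-away SQLite copy of `oc_authtoken`. This is not Nextcloud code and not part of the issue; the table layout is reduced to the columns the two queries touch, the three users and their tokens are constructed test data, and the constant `1` for app passwords is an assumption (the `0` for temporary tokens and the `2` for the token version are taken straight from the `DELETE` shown in the report).

```python
"""Added example (not Nextcloud code): replay the temp-token cleanup query
from this issue against a throw-away SQLite copy of oc_authtoken, first as
the unscoped DELETE the reporter captured, then as the uid-scoped one from
kesselb's patch, and compare which sessions survive."""
import sqlite3

# Values visible in the reporter's captured query: type 0 is
# IToken::TEMPORARY_TOKEN, version 2 is PublicKeyToken::VERSION.
# PERMANENT_TOKEN = 1 (app passwords) is an assumption, used only to show
# that non-temporary tokens are untouched by either query.
TEMPORARY_TOKEN = 0
PERMANENT_TOKEN = 1
TOKEN_VERSION = 2


def fresh_db() -> sqlite3.Connection:
    """Constructed fixture: a reduced oc_authtoken with three logged-in users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_authtoken ("
        " id INTEGER PRIMARY KEY, uid TEXT NOT NULL, name TEXT,"
        " type INTEGER NOT NULL, version INTEGER NOT NULL)"
    )
    rows = [
        (1, "alice", "Firefox session", TEMPORARY_TOKEN, TOKEN_VERSION),
        (2, "alice", "Firefox session (changing password here)", TEMPORARY_TOKEN, TOKEN_VERSION),
        (3, "alice", "Desktop client app password", PERMANENT_TOKEN, TOKEN_VERSION),
        (4, "bob", "Chrome session", TEMPORARY_TOKEN, TOKEN_VERSION),
        (5, "carol", "Safari session", TEMPORARY_TOKEN, TOKEN_VERSION),
        (6, "carol", "Mobile app password", PERMANENT_TOKEN, TOKEN_VERSION),
    ]
    conn.executemany("INSERT INTO oc_authtoken VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def delete_temp_tokens_unscoped(conn: sqlite3.Connection, except_id: int) -> int:
    """The query as captured in the report: every temporary v2 token except
    the caller's own is deleted, no matter which user owns it."""
    cur = conn.execute(
        "DELETE FROM oc_authtoken WHERE type = ? AND id <> ? AND version = ?",
        (TEMPORARY_TOKEN, except_id, TOKEN_VERSION),
    )
    return cur.rowcount


def delete_temp_tokens_scoped(conn: sqlite3.Connection, except_id: int, except_uid: str) -> int:
    """The query with the uid predicate the patch adds: only the other
    sessions of the user changing the password are invalidated."""
    cur = conn.execute(
        "DELETE FROM oc_authtoken WHERE uid = ? AND type = ? AND id <> ? AND version = ?",
        (except_uid, TEMPORARY_TOKEN, except_id, TOKEN_VERSION),
    )
    return cur.rowcount


def remaining_tokens(conn: sqlite3.Connection) -> dict:
    """Map each uid to the sorted ids of the tokens it still holds."""
    out: dict = {}
    for uid, tid in conn.execute("SELECT uid, id FROM oc_authtoken ORDER BY uid, id"):
        out.setdefault(uid, []).append(tid)
    return out


def simulate(scoped: bool) -> dict:
    """alice changes her password from the session with token id 2;
    return which tokens survive for every user."""
    conn = fresh_db()
    if scoped:
        delete_temp_tokens_scoped(conn, except_id=2, except_uid="alice")
    else:
        delete_temp_tokens_unscoped(conn, except_id=2)
    return remaining_tokens(conn)


if __name__ == "__main__":
    print("unscoped:", simulate(scoped=False))  # bob's only session is gone
    print("scoped:  ", simulate(scoped=True))   # bob and carol keep their sessions
```

With the unscoped query bob disappears from the table entirely and carol is left with only her app password, which is exactly the "all other users are logged out" symptom above; with the uid predicate only alice's other browser session (id 1) is removed. App passwords (type 1) survive in both cases because both queries filter on the temporary type.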

jbrrrr commented Sep 17, 2019

Many thanks to @kesselb for your fast response! That solves our problem which was really tricky to isolate and was a real pain in the ass... 🙏


Toasterson commented Sep 18, 2019

I can confirm that we have suffered from the same issue. Applying the patch fixed it for us as well.

Server configuration detail

Operating system: Linux 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Webserver: httpd.x86_64 2.4.6-90.el7.centos base

Database: mariadb-server.x86_64 1:5.5.64-1.el7 base

PHP version:
php-fpm.x86_64 7.1.32-1.el7.remi remi-php71
php-cli.x86_64 7.1.32-1.el7.remi remi-php71
Modules loaded: apcu, bz2, calendar, Core, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, libxml, mbstring, mcrypt, mysqli, mysqlnd, openssl, pcntl, pcre, PDO, pdo_mysql, pdo_sqlite, Phar, posix, readline, Reflection, session, shmop, SimpleXML, sockets, SPL, sqlite3, standard, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, Zend OPcache, zip, zlib, Zend OPcache

Nextcloud version: 16.0.3

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: nextcloud

Are you using external storage, if yes which one: No

Are you using encryption: No

Are you using an external user-backend, if yes which one: No
