Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(session): Do not update authtoken last_check for passwordless #44670

Merged
merged 1 commit into from
Apr 26, 2024
Merged

fix(session): Do not update authtoken last_check for passwordless #44670

merged 1 commit into from
Apr 26, 2024

Conversation

ChristophWurst
Copy link
Member

@ChristophWurst ChristophWurst commented Apr 5, 2024
edited
Loading

Summary

The column oc_authtoken.last_check is used to debounce the password checks of the login password encoded in app passwords. If instances have set auth.storeCryptedPassword to false, the password column stays NULL and there is no password check. In that case we keep the last_check column updated without any actual check performed. This is superfluous.

How to test

  1. Set auth.storeCryptedPassword => false, in config/config.php
  2. Open the user security settings and generate an app password
  3. Open the oc_authtoken table, find the last row and set last_check to 0
  4. Run curl -u "USER:APPPASSWORD" https://localhost/apps/files
  5. Look at the updated row in oc_authtoken

Master: last_check is set to the current timestamp. This indicates that there was an UPDATE query.
Here: last_check remains 0.

Note: in reality last_check will stay at the time of token creation. You can skip setting last_check to 0 but then you have to wait more than five minutes between creating and using the token.

Checklist

@ChristophWurst ChristophWurst added the 2. developing Work in progress label Apr 5, 2024
@ChristophWurst ChristophWurst self-assigned this Apr 5, 2024
@ChristophWurst ChristophWurst mentioned this pull request Apr 5, 2024
Open
2 tasks
@ChristophWurst ChristophWurst marked this pull request as ready for review April 8, 2024 08:19
@ChristophWurst
Copy link
Member Author

/backport to stable28

@ChristophWurst
Copy link
Member Author

/backport to stable27

@nickvergessen
Copy link
Member

Does this reintroduce #29678 ?

@ChristophWurst
Copy link
Member Author

Does this reintroduce #29678 ?

Good catch but I don't think so. The old issue was that we missed to updated last_check when we actually did check the password. Here we skip the update intentionally because no checks are performed.

For the path of password checks the token update is still in place:

server/lib/private/User/Session.php

Line 787 in cc42b2e

$this->tokenProvider->updateToken($dbToken);

The unit test added covers an assertion for the token update.

@susnux susnux added this to the Nextcloud 30 milestone Apr 18, 2024
@ChristophWurst
Copy link
Member Author

Does this reintroduce #29678 ?

Good catch but I don't think so.

Tested by setting the last_activity to 0 and the timestamp is updated. :shipit:

@ChristophWurst ChristophWurst force-pushed the fix/session/no-authtoken-password-no-check branch from cc42b2e to 21ee7f5 Compare April 26, 2024 14:05
@ChristophWurst ChristophWurst added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Apr 26, 2024
@ChristophWurst ChristophWurst merged commit acf8ea1 into master Apr 26, 2024
157 checks passed
@ChristophWurst ChristophWurst deleted the fix/session/no-authtoken-password-no-check branch April 26, 2024 15:13
This was referenced Apr 26, 2024
Merged
Merged
@kesselb
Copy link
Contributor

kesselb commented May 29, 2024

/backport to stable26

@backportbot backportbot bot mentioned this pull request May 29, 2024
Closed
2 tasks
@kesselb
Copy link
Contributor

kesselb commented May 31, 2024

/backport to stable29

@backportbot backportbot bot mentioned this pull request May 31, 2024
Merged
@blizzz blizzz mentioned this pull request Jul 24, 2024
Merged
@WeberSamuel WeberSamuel mentioned this pull request Jan 22, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Altahrim Altahrim Altahrim approved these changes

@juliusknorr juliusknorr juliusknorr approved these changes

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

Assignees

@ChristophWurst ChristophWurst

Labels
4. to release Ready to be released and/or waiting for tests to finish bug feature: authentication performance 🚀
Projects
💌 📅 👥 Groupware team
Archived in project
Milestone
Nextcloud 30
Development

Successfully merging this pull request may close these issues.
6 participants
@ChristophWurst @nickvergessen @kesselb @Altahrim @juliusknorr @susnux