Skip to content

Comments

Fix session token creation "remember" parameter#51

Merged
julien-nc merged 1 commit intomasterfrom
fix/noid/slave-login-remember-session-token
Nov 29, 2021
Merged

Fix session token creation "remember" parameter#51
julien-nc merged 1 commit intomasterfrom
fix/noid/slave-login-remember-session-token

Conversation

@julien-nc
Copy link
Member

@julien-nc julien-nc commented Nov 15, 2021

When the slave controller creates the session token on login, the remember parameter is set to IToken::DO_NOT_REMEMBER.

This has a visible negative side effect: It is impossible to create an app password (in the web UI) after having logged in via GSS because OC\User\Session because app_password is set in the session in this case.

https://github.com/nextcloud/server/blob/582234322a59e32fd0d220023a260b66a9b205f2/lib/private/User/Session.php#L850-L854

As it is expected to prevent app password creation when authenticated with an app password, I think it should be possible when logging in via GSS.

I don't know if this is an acceptable fix and if it has bad side effects but it solves the app password generation issue.

remember session token to avoid having it considered as an app_passwo…
54ef7c0 
…rd by the Session class

Signed-off-by: Julien Veyssier <[email protected]>
juliusknorr
juliusknorr approved these changes Nov 15, 2021
View reviewed changes
Copy link
Member

@juliusknorr juliusknorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense

@ChristophWurst
Copy link
Member

ChristophWurst commented Nov 15, 2021

https://github.com/nextcloud/server/blob/582234322a59e32fd0d220023a260b66a9b205f2/lib/private/User/Session.php#L850-L854

Maybe I'm confused. But we have two different flags for tokens. Temporary/permanent and remember-me. Temporary/permanent lets us distinguish between browser sessions (temporary token that expires) and app passwords (they don't expire). The remember/do-not-remember flag is only used for session tokens. We default to true (there used to be a checkbox on the login page).

So I'm wondering if nextcloud/server#24552 was possibly wrong. I think we should set the app_password session var when \OC\Authentication\Token\DefaultToken::getType equals \OC\Authentication\Token\IToken::PERMANENT_TOKEN 🤔

(there is no getType on IToken right now)

@juliusknorr
Copy link
Member

juliusknorr commented Nov 15, 2021

So I'm wondering if nextcloud/server#24552 was possibly wrong. I think we should set the app_password session var when \OC\Authentication\Token\DefaultToken::getType equals \OC\Authentication\Token\IToken::PERMANENT_TOKEN 🤔

(there is no getType on IToken right now)

Sounds right to only set the session value when using a permanent token. Tough I'd still think that using a remember me token might be expected behaviour (as with a regular login) also when logging in through the global site selector.

@julien-nc julien-nc mentioned this pull request Nov 16, 2021
Closed
@julien-nc
Copy link
Member Author

julien-nc commented Nov 16, 2021

@ChristophWurst Do you agree with @juliushaertl 's comment? I mean, does it still make sense to create a remember_me token when logging in via the GSS even if we fix Session::tryTokenLogin()?

Here is a PR for what you suggested: nextcloud/server#29729

@julien-nc julien-nc merged commit 40a64b5 into master Nov 29, 2021
@delete-merged-branch delete-merged-branch bot deleted the fix/noid/slave-login-remember-session-token branch November 29, 2021 10:25
mickenordin added a commit to SUNET/nextcloud-custom that referenced this pull request Dec 3, 2021
@mickenordin
This release will make it possible to:
84aa909 
* Create app passwords: [Ticket#9623982] nextcloud/globalsiteselector#51
* Create email templates using variables set in config.php:  https://github.com/SUNET/drive-email-template
* Add custom button on direct login page:  https://github.com/SUNET/loginpagebutton/
@juliusknorr
Copy link
Member

juliusknorr commented Jan 12, 2022

/backport to stable1

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Jan 12, 2022
Merged
@ChristophWurst ChristophWurst mentioned this pull request Apr 3, 2025
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@juliusknorr juliusknorr juliusknorr approved these changes

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl

@schiessle schiessle Awaiting requested review from schiessle

@blizzz blizzz Awaiting requested review from blizzz

Assignees

No one assigned

Labels

3. to review bug security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@julien-nc @ChristophWurst @juliusknorr