Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clear pending two factor tokens also from configuration #48933

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

danxuliu
Copy link
Member

Clearing pending two factor tokens removed them from the database, but not from the configuration. Due to that, if the password was reset again, the pending tokens were got again from the configuration and tried to be cleared again from the database, which caused an exception to be thrown.

The fix is split in two commits. The first one removes the token from the configuration as well as from the database, and the second commits handles the exception thrown if a token was already removed from the database but not from the configuration, as it could be the case on an existing instance.

Note that invalidateTokenById does not declare any exception to be thrown, and the DoesNotExistException comes from the PublicKeyTokenMapper. Therefore rather than catching the exception in clearTwoFactorPending it might be better to catch it in invalidateTokenById (or to transform it into another exception, as right now a database exception is being exposed to the upper layers). However I am not familiar at all with this code and any possible side effect of doing that, so I just went the safe route (specially given that this should be backported) and caught it in clearTwoFactorPending.

How to test:

  • Install and enable twofactor_nextcloud_notification (any two factor authentication app would be probably enough, but this is a convenient one)
  • Log errors when reseting the password adding the following to LostController::setException:
$this->logger->error('Password could not be reset', ['app' => 'core', 'exception' => $e]);
  • In a private window, log in as a user
  • Open the settings
  • Set an e-mail address
  • Open security section
  • Enable two factor authentication with notifications
  • Log out
  • Log in again
  • When the two factor authentication challenge appears, close the private window
  • Open a private window again
  • Open Nextcloud login page
  • Request a lost password
  • Open the link sent by e-mail
  • Set the new password
  • Instead of login, open Nextcloud login page again
  • Request a lost password
  • Open the link sent by e-mail
  • Set the new password

Result with this pull request:

The password is reset and the login page is shown again

Result without this pull request:

token does not exist is shown below the request password form. However, if the login page is open and the new password is used it works. In the logs it can be seen that the exception was thrown by PublicKeyTokenMapper::getTokenById, which was called by TwoFactorAuth\Manager::clearTwoFactorPending, so at that point the password was already changed.

Otherwise as the tokens were removed from the database but not from the
configuration the next time that the tokens were cleared the previous
tokens were still got from the configuration, and trying to remove them
again from the database ended in a DoesNotExistException being thrown.

Signed-off-by: Daniel Calviño Sánchez <[email protected]>
If a token was already removed from the database but not from the
configuration clearing the tokens will try to remove it again from the
database, which caused a DoesNotExistException to be thrown.

Signed-off-by: Daniel Calviño Sánchez <[email protected]>
@danxuliu
Copy link
Member Author

/backport to stable30

@danxuliu
Copy link
Member Author

/backport to stable29

@danxuliu
Copy link
Member Author

/backport to stable28

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant