[Bug]: Can't login except on web interface Password is expired, please use forgot password method to reset it

[ghost]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

It's impossible to login on Nextcloud except from the web interface.

Steps to reproduce

1. Install some official client (Desktop, Android, iOS...)
2. Follow the login process with success
3. Get the following error

Expected behavior

People should be able to use the Nextcloud official clients, not only the web interface. Especially when their credentials are valid and not expired. The error message should also be more informative.

Installation method

Community Manual installation with Archive

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 22.1 to 22.2)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

$ php8.2 --define apc.enable_cli=1 occ config:list system
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "dbtype": "pgsql",
        "version": "27.1.3.2",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "5432",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpport": "465",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "maintenance": false,
        "updater.release.channel": "stable",
        "theme": "",
        "loglevel": 2,
        "enable_previews": false,
        "default_phone_region": "FR",
        "mail_smtpauthtype": "LOGIN"
    }
}

List of activated Apps

$ php8.2 --define apc.enable_cli=1 occ app:list
Enabled:
  - activity: 2.19.0
  - bruteforcesettings: 2.7.0
  - calendar: 4.5.2
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contactsinteraction: 1.8.0
  - dav: 1.27.0
  - deck: 1.11.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - forms: 3.3.1
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - related_resources: 1.2.0
  - richdocuments: 8.2.2
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - suspicious_login: 5.0.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_migration: 4.0.1
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - admin_audit: 1.17.0
  - dashboard: 7.7.0 (installed 7.0.0)
  - encryption: 2.15.0
  - files_external: 1.19.0
  - photos: 2.3.0 (installed 1.0.0)
  - recommendations: 1.6.0 (installed 0.5.0)
  - serverinfo: 1.17.0 (installed 1.16.0)
  - support: 1.10.0 (installed 1.0.0)
  - survey_client: 1.15.0 (installed 1.4.0)
  - twofactor_totp: 9.0.0
  - user_ldap: 1.17.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"HBlMrQUT9ogeEweWeG7i","level":3,"time":"2023-11-07T08:56:43+00:00","remoteAddr":"REDACTED","user":"--","app":"webdav","method":"PROPFIND","url":"/remote.php/dav/files/REDACTED/","message":"OC\\User\\LoginException: The password has expired, please use the lost password function to reset it","userAgent":"Mozilla/5.0 (Windows) mirall/3.4.2stable-Win64 (build 20220127) (Nextcloud, windows-10.0.22621 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"27.1.3.2","exception":{"Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Message":"OC\\User\\LoginException: The password has expired, please use the lost password function to reset it","Code":0,"Trace":[{"file":"/home/REDACTED/REDACTED/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":179,"function":"check","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":135,"function":"check","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/apps/dav/lib/Server.php","line":365,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/home/REDACTED/REDACTED/nextcloud/remote.php","line":172,"args":["/home/REDACTED/REDACTED/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/home/REDACTED/REDACTED/nextcloud/apps/dav/lib/Connector/Sabre/Auth.php","Line":146,"message":"OC\\User\\LoginException: The password has expired, please use the lost password function to reset it","exception":{},"CustomMessage":"OC\\User\\LoginException: The password has expired, please use the lost password function to reset it"}}

Additional info

Everything was working since Nextcloud 21, doing upgrades carefully and updating the Nginx example configuration file each time. I'm not sure if it's a desktop (nextcloud/desktop#6204) or a server bug in the end...

$ sudo nginx -v
nginx version: nginx/1.25.3

$ sudo php8.2 -v
PHP 8.2.12 (cli) (built: Oct 27 2023 13:01:32) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.12, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.12, Copyright (c), by Zend Technologies

$ dpkg -l | grep postgresql
rc  postgresql-14                  14.7-1.pgdg110+1                                   amd64        The World's Most Advanced Open Source Relational Database
ii  postgresql-15                  15.4-2.pgdg110+1                                   amd64        The World's Most Advanced Open Source Relational Database
ii  postgresql-client-15           15.4-2.pgdg110+1                                   amd64        front-end programs for PostgreSQL 15

[joshtrichards]

This is coming from the password_policy app but it's barely changed lately (managed via Admin settings->Security):

password_policy/lib/Compliance/Expiration.php

Line 92 in 8e31a74

$message = 'Password is expired, please use forgot password method to reset';

For completeness can you provide the output of:

occ config:list password_policy

(Or equivalent)

It's notable it is only impacting your client app connections and not web.

Everything was working since Nextcloud 21

What version of NC, specifically, were you using immediately before this behavior started / before this most recent upgrade?

[ghost]

Hello,

Thank you very much for your answer. Please find my responses below:

For completeness can you provide the output of:

occ config:list password_policy

(Or equivalent)

$ php8.2 --define apc.enable_cli=1 occ config:list password_policy
{
    "apps": {
        "password_policy": {
            "enabled": "yes",
            "types": "authentication",
            "enforceUpperLowerCase": "1",
            "enforceSpecialCharacters": "1",
            "historySize": "10",
            "enforceNumericCharacters": "1",
            "minLength": "8",
            "installed_version": "1.17.0",
            "expiration": "365"
        }
    }
}

It's notable it is only impacting your client app connections and not web.

I'm sorry, I'm not sure I understand what you mean by that. Is it the expected behaviour that client application connections are causing issues but not the web?

Everything was working since Nextcloud 21

What version of NC, specifically, were you using immediately before this behavior started / before this most recent upgrade?

We were using v27.1.2.1.

Thanks again!

[joshtrichards]

        "expiration": "365"

Are you sure the password isn't just expired?

Are there many users on this server? Can you provide the output of ./occ user:setting <username> password_policy for one of your users?

Redact anything you consider confidential.

I'm not sure I understand what you mean by that. Is it the expected behaviour that client application connections are causing issues but not the web?

Not expected. A clue maybe.

[ghost]

Hello!

Are you sure the password isn't just expired?

Why would it have expired if all accounts are still able to login to the web interface?

Are there many users on this server? Can you provide the output of ./occ user:setting <username> password_policy for one of your users?

There are a little over 100 users on the server, none can connect with a client which isn't the web interface.

See the output of the command below:

$ php8.2 --define apc.enable_cli=1 occ user:setting REDACTED password_policy
  - password_policy:
    - failedLoginAttempts: 0
    - pwd_last_updated: 1667198578
  - settings:
    - display_name: REDACTED

Considering the UNIX timestamp value printed here, the password seemed to indeed have expired on Mon Oct 31 2022 07:42:58 GMT+0100 (Central European Standard Time). However, that doesn't explain why everyone is still able to login on the web interface. Looks like a bug?

I'm not sure I understand what you mean by that. Is it the expected behaviour that client application connections are causing issues but not the web?

Not expected. A clue maybe.

Okay, thanks again for your help!

[joshtrichards]

However, that doesn't explain why everyone is still able to login on the web interface. Looks like a bug?

Might be a bug indeed. And the timing may just be a coincidence - may have nothing to do with v27.1.2->v27.1.3.

My best guess is a difference between:

• Logins via Cookie
• Session renewal
• Something with app passwords

We'll have to look closer.

[ghost]

For your information it's still happening. The "Forgot my password" to rotate the password works as expected but this still looks like a serious security issue if you can still login in the web UI while your password has expired.

[joshtrichards]

Did you mean to close your report? I reopened it since it seems like something that still needs to be addressed.

[susnux]

However, that doesn't explain why everyone is still able to login on the web interface.

Are you trying to log in via E-Mail instead of username? Than this could be related to #528