[BUG]: Repeated "API Session Token expired" modal when attempting to view Passwords app #705
Comments
I can currently not reproduce this at all. It reminds me of an issue we had earlier last year. Can you ensure that there is no app-related JavaScript etc. cached anywhere in your browser or the server?
I have the same issue since upgrading to 30.0.6 (30.0.5 was OK, wish I could downgrade)... It occurs on several browsers (Firefox, Chrome, Opera), and also the Firefox plugin. After googling the issue, I came across this one, dunno if it's related: nextcloud/server#50619
Thank you very much for your response, @marius-wieschollek! I don't have any cache getting in the way, and can reproduce this issue after clicking the "Clear cookies and site data..." option under the "lock" in the URL bar in Firefox. @adrienjacob, wow, I'm very thankful that I'm not alone! I hope that we figure this one out. Being locked out of your passwords is not fun. I should also add that I use the Passwords app here, and the app itself said something about credentials not being valid (I don't fully remember; it appeared and went away), then it also logged out client-side.
I wonder if this is somehow related? nextcloud/server#50917
It appears that the only place the "CORS requires basic auth" error message comes from is in:

```php
/**
 * This is being run in normal order before the controller is being
 * called which allows several modifications and checks
 *
 * @param Controller $controller the controller that is being called
 * @param string $methodName the name of the method that will be called on
 *                           the controller
 * @throws SecurityException
 * @since 6.0.0
 */
public function beforeController($controller, $methodName) {
    $reflectionMethod = new ReflectionMethod($controller, $methodName);

    // ensure that @CORS annotated API routes are not used in conjunction
    // with session authentication since this enables CSRF attack vectors
    if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class) &&
        (!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) {
        $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
        $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;

        // Allow to use the current session if a CSRF token is provided
        if ($this->request->passesCSRFCheck()) {
            return;
        }

        // Skip CORS check for requests with AppAPI auth.
        if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {
            return;
        }

        $this->session->logout();
        try {
            if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
                throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
            }
        } catch (PasswordLoginForbiddenException $ex) {
            throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
        }
    }
}
```

What I find kind of weird is how CORS detection is being triggered. I'm running Passwords on my Nextcloud instance in the typical way, and there should not be any CORS requests being made.
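To make the branch order of that middleware concrete, here is a small model of the same decision tree (an added example for this thread, written in Python; it is not Nextcloud's code, and the `Request` fields and `check_login` callback are hypothetical stand-ins for the server variables, session state and `logClientIn`). It shows that a call to a `@CORS` route carrying only a session cookie, with no valid CSRF token and no basic-auth header, is exactly the shape that yields the 401 `CORS requires basic auth`, and that the session is logged out before basic auth is even attempted.

```python
# Model of the request gating in Nextcloud's CORSMiddleware::beforeController() as
# quoted above. Constructed for this thread, not Nextcloud code; names are hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    cors_route: bool                  # controller method carries @CORS
    public_page: bool = False         # controller method carries @PublicPage
    session_logged_in: bool = False   # session cookie resolves to a logged-in user
    csrf_token_valid: bool = False    # request carries a valid requesttoken
    app_api_session: bool = False     # session has 'app_api' === true
    basic_user: Optional[str] = None  # PHP_AUTH_USER
    basic_pass: Optional[str] = None  # PHP_AUTH_PW

@dataclass
class Decision:
    auth_source: str          # 'not_cors', 'session', 'app_api' or 'basic'
    session_logged_out: bool  # True when the middleware discarded the session

class SecurityException(Exception):
    def __init__(self, message: str, status: int) -> None:
        super().__init__(message)
        self.status = status

def before_controller(req: Request, check_login: Callable[[str, str], bool]) -> Decision:
    """Same branch order as the PHP: a @CORS route may ride on the session only with a CSRF token."""
    cors_guarded = req.cors_route and (not req.public_page or req.session_logged_in)
    if not cors_guarded:
        return Decision("not_cors", False)
    if req.csrf_token_valid:      # web UI call with requesttoken: keep the session
        return Decision("session", False)
    if req.app_api_session:       # AppAPI traffic is exempt from the check
        return Decision("app_api", False)
    # The session is logged out *before* basic auth is attempted, so a client that
    # arrived with only a cookie is logged out whether or not the 401 follows.
    if (req.basic_user is None or req.basic_pass is None
            or not check_login(req.basic_user, req.basic_pass)):
        raise SecurityException("CORS requires basic auth", 401)
    return Decision("basic", True)

def outcome(req: Request, check_login=lambda u, p: p == "correct-app-password") -> str:
    """Reduce one request to the auth source used, or to the status and message."""
    try:
        return before_controller(req, check_login).auth_source
    except SecurityException as ex:
        return f"{ex.status} {ex}"
```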
Unfortunately, I am also affected by this bug. However, I run several installations, but only have this error with one hoster on shared webspace: IONOS. Two independent installations are affected here. I have not yet been able to find out what is different with this hoster compared to the others.
Debug information:
Error log:
Indeed, I happen to be on Ionos too... this may be the culprit.
Interesting detail. What I also tested: However, synthead's configuration does not look as if he is also an IONOS customer (as he uses PostgreSQL). Not to forget that the bug did not exist with 30.0.5, a strange behavior…
@SkyBlueHH @adrienjacob, thank you for sharing! I don't use IONOS; I run Nextcloud and the Passwords app on Arch Linux, host it with uWSGI, and proxy it with Nginx. I use PostgreSQL as the database. As mentioned before, I have been running the same deployment for years without issues, and a recent upgrade seemed to trigger this bug. I am curious how IONOS runs their hosted Nextcloud instances. This guide seems to hint that they favor Nginx and Nextcloud in Docker containers:
Just sent this email to [email protected]!
I got this response:
Hi synthead, what did you expect when you wrote a support request as a non-customer? However, customer support is rarely very helpful there, especially as the error seems to be very specific.
Server Information
Client Information
Browser and Version: Firefox 135.0
Client OS and Version: Arch Linux (rolling release, no version)
Bug description
After upgrading Nextcloud 30.0.5 to 30.0.6, I am not able to use the Passwords app. I am seeing this modal in the browser:
When the "X" is clicked, the error is revealed under the modal for a second before the browser refreshes:
When the refresh occurs, the modal in the first screenshot is displayed, and it continues in an interactive, infinite loop.
In the network inspector, I can observe that this request:
...returns 401 with the body:
In addition, in `nextcloud.log`, when loading the Passwords app, I am able to observe this entry:
I should mention that Nextcloud and the Passwords app have been working fine for years. This problem seems to have been triggered after the update to Nextcloud 30.0.6.
Steps to reproduce
There's probably something I'm missing, but I am reproducing this via:
Expected behavior
Nextcloud Logs
Browser Logs