Item has no Password - Oauth user #4572

Open
hitenmandalia opened this issue Jan 24, 2025 · 18 comments

@hitenmandalia

I have just discovered what I think is quite a huge bug.

I have deployed TeamPass 3.1.3.10. This is a FRESH install (I have another copy of 3.1.3.10 running in production where this bug was discovered, so I have also deployed a fresh version to see if this bug was also present in a new install).

I have successfully configured OAuth with Azure. Issues are as below:

When logging in as an OAuth user, the account always remains in "Account in Construction"; however, I am able to use all functions of TeamPass without any problems, it seems.

Using the OAuth user, I am able to create items in TeamPass as expected.

However, a major issue I discovered: any OAuth user who is created AFTER the item has been created will always get an "Item has no password" error. This is not true for local users, who always seem to be able to retrieve the password with the same role.

Image

As a test, I did the following too:

- Created 2 OAuth user accounts in TeamPass. Both OAuth users given the same role.
  - Logged in using account 1 and created an item. (Account in construction always showing)
  - Logged in using account 2 (Account in construction) and ensured that the item was visible and the password was retrievable.
  - Deleted account 2 and then recreated account 2 using OAuth login.
    - Assigned the same role to account 2 using the admin account and then logged back in using account 2.
    - I can see the item using account 2; however, I cannot retrieve the password. Error says item has no password.
    - Logged back in using account 1 to ensure that the item still has a password.
    - Created a second new item using account 1. Logged in using account 2. Can see the item password for the new item but still see "item has no password" for item 1.
  - Created a new local TeamPass account with the same role as accounts 1 and 2.
  - Logged in using the local TeamPass account. Able to see passwords to both items as expected.

I created a local TeamPass user with the same role assigned to the OAuth user. The local user account is successfully created and doesn't show the Account in construction message. The local user is also able to see the password to the item that was created.

No errors or anything obvious show in logs or in the developer console of the browser that would point to anything.

Using Alpine Linux Docker container with AWS RDS MySQL 8.

@hitenmandalia hitenmandalia changed the title Item has not Password - Oauth user Item has no Password - Oauth user Jan 26, 2025
@gastonmurado

I am having the same problem: new users cannot see the items created earlier. I am on 3.1.2.146 with Docker, authenticating with Active Directory and with Google MFA.

If I create a new item everyone can see it, but I have lost access to most of my passwords; the items appear to me like this (even though I grant the highest permissions):

Image

I already tried restoring the DB and updated to the latest TeamPass version, and it is still the same.

@nilsteampassnet (Owner) commented Feb 9, 2025

Thank you @hitenmandalia for the details you provided here.
I could finally reproduce the issue.
Now time for investigation.

@nilsteampassnet (Owner)

Please update to 3.1.3.13.
This will solve the issue where a new oauth2 user has no access to existing passwords, just the ones created after being registered.

@hitenmandalia (Author)

Hi @nilsteampassnet,

Updated to 3.1.3.13, but no luck. Now I am not able to even see the items that were previously created. All folders show no items available.

But now it also seems to have broken OAuth user creation. As per my previous test, I created a new item and confirmed I was able to see it as myself and as another user. I then deleted one of the user accounts and tried to register again using OAuth. However, I am now just getting the following every time I try to register an OAuth account:

Image

Because of this, I am unable to test any further.

@nilsteampassnet (Owner)

> Now I am not able to even see the items that were previously created. All folders show no items available.

I don't see how this is possible; the change is only on the identification part.

I don't even understand the other issue encountered. The change consists only in typing variables, nothing in the logic.
So I'm more wondering about the configuration.
What PHP version do you use?

@nilsteampassnet (Owner)

I'm pretty sure it is related to server configuration.
I should not have used type conversion this way, because it can solve an issue on some configurations but reveal an issue on another one.
I need to change and improve this.

@hitenmandalia (Author) commented Feb 10, 2025

@nilsteampassnet I am using the latest docker image, richarvey/nginx-php-fpm, which is using nginx and PHP version 8.2.

Everything else about my install is standard. Built exactly as per the Dockerfile in the TeamPass repo.

I will try and do this on a fresh install tomorrow and update you with my findings.

If there is something you would like for me to do / test then let me know.

@nilsteampassnet (Owner)

Please wait until I provide a new fix.
Pretty sure the code can be optimized in order to permit better compliance with server configuration.

@nilsteampassnet (Owner)

@hitenmandalia
In order to validate my thinking, can you please make the following changes in file sources/identify.php

Find

```php
// User doesn't exist then return error
// Except if user creation from LDAP is enabled
if (DB::count() === 0 && ((bool) $enable_ad_user_auto_creation === false || (bool) $oauth2_enabled === false)) {
    throw new Exception(
        "error" 
    );
}
// We cannot create a user with LDAP if the OAuth2 login is ongoing
$oauth2LoginOngoing = isset($session->get('userOauth2Info')['oauth2LoginOngoing']) ? $session->get('userOauth2Info')['oauth2LoginOngoing'] : false;
$data['oauth2_login_ongoing'] = (bool) $oauth2LoginOngoing;
$data['ldap_user_to_be_created'] = (bool) $enable_ad_user_auto_creation === true && DB::count() === 0 && (bool) $oauth2LoginOngoing !== true ? true : false;
$data['oauth2_user_to_be_created'] = (bool) $oauth2_enabled === true && DB::count() === 0 && (bool) $oauth2LoginOngoing === true ? true : false;
```

Replace by

```php
// User doesn't exist then return error
// Except if user creation from LDAP is enabled
if (
    DB::count() === 0 &&
    (filter_var($enable_ad_user_auto_creation, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) !== true ||
     filter_var($oauth2_enabled, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) !== true)
) {
    throw new Exception(
        "error" 
    );
}
// We cannot create a user with LDAP if the OAuth2 login is ongoing
$oauth2LoginOngoing = isset($session->get('userOauth2Info')['oauth2LoginOngoing']) ? $session->get('userOauth2Info')['oauth2LoginOngoing'] : false;
$data['oauth2_login_ongoing'] = filter_var($oauth2LoginOngoing, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? false;
$data['ldap_user_to_be_created'] = (
    filter_var($enable_ad_user_auto_creation, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === true &&
    DB::count() === 0 &&
    filter_var($oauth2LoginOngoing, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) !== true
) ? true : false;
$data['oauth2_user_to_be_created'] = (
    filter_var($oauth2_enabled, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === true &&
    DB::count() === 0 &&
    filter_var($oauth2LoginOngoing, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === true
) ? true : false;
```

Then create a new oauth2 user.

@hitenmandalia (Author) commented Feb 11, 2025

Hi @nilsteampassnet,

Same issue, I'm afraid. Nothing in the logs either.

Image

Happy to do a screen share if that works for you?

@hitenmandalia (Author) commented Feb 11, 2025

Hi @nilsteampassnet,

As I had some time to spare, I did a new fresh install of TeamPass 3.1.3.13. Still the same issue with "Login Credentials do not correspond".

I tried it with the default identify.php and also with the changes you suggested here:

> @hitenmandalia In order to validate my thinking, can you please make the following changes in file sources/identify.php

However, still getting the same "Login Credentials do not Correspond". FYI nginx version 1.24.0 and PHP version 8.2.7.

@nilsteampassnet (Owner)

@hitenmandalia and with 3.1.3.12, is it ok?
I'm really totally lost here and don't understand anything.

@hitenmandalia (Author)

@nilsteampassnet I will try that out shortly and get back to you. I will do this with my fresh install.

@nilsteampassnet (Owner)

In file sources/identify.php,
can you replace

```php
return [
    'error' => false,
    'message' => '',
    'proceedIdentification' => true,
    'user_initial_creation_through_external_ad' => true,
    'id' => $newUserId,
];
```

by

```php
return [
    'error' => false,
    'message' => '',
    'proceedIdentification' => true,
    'user_initial_creation_through_external_ad' => true,
    'id' => $newUserId,
    'oauth2_login_ongoing' => true,
];
```

@hitenmandalia (Author)

So here are my findings.

Commit SHA 6680570 (on 8th Feb) only works when I make the changes as described in this issue: #4440. Once I add the (bool) as below, the user gets created.

```php
$data['oauth2_user_to_be_created'] = (bool)$oauth2_enabled === true && DB::count() === 0 && $oauth2LoginOngoing === true ? true : false;
```

Commit SHA 545597a does not work.

For the following, do you want me to attempt this for version 3.1.3.13? In the default identify.php, or with the modifications you had me do earlier?

> In file sources/identify.php, can you replace
>
> ```php
> return [
>     'error' => false,
>     'message' => '',
>     'proceedIdentification' => true,
>     'user_initial_creation_through_external_ad' => true,
>     'id' => $newUserId,
> ];
> ```
>
> by
>
> ```php
> return [
>     'error' => false,
>     'message' => '',
>     'proceedIdentification' => true,
>     'user_initial_creation_through_external_ad' => true,
>     'id' => $newUserId,
>     'oauth2_login_ongoing' => true,
> ];
> ```
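The thread turns on how a boolean setting such as `$oauth2_enabled` or `$enable_ad_user_auto_creation` is read: the maintainer's remark that type conversion "can solve an issue on some configuration but reveal issue on another one", the `(bool)` cast versus `filter_var(..., FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)` in the suggested identify.php change, and the finding above that a plain `=== true` check fails until `(bool)` is added. The script below is an added example, not TeamPass code and not the project's fix; it runs on PHP 8 (the thread reports 8.2) with no dependencies. The function names (`rawStrictTrue`, `looseBool`, `strictBool`, `settingIsEnabled`) and the sample values are assumptions for the demonstration, chosen to mirror the spellings a settings table or environment variable can hold. It prints only the inputs on which the three readings disagree.

```php
<?php
declare(strict_types=1);

// Added example, not TeamPass code. Contrasts the three ways this thread
// reads a boolean setting: a raw `=== true` check, the `(bool)` cast, and
// filter_var() with FILTER_VALIDATE_BOOLEAN | FILTER_NULL_ON_FAILURE.
// All sample values below are constructed for the demonstration.

/** Raw strict comparison: only a real PHP true passes (the #4440 symptom). */
function rawStrictTrue(mixed $value): bool
{
    return $value === true;
}

/** Loose cast, as in the original identify.php lines: (bool) $value. */
function looseBool(mixed $value): bool
{
    return (bool) $value;
}

/** Strict parse: true/false for recognised boolean spellings, null otherwise. */
function strictBool(mixed $value): ?bool
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

/**
 * Fail-closed gate for a feature flag (hypothetical helper). A value that does
 * not strictly parse to true, including an unrecognised string for which
 * strictBool() returns null, leaves the feature disabled rather than enabling
 * it. That is the safe default for switches that create accounts on login.
 */
function settingIsEnabled(mixed $value): bool
{
    return strictBool($value) === true;
}

/** Result of all three readings for every sample, keyed by label. */
function compare(array $samples): array
{
    $rows = [];
    foreach ($samples as $label => $value) {
        $rows[$label] = [
            'raw'    => rawStrictTrue($value),
            'loose'  => looseBool($value),
            'strict' => strictBool($value),
        ];
    }
    return $rows;
}

/** Only the samples on which the three readings do not all agree. */
function divergences(array $samples): array
{
    return array_filter(
        compare($samples),
        fn (array $r): bool => !($r['raw'] === $r['loose'] && $r['loose'] === $r['strict'])
    );
}

// Constructed inputs. A database column or .env file usually yields strings,
// so "1"/"0" and "true"/"false" are the realistic cases; "abc" stands in for
// a typo or an unexpected value.
$samples = [
    'bool true'      => true,
    'int 1'          => 1,
    'string "1"'     => '1',
    'string "true"'  => 'true',
    'int 0'          => 0,
    'string "0"'     => '0',
    'string "false"' => 'false',
    'string "off"'   => 'off',
    'empty string'   => '',
    'string "abc"'   => 'abc',
];

foreach (divergences($samples) as $label => $r) {
    printf(
        "%-16s === true: %-5s  (bool): %-5s  filter_var: %s  enabled: %s\n",
        $label,
        var_export($r['raw'], true),
        var_export($r['loose'], true),
        var_export($r['strict'], true),
        var_export(settingIsEnabled($samples[$label]), true)
    );
}
```

Two of the divergent rows explain the behaviour reported in this thread. The string "1" (what a settings table typically stores) is not `=== true`, so a raw strict comparison keeps `oauth2_user_to_be_created` false and registration fails, while both `(bool)` and `filter_var()` read it as true. In the other direction, "false" and "off" are truthy under `(bool)` but false under `filter_var()`, so a loose cast can turn a disabled flag on depending on how the value was stored. Gating on `strictBool($value) === true` makes the two agree on every recognised spelling and treats anything unrecognised as disabled.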

@nilsteampassnet (Owner)

The last point, on the latest version.

@hitenmandalia (Author)

OK, trying now.

@hitenmandalia (Author)

@nilsteampassnet still the same issue: Login Credentials do not Correspond.
