App Passwords disappear in personal settings and are revoked shortly after (11.0.1/2/3)

[eggithub]

Steps to reproduce

1. Upgrade nextcloud
2. Create App Password
3. Browser Refresh personal settings page
4. App password has disappeared
5. App password is revoked shortly after (but can be used for a short period of time)

Note: also session log shows 1000 entries in personal settings dating back from 6 to 9 months ago

Expected behaviour

App Password entriy should be listed

Actual behaviour

Instead App Password has disappeared

Server configuration

Operating system:
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux

Web server:
Server version: Apache/2.4.23 (Debian)
Server built: 2016-11-19T23:33:13

Database:
Server version 5.5.54-0+deb8u1-log

PHP version:
PHP 5.6.30-0+deb8u1 (cli) (built: Feb 8 2017 08:50:21)

Nextcloud version: (see Nextcloud admin page)
11.01/2/3

Updated from an older Nextcloud/ownCloud or fresh install:
Update from nextcloud and owncloud

Where did you install Nextcloud from:
installed from downloaded archive from nextcloud downloads

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

Enabled:
  - activity: 2.4.1
  - bookmarks: 0.9.1
  - calendar: 1.5.2
  - comments: 1.1.0
  - contacts: 1.5.3
  - dav: 1.1.1
  - external: true
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_external: 1.1.2
  - files_markdown: 1.0.1
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.6.3
  - news: 10.2.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - tasks: 0.9.5
  - templateeditor: 0.2
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - twofactor_totp: 1.1.0
  - updatenotification: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - admin_audit
  - encryption
  - files_accesscontrol
  - files_automatedtagging
  - files_retention
  - user_external
  - user_ldap
  - user_saml

Nextcloud configuration:

Config report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "\/backup\/cloud\/data",
        "dbtype": "mysql",
        "version": "11.0.3.2",
        "dbname": "owncloud",
        "dbhost": "***REMOVED SENSITIVE VALUE**",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE**",
        "loglevel": 3,
        "logtimezone": "***REMOVED SENSITIVE VALUE**",
        "overwritehost": "",
        "maintenance": false,
        "maxZipInputSize": 838860800,
        "allowZipDownload": true,
        "theme": "",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE**"
        ],
        "forcessl": true,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "preview_max_scale_factor": 1,
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\Illustrator",
            "OC\\Preview\\Postscript",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\TIFF"
        ],
        "trashbin_retention_obligation": "auto",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE**",
            "port": ***REMOVED SENSITIVE VALUE**,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "appstore.experimental.enabled": false,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "singleuser": false
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
LOCAL is configured but not for the user that has this issue

Are you using encryption: yes/no
NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
NO

Client configuration

Browser:
Firefox

Operating system:
Windows10/Ubuntu/Debian

Logs

Web server error log

Web server error log

Lots of:
[DATE TIME YEAR] [access_compat:error] [pid xxxxx] [client xxx.xxx.xxx.xxx:xxxxx] AH01797: client denied by server configuration: /var/www/dav
[DATE TIME YEAR] [access_compat:error] [pid xxxxx] [client xxx.xxx.xxx.xxx:xxxxx] AH01797: client denied by server configuration: /var/www/webdav

probably apache binding config issue, no harm here...

Nextcloud log (data/nextcloud.log)

Nextcloud log

N/A

Browser log

Browser log

N/A

[jancborchardt]

cc @ChristophWurst

[willianm]

This issue is also happening with me when I change the Ldap password. Is it expected to disappear when I change the password in Ldap?

Edit: Nevermind, I found issue #2581. Thanks!

[ChristophWurst]

This issue is also happening with me when I change the Ldap password. Is it expected to disappear when I change the password in Ldap?

Yes 😉

[jk111]

While upgrading from 11.0.2 to 11.0.3, my users' app passwords all vanished as well. Using LDAP backend.

[ChristophWurst]

While upgrading from 11.0.2 to 11.0.3, my users' app passwords all vanished as well. Using LDAP backend.

May I assume that while you did the update, clients (mobile, desktop) were connected? We've fixed this scenario, see #4289

This patch was also backported to 11.0.3: #4290

[ChristophWurst]

@eggithub did the passwords vanish when your instance was either updated or in maintenance mode?

[eggithub]

@ChristophWurst, no, they just disappear outside update and/or maintenance mode. I create an app password with some name, click copy, fill in in the designated app, click done, refresh personal page and app password is gone.

[ChristophWurst]

@ChristophWurst, no, they just disappear outside update and/or maintenance mode. I create an app password with some name, click copy, fill in in the designated app, click done, refresh personal page and app password is gone.

Okay. So you had not even used the password right? This is a different issue ofc.

[eggithub]

Okay. So you had not even used the password right? This is a different issue ofc.

Yes, that is correct

[jk111]

Before updating I used a .htaccess file to disconnect all clients by denying them. However, upon updating I forgot to move the .htaccess to the new web server root, so it's very possible clients reconnected, causing it.

I will keep my eye on future updates and let you know if the issue re-appears.