OCS : Person Check + App Password #6626

@ernesst

Steps to reproduce

  1. Create an app password
  2. curl -X POST http://<server>/ocs/v1.php/person/check -H 'OCS-APIREQUEST: true' -d 'login=<LOGIN>&password=<APP-PASS>'

Expected behaviour

I would expect that with the app password I could check that my app can connect to my Nextcloud services.

Is that behavior for security reasons?

This is the result with the main account password:

<?xml version="1.0"?>
<ocs>
  <meta>
    <status>ok</status>
    <statuscode>100</statuscode>
    <message>OK</message>
    <totalitems></totalitems>
    <itemsperpage></itemsperpage>
  </meta>
  <data>
    <person>
      <personid>tato</personid>
    </person>
  </data>
</ocs>

Actual behaviour

The result with the app password.

<?xml version="1.0"?>
<ocs>
  <meta>
    <status>failure</status>
    <statuscode>102</statuscode>
    <message/>
    <totalitems></totalitems>
    <itemsperpage></itemsperpage>
  </meta>
  <data/>
</ocs>

Server configuration

Operating system: ubuntu 16.04 + Snap for the 11.

Web server: apache 2.4.18 + stable snap

Database: mysql 14.14 + stable snap

PHP version: 7.0.22 + stable snap

Nextcloud version: 12.0.3 & 11.0.4

Updated from an older Nextcloud/ownCloud or fresh install: older for the 12 & snap install for the 11.

Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

App list

Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - audioplayer: 2.1.0
  - bookmarks: 0.10.1
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.5
  - comments: 1.2.0
  - contacts: 1.5.3
  - dav: 1.3.0
  - deck: 0.2.2
  - external: 2.0.3
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_accesscontrol: 1.2.4
  - files_automatedtagging: 1.2.2
  - files_downloadactivity: 1.1.1
  - files_external: 1.3.0
  - files_pdfviewer: 1.1.1
  - files_retention: 1.1.2
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - gpxpod: 2.2.0
  - groupfolders: 1.1.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notes: 2.3.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - passman: 2.1.4
  - password_policy: 1.2.2
  - previewgenerator: 1.0.6
  - provisioning_api: 1.2.0
  - ransomware_protection: 1.0.4
  - richdocuments: 1.12.34
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - socialsharing_email: 1.0.1
  - spreed: 2.0.1
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - telephoneprovider: 1.0.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - twofactor_totp: 1.3.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - direct_menu
  - encryption
  - news
  - ownnote
  - passwords
  - spreedme
  - tasks
  - twofactor_u2f
  - user_external
  - user_ldap

Nextcloud configuration:

Config report
  {
    "system": {
        "instanceid": "oc86df260ed9",
        "passwordsalt": "*REMOVED SENSITIVE VALUE*",
        "trusted_domains": [
            "192.168.1.10",  ],
        "datadirectory": "\/media\/Stockage\/data",
        "dbtype": "mysql",
        "version": "12.0.3.3",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "*REMOVED SENSITIVE VALUE*",
        "dbpassword": "*REMOVED SENSITIVE VALUE*",
        "installed": true,
        "forcessl": true,
        "logtimezone": "America\/Bogota",
        "logfile": "\/media\/Stockage\/data\/owncloud.log",
        "loglevel": 0,
        "log_authfailip": true,
        "preview_max_scale_factor": 1,
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\Illustrator",
            "OC\\Preview\\Postscript",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\CR2"
        ],
        "theme": "",
        "mail_smtpmode": "smtp",
        "mail_smtpname": "*REMOVED SENSITIVE VALUE*",
        "mail_smtppassword": "*REMOVED SENSITIVE VALUE*",
        "mail_from_address": "*REMOVED SENSITIVE VALUE*",
        "mail_domain": "*REMOVED SENSITIVE VALUE*",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": true,
        "mail_smtphost": "smtp.gmail.com",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "maintenance": false,
        "secret": "*REMOVED SENSITIVE VALUE*",
        "appstore.experimental.enabled": true,
        "filelocking.enabled": "true",
        "trashbin_retention_obligation": "auto",
        "htaccess.RewriteBase": "\/",
        "check_for_working_wellknown_setup": true,
        "check_for_working_webdav": true,
        "check_for_working_htaccess": true,
        "overwrite.cli.url": "*REMOVED SENSITIVE VALUE*",
        "updater.release.channel": "stable",
        "overwriteprotocol": "https"
    }
}

Are you using external storage, if yes which one: No

Are you using encryption: no

Are you using an external user-backend, if yes which one: Webdav

Client configuration

Browser: Curl

Nextcloud log (data/nextcloud.log)

Nextcloud log
{"reqId":"+ShhDQ1DiGXBhxK2","remoteAddr":"192.168.1.1))","app":"core","message":"Login failed: 'toto' (Remote IP: '192.168.1.1')","level":2,"time":"2017-09-23T20:52:51+00:00","method":"POST","url":"\/ocs\/v1.php\/person\/check","user":"--","version":"11.0.4.1"}
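
The failure reply above carries an empty `<message/>`, so the reason for the rejection is only visible in the server log. The following added example (not part of the original report or of Nextcloud's code) parses an OCS reply and counts the matching "Login failed" entries for the same endpoint; the sample replies and log lines are constructed in the shape shown in the report, and the function names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed samples in the shape of the replies and log entry from the report.
OK_REPLY = ('<?xml version="1.0"?><ocs><meta><status>ok</status>'
            '<statuscode>100</statuscode><message>OK</message></meta>'
            '<data><person><personid>alice</personid></person></data></ocs>')
FAIL_REPLY = ('<?xml version="1.0"?><ocs><meta><status>failure</status>'
              '<statuscode>102</statuscode><message/></meta><data/></ocs>')

def _log(url, login, ip="192.0.2.7"):
    # Helper that builds one constructed nextcloud.log line (JSON per line).
    return json.dumps({"app": "core", "level": 2, "method": "POST", "url": url,
                       "time": "2017-09-23T20:52:51+00:00",
                       "message": f"Login failed: '{login}' (Remote IP: '{ip}')"})

LOG_LINES = [_log("/ocs/v1.php/person/check", "alice"),
             _log("/login", "bob"),
             "{truncated line"]

LOGIN_FAILED = re.compile(r"Login failed: '([^']*)' \(Remote IP: '([^']*)'\)")

def parse_ocs(xml_text):
    """Pull the fields a client needs out of an OCS v1 XML reply."""
    root = ET.fromstring(xml_text)
    return {"status": root.findtext("meta/status"),
            "statuscode": int(root.findtext("meta/statuscode")),
            "message": root.findtext("meta/message") or "",
            "personid": root.findtext("data/person/personid")}

def failed_logins(log_lines, url_suffix="/person/check"):
    """Return (time, login, ip) for 'Login failed' entries on the given endpoint."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        m = LOGIN_FAILED.fullmatch(entry.get("message", ""))
        if m and entry.get("url", "").endswith(url_suffix):
            hits.append((entry.get("time"), m.group(1), m.group(2)))
    return hits

def explain(xml_text, log_lines, login):
    """Turn a reply plus the server log into a one-line diagnosis."""
    reply = parse_ocs(xml_text)
    if reply["status"] == "ok":
        return f"accepted as {reply['personid']}"
    n = sum(1 for _, who, _ in failed_logins(log_lines) if who == login)
    return f"statuscode {reply['statuscode']}, {n} 'Login failed' log entries for {login}"
```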
