Malfunction of some apps (in particular calendar, files_pdfviewer) triggered by notifications throwing TokenPasswordExpiredException #1827

Closed
drpetersen opened this issue Feb 21, 2024 · 14 comments · Fixed by #1828

Comments

@drpetersen

On two different Nextcloud instances, I experience problems with the notifications app which manifest themselves as problems with other apps which are triggering notifications. I am filing this here because in both cases I observed, the problems go away when the notifications app is disabled (or, in the case of the calendar app malfunctioning, the event_update_notification app).

Problem scenario A (calendar):

Steps to reproduce

  1. Obviously, do something wrong with your nextcloud installation, though I haven't figured out what this could be …
  2. Activate the calendar, the notifications, and the event_update_notification apps.
  3. Share a calendar to some other user.
  4. Create an appointment in that calendar and try to save the data.

Expected behaviour

The data entry sidebar should close and the new appointment should be saved in the calendar.

Actual behaviour

The spinner displaying progress spins infinitely in the now empty data entry sidebar. When I refresh the page, the data entry sidebar is still open with the unsaved appointment.

Problem scenario B (files_pdfviewer):

Steps to reproduce

  1. Again, do something different wrong with your nextcloud installation, whatever it may be …
  2. Activate the files_pdfviewer and the notifications apps.
  3. Share a PDF file via read-only link.
  4. Open the link in an anonymous browser window.

Expected behaviour

The PDF file should be displayed in the PDF viewer app.

Actual behaviour

The sharing page opens, but the PDF viewer pane remains empty.

I can reproduce the calendar problem reliably on one of the two Nextcloud instances, but not on the other; the files_pdfviewer problem on the other hand happens consistently on the latter instance, but cannot be reproduced on the former. Both instances run on the same server, in the same nginx + php8.2-fpm stack.

A problem similar to scenario A has been reported as an issue against the calendar app:

Also, these two issues might be related, as they also involve TokenPasswordExpiredExceptions:

Server configuration (identical for both instances, unless otherwise specified)

Operating system: Linux 6.1.0-18-amd64 x86_64 (Debian trixie/sid)

Web server: nginx 1.24.0-2+b1

Database: mysql 10.11.6

PHP version: 8.2.7

Nextcloud version: Nextcloud Hub 7 (28.0.3 RC1)

Where did you install Nextcloud from: via the built-in updater (originally, from GitHub, ages ago)

Signing status:

No errors have been found.

List of activated apps:

For the instance from scenario A:

Enabled:
  - activity: 2.20.0
  - analytics: 4.12.0
  - announcementcenter: 6.7.0
  - appointments: 1.15.5
  - approval: 1.2.0
  - bookmarks: 13.1.3
  - bruteforcesettings: 2.8.0
  - calendar: 4.6.5
  - calendar_resource_management: 0.6.0
  - camerarawpreviews: 0.8.4
  - checksum: 1.2.3
  - circles: 28.0.0-dev
  - cloud_federation_api: 1.11.0
  - collectives: 2.9.2
  - comments: 1.18.0
  - contacts: 5.5.2
  - contactsinteraction: 1.9.0
  - cookbook: 0.11.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - deck: 1.12.2
  - external: 5.3.1
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_3dmodelviewer: 0.0.12
  - files_accesscontrol: 1.18.0
  - files_automatedtagging: 1.18.0
  - files_external: 1.20.0
  - files_fulltextsearch: 28.0.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_retention: 1.17.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - files_zip: 1.5.0
  - firstrunwizard: 2.17.0
  - flow_notifications: 1.8.0
  - forms: 4.1.1
  - fulltextsearch: 28.0.0
  - fulltextsearch_elasticsearch: 28.0.0
  - gpxpod: 5.0.15
  - groupfolders: 16.0.3
  - guests: 3.0.1
  - health: 2.2.2
  - impersonate: 1.15.0
  - integration_excalidraw: 2.0.4
  - integration_openai: 1.2.0
  - keeweb: 0.6.17
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - mail: 3.5.6
  - maps: 1.3.1
  - news: 25.0.0-alpha4
  - nextcloud_announcements: 1.17.0
  - notes: 4.9.2
  - notifications: 2.16.0
  - notify_push: 0.6.9
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - phonetrack: 0.7.7
  - photos: 2.4.0
  - polls: 6.1.1
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - quota_warning: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - richdocuments: 8.3.1
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - socialsharing_email: 3.0.1
  - spreed: 18.0.3
  - survey_client: 1.16.0
  - suspicious_login: 6.0.0
  - systemtags: 1.18.0
  - tables: 0.7.0-beta.1
  - tasks: 0.15.0
  - text: 3.9.1
  - text2image_helper: 1.0.2
  - text2image_stablediffusion: 1.0.2
  - theming: 2.3.0
  - twofactor_admin: 4.4.0
  - twofactor_backupcodes: 1.17.0
  - twofactor_nextcloud_notification: 3.8.0
  - twofactor_totp: 10.0.0-beta.2
  - twofactor_webauthn: 1.3.2
  - updatenotification: 1.18.0
  - user_ldap: 1.19.0
  - user_oidc: 1.3.6
  - user_status: 1.8.1
  - viewer: 2.2.0
  - weather_status: 1.8.0
  - welcome: 1.0.10
  - workflow_media_converter: 1.9.3
  - workflow_ocr: 1.28.0
  - workflow_pdf_converter: 1.13.0
  - workflow_script: 1.13.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - apporder: 0.15.0 (installed 0.15.0)
  - audioplayer_editor: 0.3.0 (installed 0.3.0)
  - auto_groups: 1.5.2 (installed 1.5.2)
  - breezedark: 27.0.0 (installed 27.0.0)
  - dicomviewer: 1.2.5 (installed 1.2.5)
  - drawio: 3.0.2 (installed 3.0.2)
  - encryption: 2.16.0 (installed 2.4.0)
  - epubviewer: 1.5.3 (installed 1.5.3)
  - event_update_notification: 2.3.0 (installed 2.3.0)      <--- activated to reproduce the error
  - externalportal: 1.2.0 (installed 1.2.0)
  - extract: 1.3.6 (installed 1.3.6)
  - facerecognition: 0.9.31 (installed 0.9.31)
  - files_antivirus: 5.4.2 (installed 5.4.2)
  - files_downloadactivity: 1.16.0 (installed 1.16.0)
  - files_external_onedrive: 1.1.0 (installed 1.1.0)
  - files_fulltextsearch_tesseract: 27.0.0 (installed 27.0.0)
  - files_inotify: 0.2.0 (installed 0.1.15)
  - files_linkeditor: 1.1.16 (installed 1.1.16)
  - files_lock: 28.0.2 (installed 28.0.2)
  - files_markdown: 2.4.1 (installed 2.4.1)
  - files_mindmap: 0.0.30 (installed 0.0.30)
  - files_reader: 1.5.3 (installed 1.5.3)
  - files_readmemd: 2.0.1 (installed 2.0.1)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - files_texteditor: 2.15.1 (installed 2.15.1)
  - flowupload: 1.1.3 (installed 1.1.3)
  - gpxedit: 0.0.14 (installed 0.0.14)
  - gpxmotion: 0.1.0 (installed 0.1.0)
  - group_default_quota: 0.1.8 (installed 0.1.8)
  - holiday_calendars: 0.3.0 (installed 0.3.0)
  - imageconverter: 1.3.5 (installed 1.3.5)
  - integration_dropbox: 2.1.0 (installed 2.1.0)
  - integration_gitlab: 1.0.18 (installed 1.0.18)
  - integration_homeassistant: 0.0.3 (installed 0.0.3)
  - integration_libretranslate: 1.1.1 (installed 1.1.1)
  - integration_moodle: 1.0.2 (installed 1.0.2)
  - jitsi: 0.18.0 (installed 0.18.0)
  - ldap_contacts_backend: 1.8.0 (installed 1.8.0)
  - metadata: 0.19.0 (installed 0.19.0)
  - music: 1.10.0 (installed 1.10.0)
  - occweb: 0.1.1 (installed 0.1.1)
  - ocdownloader: 1.9.1 (installed 1.9.1)
  - ocr: 6.0.58 (installed 6.0.58)
  - onlyoffice: 9.0.0 (installed 9.0.0)
  - orcid: 1.1.1 (installed 1.1.1)
  - pdfannotate: 0.0.10 (installed 0.0.10)
  - piwik: 0.12.0 (installed 0.12.0)
  - previewgenerator: 5.4.0 (installed 5.4.0)
  - quickaccesssorting: 3.0.0 (installed 3.0.0)
  - radio: 1.0.3 (installed 1.0.3)
  - ransomware_protection: 1.14.0 (installed 1.14.0)
  - recognize: 6.1.0-beta.2 (installed 6.1.0-beta.2)
  - riotchat: 0.16.5 (installed 0.16.5)
  - root_cache_cleaner: 0.1.6 (installed 0.1.6)
  - sharepoint: 1.16.0 (installed 1.16.0)
  - sharerenamer: 3.2.0 (installed 3.2.0)
  - sharingpath: 0.4.4 (installed 0.4.4)
  - snappymail: 2.35.0 (installed 2.35.0)
  - support: 1.11.0 (installed 1.7.0)
  - talk_simple_poll: 1.3.1 (installed 1.3.1)
  - timetracker: 0.0.81 (installed 0.0.80)
  - translate: 2.0.0 (installed 2.0.0)
  - twofactor_gateway: 0.20.0 (installed 0.20.0)
  - twofactor_u2f: 6.3.0 (installed 6.3.0)
  - user_usage_report: 1.12.0 (installed 1.12.0)
  - video_converter: 1.0.6 (installed 1.0.6)
  - weather: 1.7.7 (installed 1.7.7)

For the instance in scenario B:

Enabled:
  - activity: 2.20.0
  - calendar: 4.6.5
  - circles: 28.0.0-dev
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contacts: 5.5.2
  - dashboard: 7.8.0
  - dav: 1.29.1
  - deck: 1.12.2
  - event_update_notification: 2.3.0
  - external: 5.3.1
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_automatedtagging: 1.18.0
  - files_external: 1.20.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - forms: 4.1.1
  - groupfolders: 16.0.3
  - groupquota: 0.1.12
  - guests: 3.0.1
  - impersonate: 1.15.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - mail: 3.5.6
  - nextcloud_announcements: 1.17.0
  - notify_push: 0.6.9
  - oauth2: 1.16.3
  - photos: 2.4.0
  - polls: 6.1.1
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - quota_warning: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - richdocuments: 8.3.1
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - spreed: 18.0.3
  - support: 1.11.0
  - survey_client: 1.16.0
  - suspicious_login: 6.0.0
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_oidc: 1.3.6
  - user_status: 1.8.1
  - viewer: 2.2.0
  - weather_status: 1.8.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - announcementcenter: 6.7.0 (installed 6.7.0)
  - appointments: 1.15.5 (installed 1.15.5)
  - bruteforcesettings: 2.8.0 (installed 2.4.0)
  - calendar_resource_management: 0.6.0 (installed 0.6.0)
  - contactsinteraction: 1.9.0 (installed 1.1.0)
  - encryption: 2.16.0
  - extract: 1.3.6 (installed 1.3.6)
  - files_lock: 28.0.2 (installed 28.0.2)
  - files_markdown: 2.4.1 (installed 2.4.1)
  - files_readmemd: 2.0.1 (installed 2.0.1)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - files_texteditor: 2.15.1 (installed 2.15.1)
  - flow_notifications: 1.8.0 (installed 1.8.0)
  - imageconverter: 1.3.5 (installed 1.3.5)
  - integration_dropbox: 2.1.0 (installed 2.1.0)
  - integration_moodle: 1.0.2 (installed 1.0.2)
  - integration_onedrive: 3.1.0 (installed 3.1.0)
  - integration_openstreetmap: 1.0.11 (installed 1.0.11)
  - jitsi: 0.18.0 (installed 0.18.0)
  - ldap_contacts_backend: 1.8.0 (installed 1.8.0)
  - metadata: 0.19.0 (installed 0.19.0)
  - notifications: 2.16.0 (installed 2.16.0)      <--- activated to reproduce the error
  - onlyoffice: 9.0.0 (installed 9.0.0)
  - password_policy: 1.18.0 (installed 1.18.0)
  - pdfannotate: 0.0.10 (installed 0.0.10)
  - ransomware_protection: 1.14.0 (installed 1.14.0)
  - sharepoint: 1.16.0 (installed 1.16.0)
  - sharerenamer: 3.2.0 (installed 3.2.0)
  - tables: 0.7.0-beta.1 (installed 0.7.0-beta.1)
  - twofactor_admin: 4.4.0 (installed 4.4.0)
  - twofactor_gateway: 0.20.0 (installed 0.20.0)
  - twofactor_nextcloud_notification: 3.8.0 (installed 3.8.0)
  - twofactor_totp: 10.0.0-beta.2 (installed 10.0.0-beta.2)
  - twofactor_u2f: 6.4.0-alpha.1 (installed 6.4.0-alpha.1)
  - user_ldap: 1.19.0 (installed 1.19.0)
  - user_usage_report: 1.12.0 (installed 1.12.0)
  - workflow_ocr: 1.28.0 (installed 1.28.0)
  - workflow_pdf_converter: 1.13.0 (installed 1.13.0)
  - workflow_script: 1.13.0 (installed 1.13.0)

Nextcloud configuration:

Instance from scenario A:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.**domain1**.de",
            "cloud.**domain1**.eu"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/cloud.**domain1**.de",
        "overwriteprotocol": "https",
        "allow_local_remote_servers": true,
        "htaccess.RewriteBase": "\/",
        "htaccess.IgnoreFrontController": true,
        "dbtype": "mysql",
        "version": "28.0.3.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "asset-pipeline.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "loglevel": 0,
        "updater.release.channel": "beta",
        "theme": "",
        "filesystem_check_changes": 1,
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "dbindex": 10,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\Epub",
            "OC\\Preview\\PDF",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\StarOffice",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\MSOffice2003",
            "OC\\Preview\\MSOffice2007",
            "OC\\Preview\\FB2"
        ],
        "default_language": "de_DE",
        "default_locale": "de_DE",
        "default_phone_region": "DE",
        "maintenance": false,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mysql.utf8mb4": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "data-fingerprint": "0801ae4b67322cc327ba7d0c2333188e",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "has_rebuilt_cache": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "preview_max_x": "2048",
        "preview_max_y": "2048",
        "maintenance_window_start": 3,
        "hide_login_form": false
    }
}

Instance from scenario B:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.**domain2**.de"
        ],
        "htaccess.RewriteBase": "\/",
        "htaccess.IgnoreFrontController": true,
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "28.0.3.0",
        "overwrite.cli.url": "https:\/\/cloud.**domain2**.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_language": "de_DE",
        "default_locale": "de_DE",
        "default_phone_region": "DE",
        "defaultapp": "files",
        "skeletondirectory": "",
        "loglevel": 0,
        "ldapIgnoreNamingRules": false,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "data-fingerprint": "be6f7b1802be5b6648b0469da79fd5f1",
        "maintenance": false,
        "theme": "",
        "updater.release.channel": "beta",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 12,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 3
    }
}

Are you using an external user-backend, if yes which one: user_oidc, and also LDAP in the first instance.

Client configuration

Browser: Any of Firefox (122.0.1), Brave [Version 1.64.74 Chromium: 122.0.6261.43 (Offizieller Build) beta (64-Bit)](https://brave.com/latest/), Chromium Version 121.0.6167.160 (Official Build) built on Debian trixie/sid, running on Debian trixie/sid (64-bit)

Operating system: Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.6.15-2 (2024-02-04) x86_64 GNU/Linux

Logs

Nextcloud log (data/nextcloud.log)

Scenario A:

{
  "reqId": "BiDYQn2fTI1mKFLlkdad",
  "level": 3,
  "time": "2024-02-21T06:54:38+00:00",
  "remoteAddr": "2001:4dd7:****:0:****:****:****:bca4",
  "user": "lars",
  "app": "webdav",
  "method": "PUT",
  "url": "/remote.php/dav/calendars/****/personal/60A6****-****-****-****-********237F.ics",
  "message": "Exception thrown: OC\\Authentication\\Exceptions\\TokenPasswordExpiredException",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
  "version": "28.0.3.0",
  "exception": {
    "Exception": "OC\\Authentication\\Exceptions\\TokenPasswordExpiredException",
    "Message": "",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/**domain1**/nextcloud/lib/private/Authentication/Token/Manager.php",
        "line": 154,
        "function": "getTokenById",
        "class": "OC\\Authentication\\Token\\PublicKeyTokenProvider",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/notifications/lib/Push.php",
        "line": 580,
        "function": "getTokenById",
        "class": "OC\\Authentication\\Token\\Manager",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/notifications/lib/Push.php",
        "line": 337,
        "function": "validateToken",
        "class": "OCA\\Notifications\\Push",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/notifications/lib/App.php",
        "line": 58,
        "function": "pushToDevice",
        "class": "OCA\\Notifications\\Push",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/lib/private/Notification/Manager.php",
        "line": 329,
        "function": "notify",
        "class": "OCA\\Notifications\\App",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/event_update_notification/lib/EventListener.php",
        "line": 177,
        "function": "notify",
        "class": "OC\\Notification\\Manager",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/event_update_notification/lib/EventListener.php",
        "line": 88,
        "function": "onTouchCalendarObject",
        "class": "OCA\\EventUpdateNotification\\EventListener",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php",
        "line": 86,
        "function": "handle",
        "class": "OCA\\EventUpdateNotification\\EventListener",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php",
        "line": 230,
        "function": "__invoke",
        "class": "OC\\EventDispatcher\\ServiceEventListener",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php",
        "line": 59,
        "function": "callListeners",
        "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/lib/private/EventDispatcher/EventDispatcher.php",
        "line": 94,
        "function": "dispatch",
        "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/lib/private/EventDispatcher/EventDispatcher.php",
        "line": 106,
        "function": "dispatch",
        "class": "OC\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/dav/lib/CalDAV/CalDavBackend.php",
        "line": 1278,
        "function": "dispatchTyped",
        "class": "OC\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/lib/public/AppFramework/Db/TTransactional.php",
        "line": 63,
        "function": "OCA\\DAV\\CalDAV\\{closure}",
        "class": "OCA\\DAV\\CalDAV\\CalDavBackend",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/dav/lib/CalDAV/CalDavBackend.php",
        "line": 1217,
        "function": "atomic",
        "class": "OCA\\DAV\\CalDAV\\CalDavBackend",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/sabre/dav/lib/CalDAV/Calendar.php",
        "line": 199,
        "function": "createCalendarObject",
        "class": "OCA\\DAV\\CalDAV\\CalDavBackend",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 1098,
        "function": "createFile",
        "class": "Sabre\\CalDAV\\Calendar",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
        "line": 504,
        "function": "createFile",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
        "line": 89,
        "function": "httpPut",
        "class": "Sabre\\DAV\\CorePlugin",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 472,
        "function": "emit",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 253,
        "function": "invokeMethod",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 321,
        "function": "start",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/dav/lib/Server.php",
        "line": 370,
        "function": "exec",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/dav/appinfo/v2/remote.php",
        "line": 35,
        "function": "exec",
        "class": "OCA\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/**domain1**/nextcloud/remote.php",
        "line": 172,
        "args": [
          "/var/www/**domain1**/nextcloud/apps/dav/appinfo/v2/remote.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/**domain1**/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php",
    "Line": 216,
    "message": "",
    "exception": [],
    "CustomMessage": "Exception thrown: OC\\Authentication\\Exceptions\\TokenPasswordExpiredException"
  },
  "id": "65d59e31ca073"
}

Scenario B:

{
  "reqId": "XyOPyFQEyALnMykcuUW1",
  "level": 3,
  "time": "2024-02-21T06:38:21+00:00",
  "remoteAddr": "2001:4dd7:****:0:****:****:****:bca4",
  "user": "--",
  "app": "index",
  "method": "GET",
  "url": "/s/3gq*********MW4/download?path=&files=",
  "message": "Exception thrown: OC\\Authentication\\Exceptions\\TokenPasswordExpiredException",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
  "version": "28.0.3.0",
  "exception": {
    "Exception": "OC\\Authentication\\Exceptions\\TokenPasswordExpiredException",
    "Message": "",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/**domain2**/nextcloud/lib/private/Authentication/Token/Manager.php",
        "line": 154,
        "function": "getTokenById",
        "class": "OC\\Authentication\\Token\\PublicKeyTokenProvider",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/notifications/lib/Push.php",
        "line": 580,
        "function": "getTokenById",
        "class": "OC\\Authentication\\Token\\Manager",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/notifications/lib/Push.php",
        "line": 337,
        "function": "validateToken",
        "class": "OCA\\Notifications\\Push",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/notifications/lib/App.php",
        "line": 58,
        "function": "pushToDevice",
        "class": "OCA\\Notifications\\Push",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain2**/nextcloud/lib/private/Notification/Manager.php",
        "line": 329,
        "function": "notify",
        "class": "OCA\\Notifications\\App",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/activity/lib/NotificationGenerator.php",
        "line": 56,
        "function": "notify",
        "class": "OC\\Notification\\Manager",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/activity/lib/Consumer.php",
        "line": 55,
        "function": "sendNotificationForEvent",
        "class": "OCA\\Activity\\NotificationGenerator",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/lib/private/Activity/Manager.php",
        "line": 157,
        "function": "receive",
        "class": "OCA\\Activity\\Consumer",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/files_sharing/lib/Controller/ShareController.php",
        "line": 582,
        "function": "publish",
        "class": "OC\\Activity\\Manager",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/files_sharing/lib/Controller/ShareController.php",
        "line": 554,
        "function": "publishActivity",
        "class": "OCA\\Files_Sharing\\Controller\\ShareController",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/apps/files_sharing/lib/Controller/ShareController.php",
        "line": 413,
        "function": "singleFileDownloaded",
        "class": "OCA\\Files_Sharing\\Controller\\ShareController",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 230,
        "function": "downloadShare",
        "class": "OCA\\Files_Sharing\\Controller\\ShareController",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 137,
        "function": "executeController",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/lib/private/AppFramework/App.php",
        "line": 184,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/lib/private/Route/Router.php",
        "line": 315,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/lib/base.php",
        "line": 1069,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->"
      },
      {
        "file": "/var/www/**domain2**/nextcloud/index.php",
        "line": 39,
        "function": "handleRequest",
        "class": "OC",
        "type": "::"
      }
    ],
    "File": "/var/www/**domain2**/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php",
    "Line": 216,
    "message": "",
    "exception": [],
    "CustomMessage": "Exception thrown: OC\\Authentication\\Exceptions\\TokenPasswordExpiredException"
  },
  "id": "65d59a65bf408"
}

Browser log

Scenario A (browser console log):

index.js:76 WebSocket connection to 'wss://cloud.**domain1**.de/push/ws' failed: 
r @ index.js:76
Show 1 more frame
Show less
talkService.js:72 [DEBUG] calendar: Event's conference/location is from another host {app: 'calendar', uid: 'lars', level: 0}
calendarObjects.js:243 
        
        
       PUT https://cloud.**domain1**.de/remote.php/dav/calendars/lars/personal/4165****-****-****-****-********82F6.ics 500 (Internal Server Error)
(anonymous) @ dist.js:1
u @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
pe @ dist.js:1
o @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
u @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
pe @ dist.js:1
o @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
u @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
Le @ dist.js:1
o @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
u @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
Pt @ dist.js:1
o @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
(anonymous) @ dist.js:1
updateCalendarObject @ calendarObjects.js:243
(anonymous) @ vuex.esm.js:851
p.dispatch @ vuex.esm.js:516
dispatch @ vuex.esm.js:406
saveCalendarObjectInstance @ calendarObjectInstance.js:1671
(anonymous) @ vuex.esm.js:851
p.dispatch @ vuex.esm.js:516
dispatch @ vuex.esm.js:406
save @ EditorMixin.js:486
saveAndLeave @ EditorMixin.js:499
saveEvent @ EditSidebar.vue:619
prepareAccessForAttachments @ EditSidebar.vue:613
save-this-only @ EditSidebar.vue:1
vn @ vue.runtime.esm.js:3017
n @ vue.runtime.esm.js:1815
vn @ vue.runtime.esm.js:3017
e.$emit @ vue.runtime.esm.js:3716
saveThisOnly @ SaveButtons.vue:95
vn @ vue.runtime.esm.js:3017
n @ vue.runtime.esm.js:1815
click @ index.module.js:2
vn @ vue.runtime.esm.js:3017
n @ vue.runtime.esm.js:1815
a._wrapper @ vue.runtime.esm.js:7480
dist.js:1 Uncaught (in promise) Error
    at n.value.regeneratorRuntime.mark.regeneratorRuntime.wrap.e.abrupt.s.onreadystatechange (dist.js:1:122053)
n.value.regeneratorRuntime.mark.regeneratorRuntime.wrap.e.abrupt.s.onreadystatechange @ dist.js:1
await in n.value.regeneratorRuntime.mark.regeneratorRuntime.wrap.e.abrupt.s.onreadystatechange (async)
saveEvent @ EditSidebar.vue:619
prepareAccessForAttachments @ EditSidebar.vue:613
save-this-only @ EditSidebar.vue:1
vn @ vue.runtime.esm.js:3017
n @ vue.runtime.esm.js:1815
vn @ vue.runtime.esm.js:3017
e.$emit @ vue.runtime.esm.js:3716
saveThisOnly @ SaveButtons.vue:95
vn @ vue.runtime.esm.js:3017
n @ vue.runtime.esm.js:1815
click @ index.module.js:2
vn @ vue.runtime.esm.js:3017
n @ vue.runtime.esm.js:1815
a._wrapper @ vue.runtime.esm.js:7480
index.js:76 WebSocket connection to 'wss://cloud.**domain1**.de/push/ws' failed: 
r @ index.js:76

Scenario B (browser console log):

fetch_stream.js:135 GET https://cloud.**domain2**.de/s/3gqTqDpjny3BMW4/download?path=&files= 500 (Internal Server Error)
app.js:1249 Unerwartete Antwort des Servers

PDF.js v3.11.174 (build: ce8716743)
Message: Unexpected server response (500) while retrieving PDF "https://cloud.**domain2**.de/s/3gqTqDpjny3BMW4/download?path=&files=".
util.js:466 Uncaught (in promise) 
UnexpectedResponseException {message: 'Unexpected server response (500) while retrieving …haft.de/s/3gqTqDpjny3BMW4/download?path=&files=".', name: 'UnexpectedResponseException', status: 500, stack: 'Error\n    at BaseExceptionClosure (https://cloud.a…iles_pdfviewer/js/pdfjs/build/pdf.js?v=2.9.0:32:3'}

Thank you for looking into this. If it would have been better to file two separate issues, please advise me to do so. Also, if there is anything else I can do to help debug this, let me know.

@nickvergessen
Member

Do you see the matching user in these logs in the original, or are they censored on the disk already:

      {
        "file": "/var/www/**domain1**/nextcloud/lib/private/Authentication/Token/Manager.php",
        "line": 154,
        "function": "getTokenById",
        "class": "OC\\Authentication\\Token\\PublicKeyTokenProvider",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/notifications/lib/Push.php",
        "line": 580,
        "function": "getTokenById",
        "class": "OC\\Authentication\\Token\\Manager",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/notifications/lib/Push.php",
        "line": 337,
        "function": "validateToken",
        "class": "OCA\\Notifications\\Push",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/**domain1**/nextcloud/apps/notifications/lib/App.php",
        "line": 58,
        "function": "pushToDevice",
        "class": "OCA\\Notifications\\Push",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },

As far as I understand the password of the access token was marked invalid as it might have changed in the user backend:
https://github.com/nextcloud/server/blob/ffdf49a9c2f90f404628232f8b1756db7fdf4603/lib/private/User/Session.php#L773

It should heal automatically after the user logged in via the web interface using the new password:
https://github.com/nextcloud/server/blob/ffdf49a9c2f90f404628232f8b1756db7fdf4603/lib/private/Authentication/Listeners/UserLoggedInListener.php#L60

It's a bit strange that no one complained about this for such a long time, so I assume some path changed somewhere recently.
However, I'm not sure this is really fixable on the notifications side, nor on any of the other apps.

The only option I see is: clients need to be able to "get to know" this state and then need to ask the user to perform a login on the web view.

@drpetersen
Author

drpetersen commented Feb 21, 2024

Thanks a lot for your reply. The logs were copied from the /settings/admin/logging app, and the *** sensitive parameters replaced *** had already been censored; the **domain1** was replaced manually by me.

EDIT: Oh, and yes, the *** sensitive parameters replaced *** is also what is stored verbatim in the log on disk, just looked that up directly in the log file.

Actually, problem A (the calendar problem) started after I switched to the user_oidc backend on that instance very recently; for problem B, I cannot really tell, because that has gone unnoticed for a long time (like half a year). Might also have been related to the switch to user_oidc, which I made a lot earlier on that instance.

I do not quite understand what you mean by:

> It should heal automatically after the user logged in via the web interface using the new password

I tried what I thought you were saying, i.e. logged in via /login?direct=1 once, but this does not help. (Logged in as the user receiving the notifications, i.e. the one to whom the calendar is shared; but just to be safe also logged in once as the calendar owner.) Should I do something else instead?

Is there some other workaround I might try, like manually clearing expired tokens from some database table or cache?

@nickvergessen
Member

There is an occ notification:test-push command:
https://github.com/nextcloud/notifications/blob/master/lib/Command/TestPush.php#L65

You can run that for all of the users involved in the problem.

> I tried what I thought you were saying, i.e. logged in via /login?direct=1 once, but this does not help. (Logged in as the user receiving the notifications, i.e. the one to whom the calendar is shared; but just to be safe also logged in once as the calendar owner.) Should I do something else instead?

The problem is it has to be everyone involved in the action. So if multiple people would receive a notification from the same calendar change, all of them need to be okay (that part should be fixable).

@drpetersen
Author

drpetersen commented Feb 22, 2024

Thank you, that is a very helpful hint. Just tried that command with my NC instance A (user1 is me, user2 is the user to whom the calendar is shared):

occ notification:test-push -- **user1**
Trying to push to 5 devices

Language is set to de_DE
Private user key size: 1708
Public user key size: 451
Identified 2 Talk devices and 3 others.  

Device token:13943
Device token "last checked" is older than 60 days: 1561017956

Device token:35934
Device token "last checked" is older than 60 days: 1680682300

Device token:48216
Device token is valid
Device public key size: 451
Data to encrypt is: {"nid":14676,"app":"admin_notifications","subject":"Testing push notifications","type":"admin_notifications","id":"65d6f469"}
Signed encrypted push subject
Push notification sent successfully

So, the first one is from 2019 … small wonder it has expired. Actually, I received the test notification in a browser, and after viewing it, I now get:

occ notification:test-push -- **user1**
Trying to push to 5 devices

Language is set to de_DE
Private user key size: 1708
Public user key size: 451
Identified 2 Talk devices and 3 others.  

Device token:13943

Device token:35934

Device token:48216
Device public key size: 451
Data to encrypt is: {"nid":14681,"app":"admin_notifications","subject":"Testing push notifications","type":"admin_notifications","id":"65d6fa95"}
Signed encrypted push subject
Push notification sent successfully

So somehow, the expired tokens got renewed. How that happened, I have no idea (but you do, I guess …).

Now for the other user:

occ notification:test-push -- **user2**
Trying to push to 3 devices

Language is set to de_DE
Private user key size: 1704
Public user key size: 451
Identified 1 Talk devices and 2 others.  

Device token:15680
Device token "last checked" is older than 60 days: 1561567290

Device token:38119

In PublicKeyTokenProvider.php line 216:
                                                                
  [OC\Authentication\Exceptions\TokenPasswordExpiredException]  
                                                                

notification:test-push [--talk] [--] <user-id>

So, another token dating back to 2019 … If I understand you correctly, that user2 would now have to somehow refresh that token?

I logged in as that user via OIDC – viewed the test notification, tried to dismiss it, got the error message "Notification cannot be dismissed"; then logged out, logged in via /login?direct=1, viewed notifications, tried to dismiss them, same error. Re-ran the above occ invocation, with almost the same result:

occ notification:test-push -- **user2**
Trying to push to 3 devices

Language is set to de_DE
Private user key size: 1704
Public user key size: 451
Identified 1 Talk devices and 2 others.

Device token:15680

Device token:38119

In PublicKeyTokenProvider.php line 216:
                                                                
  [OC\Authentication\Exceptions\TokenPasswordExpiredException]  
                                                                

notification:test-push [--talk] [--] <user-id>

So now, the "Device token: 15680" seems to have been renewed, but the command still errors out. Anything I could do to fix that? Is there a way to delete the tokens from the /settings/user/security page of that user? How can I tell which ones, of the dozens listed there? What would be the side-effects? Or is there a better way?

Thanks for your time and help!

@nickvergessen
Member

Can you run the following query for that user:

SELECT `id`, `password_invalid`, `last_activity`, `last_check`, `type`, `remember`, `name` FROM `oc_authtoken` WHERE `uid` = 'user2';

PS "name" is just to get an indication whether it's from a client or browser. If it contains real names (iPhone of User2) feel free to censor it away.

@nickvergessen
Member

I found the "problem" why this comes up now

28+

OC\Authentication\Exceptions\TokenPasswordExpiredException extends
OC\Authentication\Exceptions\ExpiredTokenException extends
OCP\Authentication\Exceptions\ExpiredTokenException extends
OCP\Authentication\Exceptions\InvalidTokenException extends 🟥
Exception

but we catch
OC\Authentication\Exceptions\InvalidTokenException extends 💥
OCP\Authentication\Exceptions\InvalidTokenException extends 🟥
Exception

So our catch no longer covers TokenPasswordExpiredException which it did before

27 and before

OC\Authentication\Exceptions\TokenPasswordExpiredException extends
OC\Authentication\Exceptions\InvalidTokenException extends 🟦
Exception

and we caught
OC\Authentication\Exceptions\InvalidTokenException extends 🟦
Exception
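
The two class chains from the comment above, modelled as an added example (not Nextcloud's code; the Model27, Model28 and Demo namespaces and the function names are hypothetical). It shows why a catch on the private InvalidTokenException stops matching in 28+, and why catching the public class, as the patch posted later in this thread does, matches again:

```php
<?php
// Added illustration, not Nextcloud code: Model27, Model28 and Demo are
// hypothetical namespaces that mirror only the "extends" chains quoted above.
namespace Model27\OC {
    class InvalidTokenException extends \Exception {}
    class TokenPasswordExpiredException extends InvalidTokenException {}
}
namespace Model28\OCP {
    class InvalidTokenException extends \Exception {}
    class ExpiredTokenException extends InvalidTokenException {}
}
namespace Model28\OC {
    class InvalidTokenException extends \Model28\OCP\InvalidTokenException {}
    class ExpiredTokenException extends \Model28\OCP\ExpiredTokenException {}
    class TokenPasswordExpiredException extends ExpiredTokenException {}
}
namespace Demo {
    // 27 layout: the caught private class is an ancestor of the thrown class.
    function layout27PrivateCatch(): string {
        try {
            throw new \Model27\OC\TokenPasswordExpiredException();
        } catch (\Model27\OC\InvalidTokenException $e) {
            return 'handled';
        }
    }

    // 28+ layout: the private InvalidTokenException is now a sibling branch.
    function layout28PrivateCatch(): string {
        try {
            throw new \Model28\OC\TokenPasswordExpiredException();
        } catch (\Model28\OC\InvalidTokenException $e) {
            return 'handled';
        }
    }

    // 28+ layout, catching the public class that both branches descend from.
    function layout28PublicCatch(): string {
        try {
            throw new \Model28\OC\TokenPasswordExpiredException();
        } catch (\Model28\OCP\InvalidTokenException $e) {
            return 'handled';
        }
    }

    foreach (['layout27PrivateCatch', 'layout28PrivateCatch', 'layout28PublicCatch'] as $name) {
        try {
            $result = (__NAMESPACE__ . '\\' . $name)();
        } catch (\Throwable $e) {
            // Nothing inside the function caught it: in a request this surfaces as a 500.
            $result = 'uncaught ' . get_class($e);
        }
        echo $name, ': ', $result, PHP_EOL;
    }
}
```

Only the middle case lets the exception escape, which corresponds to the 500 responses in both scenarios.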

@drpetersen
Author

> Can you run the following query for that user:
>
> SELECT id, password_invalid, last_activity, last_check, type, remember, name FROM oc_authtoken WHERE uid = 'user2';

Sure! Here is the output:

   Showing rows 0 - 15 (16 total, Query took 0.0004 seconds.)


SELECT `id`, `password_invalid`, `last_activity`, `last_check`, `type`, `remember`, `name` FROM `oc_authtoken` WHERE `uid` = '**user2**';

id	password_invalid	last_activity	last_check	type	remember	name	
15680	0	1561567290	1561567290	1	0	Samsung SM-N910F	
16204	0	1708588523	1708588523	1	0	Samsung SM-N910F (Nextcloud Talk)	
17852	0	1624257933	1624257932	1	0	Samsung SM-N910F	
34279	0	1610270375	1610270299	1	0	Thunderbird FileLink	
36173	0	1640799711	1640799710	1	0	Samsung SM-N910F	
38119	1	1708425985	1708425985	1	0	Samsung SM-A528B	
40816	1	1684999518	1684999302	1	0	petersen (Desktop Client - Linux)	
45661	1	1686933472	1686933202	1	0	petersen (Desktop Client - Linux)	
46060	1	1708380770	1708380501	1	0	petersen (Desktop Client - Linux)	
48239	1	1708507491	1708507222	1	0	petersen (Desktop Client - Linux)	
48241	0	1708512899	1708512899	0	0	DAVx5/4.1-ose (2021/12/29; dav4jvm; okhttp/4.9.1) Android/13	
48244	0	1708552868	1708552743	0	1	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36	
48246	0	1708556003	1708556003	0	0	DAVx5/4.1-ose (2021/12/29; dav4jvm; okhttp/4.9.1) Android/13	
48249	0	1708588501	1708588501	0	1	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36	
48250	0	1708588636	1708588636	0	1	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36	
48251	0	1708600137	1708600137	0	0	DAVx5/4.1-ose (2021/12/29; dav4jvm; okhttp/4.9.1) Android/13	

@drpetersen
Author

> So our catch no longer covers TokenPasswordExpiredException which it did before

Looks like an easy fix then … 😉 Thank you!

@nickvergessen
Member

That being said, that would explain why some people lost their push hashes... if the password was temporarily invalid, we wiped the push token in 27 and before 🤔

@nickvergessen
Member

Can you apply the following patch and then retry:

diff --git a/lib/Push.php b/lib/Push.php
index cfbd70c0..43bcea39 100644
--- a/lib/Push.php
+++ b/lib/Push.php
@@ -28,13 +28,13 @@ namespace OCA\Notifications;
 
 use GuzzleHttp\Exception\ClientException;
 use GuzzleHttp\Exception\ServerException;
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\IProvider;
 use OC\Security\IdentityProof\Key;
 use OC\Security\IdentityProof\Manager;
 use OCA\Notifications\AppInfo\Application;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\DB\QueryBuilder\IQueryBuilder;
 use OCP\Http\Client\IClientService;
 use OCP\ICache;
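
Review bot: On the added `use OCP\Authentication\Exceptions\InvalidTokenException;` line, confirm that every existing catch of InvalidTokenException in lib/Push.php is meant to swallow TokenPasswordExpiredException as well, because with the public class imported a token whose password is only temporarily marked invalid is handled exactly like a token that no longer exists. The catch bodies are outside this hunk; if they delete the device's push registration, which the thread says happened on 27 and before, a separate catch for the expired-password case that skips the device but keeps its registration would avoid silently dropping push for users whose backend password changed. A unit test that feeds validateToken a token with password_invalid set would pin down whichever behaviour is intended. As a smaller style point, `OC\Authentication\Token\IProvider` remains a private-namespace import next to the one removed here.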

@drpetersen
Author

YES! Both problems fixed. 🎉

@nickvergessen
Member

As per commit message I'm not sure whether the behaviour is correct, but at least it's the same as on 27 again.
I think this could really explain vanished push tokens we experienced in the past

@drpetersen
Author

From my point of view, everything looks fine. The affected user can also dismiss notifications again, which failed before.

So, I'm going to close this now, hope that's ok. Again, thank you!

@nickvergessen
Member

Let's keep it open so it closes when the PR is merged
