Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to Nextcloud 15 can lockout user when OTP provider App is disabled #13112

Closed
IteDas opened this issue Dec 17, 2018 · 4 comments

Comments

Projects
None yet
5 participants
@IteDas
Copy link

commented Dec 17, 2018

Steps to reproduce

  1. Use offical 2FA
  2. Upgrade to nextcloud 15
  3. Log-Out
  4. Try to log in

Expected behaviour

2FA should be disabled when app is disabled

Actual behaviour

Message shown stating that 2FA is enforced (it is not) and not 2FA provider can be selected contact admin.

Server configuration

Operating system:
Debian Stretch 9.6

Web server:
Apache 2.4.37

Database:
Maria DB 10.0.1.37

PHP version:
PHP 7.0.33-0+deb9u1

Nextcloud version: (see Nextcloud admin page)
15.0.0

Updated from an older Nextcloud/ownCloud or fresh install:
Update

Where did you install Nextcloud from:
offical rep

@mnowiasz

This comment has been minimized.

Copy link

commented Dec 17, 2018

Yes, ran into this, too.

I was finally able to solve this issue (hadn't any backup codes, so I was unable to login as admin) by:

php occ app:update twofactor_totp
php occ app:update twofactor_u2f
php occ app:enable twofactor_totp
php occ app:enable twofactor_u2f

Good luck to all those poor guys who haven't got shell access to their instance.

This is the second time Nexcloud bit me hard using 2FA (the first time was when changing the password made all application password invalids - no warning at all), so I'm really not amused, to put it mildly.

@rullzer

This comment has been minimized.

Copy link
Member

commented Dec 17, 2018

2FA should be disabled when app is disabled

No it should not. If you enable 2FA on your account it should be enforced for your account.

I was finally able to solve this issue (hadn't any backup codes, so I was unable to login as admin)

Well there is a reason having backup codes is always adviced.

This is the second time Nexcloud bit me hard using 2FA (the first time was when changing the password made all application password invalids - no warning at all), so I'm really not amused, to put it mildly.

That is not related to 2FA. It was a limitation of our earlier apptokens. This should all be solved with NC15.

@timmersr

This comment has been minimized.

Copy link

commented Dec 17, 2018

php occ app:update twofactor_totp
php occ app:update twofactor_u2f
php occ app:enable twofactor_totp
php occ app:enable twofactor_u2f

This is the second time Nexcloud bit me hard using 2FA (the first time was when changing the password made all application password invalids - no warning at all), so I'm really not amused, to put it mildly.

Thanks for the work-around! Also #12510

I really like Nextcloud, but it would IMHO greatly benefit by pauzing developing new innovations, and first focussing on solving (all) outstanding bugs.

@ChristophWurst

This comment has been minimized.

Copy link
Member

commented Dec 17, 2018

Duplicate of #11102

@ChristophWurst ChristophWurst marked this as a duplicate of #11102 Dec 17, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.