Upgrade to Nextcloud 15 can lockout user when OTP provider App is disabled #13112

Closed
IteDas opened this issue Dec 17, 2018 · 4 comments
Labels
0. Needs triage, bug

Comments


IteDas commented Dec 17, 2018

Steps to reproduce

  1. Use official 2FA
  2. Upgrade to Nextcloud 15
  3. Log out
  4. Try to log in

Expected behaviour

2FA should be disabled when app is disabled

Actual behaviour

A message is shown stating that 2FA is enforced (it is not) and that no 2FA provider can be selected; contact admin.

Server configuration

Operating system:
Debian Stretch 9.6

Web server:
Apache 2.4.37

Database:
Maria DB 10.0.1.37

PHP version:
PHP 7.0.33-0+deb9u1

Nextcloud version: (see Nextcloud admin page)
15.0.0

Updated from an older Nextcloud/ownCloud or fresh install:
Update

Where did you install Nextcloud from:
official rep

IteDas added the "0. Needs triage" and "bug" labels Dec 17, 2018
@mnowiasz

Yes, ran into this, too.

I was finally able to solve this issue (hadn't any backup codes, so I was unable to log in as admin) by:

```
# Update the two-factor provider apps
php occ app:update twofactor_totp
php occ app:update twofactor_u2f
# Re-enable them
php occ app:enable twofactor_totp
php occ app:enable twofactor_u2f
```

Good luck to all those poor guys who haven't got shell access to their instance.

This is the second time Nextcloud bit me hard using 2FA (the first time was when changing the password made all application passwords invalid - no warning at all), so I'm really not amused, to put it mildly.
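
An added example, not part of the comment above or of the Nextcloud project's code: a shell helper that reads `php occ app:list` output and, for each `twofactor_*` app listed under `Disabled:`, prints the `app:update` and `app:enable` commands from the workaround. The function names and the sample listing are constructed, and the `Enabled:`/`Disabled:` layout of the listing is an assumption.

```shell
#!/bin/sh
# Reads `php occ app:list` output on stdin and prints every twofactor_* app
# that appears under the "Disabled:" heading (layout assumed, see sample below).
disabled_2fa_apps() {
    awk '
        /^Enabled:/  { section = "enabled";  next }
        /^Disabled:/ { section = "disabled"; next }
        section == "disabled" && /^[ \t]*-[ \t]*twofactor_/ {
            name = $2
            sub(/:$/, "", name)   # tolerate a "name: version" entry
            print name
        }
    '
}

# Constructed sample listing; app versions are made up for illustration.
sample_app_list() {
    cat <<'EOF'
Enabled:
  - files: 1.10.0
  - twofactor_backupcodes: 1.4.1
Disabled:
  - twofactor_totp
  - twofactor_u2f
  - user_ldap
EOF
}

# For each disabled provider app, print the two occ commands from the
# workaround so an admin can review them before running anything.
suggest_fix() {
    disabled_2fa_apps | while read -r app; do
        printf 'php occ app:update %s\n' "$app"
        printf 'php occ app:enable %s\n' "$app"
    done
}

# Demonstration on the constructed sample; on a real instance the input
# would be piped in instead:  php occ app:list | suggest_fix
sample_app_list | suggest_fix
```

Running the check right after an upgrade, before logging out of the admin session, shows whether a 2FA provider app was left disabled while accounts still have 2FA enabled.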

Member

rullzer commented Dec 17, 2018

> 2FA should be disabled when app is disabled

No, it should not. If you enable 2FA on your account it should be enforced for your account.

> I was finally able to solve this issue (hadn't any backup codes, so I was unable to log in as admin)

Well, there is a reason having backup codes is always advised.

> This is the second time Nextcloud bit me hard using 2FA (the first time was when changing the password made all application passwords invalid - no warning at all), so I'm really not amused, to put it mildly.

That is not related to 2FA. It was a limitation of our earlier apptokens. This should all be solved with NC15.

@timmersr

> ```
> php occ app:update twofactor_totp
> php occ app:update twofactor_u2f
> php occ app:enable twofactor_totp
> php occ app:enable twofactor_u2f
> ```
>
> This is the second time Nextcloud bit me hard using 2FA (the first time was when changing the password made all application passwords invalid - no warning at all), so I'm really not amused, to put it mildly.

Thanks for the work-around! Also #12510

I really like Nextcloud, but it would IMHO greatly benefit from pausing the development of new innovations and first focusing on solving (all) outstanding bugs.

@ChristophWurst
Member

Duplicate of #11102

ChristophWurst marked this as a duplicate of #11102 Dec 17, 2018