
Logout and no function of the app tokens if 2FA is not completely executed #29371

Closed
weinic opened this issue Oct 21, 2021 · 9 comments
Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), bug, needs info

Comments


weinic commented Oct 21, 2021

Steps to reproduce

  1. Log in to Nextcloud.
  2. You will be prompted for the 2nd factor.
  3. Cancel the login.

If you do this three, four, five times in a row, you will be logged out of all active sessions (kicked out).

But the worst thing is that no app tokens work then either.
All additional programs that try to access Nextcloud via app tokens only return the error "User or password incorrect".

After a certain time (sometimes several hours) everything works again. All programs can access via their App Tokens again.

Expected behaviour

Tell us what should happen

Actual behaviour

Tell us what happens instead

Server configuration

Operating system:
Debian 10 (Openmediavault)
Linux 5.10.0-0.bpo.8-amd64 x86_64

Web server:
Nginx

Database:
MariaDB Version: 10.3.31

PHP version:
Version: 7.3.29

Nextcloud version: (see Nextcloud admin page)
21.0.4

Updated from an older Nextcloud/ownCloud or fresh install:
Version 14 or 15 (I don't remember exactly)

Where did you install Nextcloud from:

Signing status:

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

No errors have been found

List of activated apps:

Enabled:

  • accessibility: 1.7.0
  • activity: 2.14.3
  • announcementcenter: 5.0.1
  • appointments: 1.10.2
  • apporder: 0.13.0
  • bookmarks: 10.0.0
  • breezedark: 21.0.10
  • bruteforcesettings: 2.2.0
  • calendar: 2.3.4
  • circles: 0.21.4
  • cloud_federation_api: 1.4.0
  • collectives: 0.12.21
  • comments: 1.11.0
  • contacts: 4.0.3
  • contactsinteraction: 1.2.0
  • cookbook: 0.9.4
  • cospend: 1.3.7
  • dashboard: 7.1.0
  • dav: 1.17.1
  • deck: 1.4.5
  • documentserver_community: 0.1.11
  • emlviewer: 0.0.23
  • event_update_notification: 1.3.0
  • external: 3.8.2
  • extract: 1.3.2
  • federatedfilesharing: 1.11.0
  • federation: 1.11.0
  • files: 1.16.0
  • files_accesscontrol: 1.11.0
  • files_automatedtagging: 1.11.0
  • files_downloadactivity: 1.11.1
  • files_external: 1.12.0
  • files_linkeditor: 1.1.6
  • files_markdown: 2.3.4
  • files_pdfviewer: 2.1.0
  • files_rightclick: 1.0.0
  • files_sharing: 1.13.1
  • files_trackdownloads: 1.10.0
  • files_trashbin: 1.11.0
  • files_versions: 1.14.0
  • files_videoplayer: 1.10.0
  • firstrunwizard: 2.10.0
  • flow_notifications: 1.1.0
  • forms: 2.3.0
  • groupfolders: 9.0.3
  • guests: 2.0.2
  • impersonate: 1.8.0
  • integration_github: 1.0.0
  • keeweb: 0.6.6
  • limit_login_to_ip: 3.1.0
  • listman: 20.0.7
  • login_notes: 0.4.0
  • logreader: 2.6.0
  • lookup_server_connector: 1.9.0
  • maps: 0.1.9
  • metadata: 0.14.0
  • music: 1.4.0
  • news: 16.1.0
  • nextcloud_announcements: 1.10.0
  • notes: 4.1.1
  • notifications: 2.9.0
  • notify_push: 0.2.4
  • oauth2: 1.9.0
  • ocdownloader: 1.7.12
  • onlyoffice: 7.1.2
  • password_policy: 1.11.0
  • passwords: 2021.10.10
  • phonetrack: 0.6.9
  • photos: 1.3.0
  • polls: 3.2.0
  • privacy: 1.5.0
  • provisioning_api: 1.11.0
  • quota_warning: 1.11.0
  • recommendations: 1.0.0
  • riotchat: 0.9.5
  • serverinfo: 1.11.0
  • settings: 1.3.0
  • sharebymail: 1.11.0
  • socialsharing_email: 2.2.0
  • souvenirs: 1.2.0
  • spreed: 11.3.2
  • support: 1.4.0
  • survey_client: 1.9.0
  • systemtags: 1.11.0
  • tasks: 0.14.2
  • text: 3.2.0
  • theming: 1.12.0
  • twofactor_admin: 3.1.0
  • twofactor_backupcodes: 1.10.0
  • twofactor_gateway: 0.19.0
  • twofactor_nextcloud_notification: 3.2.1
  • twofactor_totp: 6.1.0
  • twofactor_webauthn: 0.2.10
  • updatenotification: 1.11.0
  • user_status: 1.1.1
  • viewer: 1.5.0
  • weather_status: 1.1.0
  • workflowengine: 2.3.0

Disabled:

  • admin_audit
  • audioplayer
  • checksum
  • cms_pico
  • customproperties
  • dashboardcharts
  • data_request
  • eidlogin
  • encryption
  • files_snapshots
  • flowupload
  • groupquota
  • issuetemplate
  • quickaccesssorting
  • radio
  • richdocuments
  • richdocumentscode
  • sendent
  • side_menu
  • social
  • terms_of_service
  • timetracker
  • user_ldap
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Nextcloud configuration:

Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "trusted_domains": [
            "192.168.193.10",
            "server",
            "cloud.weinbauer.heim-server.de",
            "localhost",
            "127.0.0.1"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "21.0.4.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "app_install_overwrite": [
            "polls",
            "files_external_dropbox",
            "sharerenamer",
            "files_external_ipfs"
        ],
        "default_language": "de",
        "default_locale": "de_DE",
        "default_phone_region": "DE",
        "skeletondirectory": "\/srv\/dev-disk-by-label-DatenSSDraid1\/nextcloud-data\/first-login-default-folder",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "preview_max_x": 2160,
        "preview_max_y": 2160,
        "updater.release.channel": "stable",
        "theme": "",
        "logtimezone": "Europe\/Berlin",
        "loglevel": 0,
        "log_rotate_size": 104857600,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "defaultapp": "apporder",
        "share_folder": "\/empfangene-freigaben",
        "simpleSignUpLink.shown": false,
        "external_storage.auth_availability_delay": 60,
        "data-fingerprint": "a63363a29acd889a8719bb379d8daf96",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/cloud.weinbauer.heim-server.de",
        "knowledgebaseenabled": false
    }
}


Are you using external storage, if yes which one: local/smb/sftp/...
Local and SMB

Are you using encryption:
no

Are you using an external user-backend, if yes which one:
No

LDAP configuration (delete this part if not used)

LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

Logs

[core] Warning: Login failed: 'admin' (Remote IP: '84.136.144.184')

GET /apps/logreader/poll?lastReqId=b3xP7uieeO46ZPEoW97J
from 84.136.144.184 by admin at 2021-10-21T22:36:19+02:00

[index] Error: Exception: Argument 1 passed to OC\Core\Controller\WebAuthnController::finishAuthentication() must be of the type string, null given, called in /srv/dev-disk-by-label-DatenSSDraid1/websites/nextcloud/lib/private/AppFramework/Http/Dispatcher.php on line 218 at <<closure>>

0. /srv/dev-disk-by-label-DatenSSDraid1/websites/nextcloud/lib/private/AppFramework/App.php line 157
   OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\WebAuthnController {}, "finishAuthentication")
1. /srv/dev-disk-by-label-DatenSSDraid1/websites/nextcloud/lib/private/Route/Router.php line 302
   OC\AppFramework\App::main("OC\\Core\\Contr ... r", "finishAuthentication", OC\AppFramework\ ... {}, {_route: "core.W ... "})
2. /srv/dev-disk-by-label-DatenSSDraid1/websites/nextcloud/lib/base.php line 993
   OC\Route\Router->match("/login/webauthn/finish")
3. /srv/dev-disk-by-label-DatenSSDraid1/websites/nextcloud/index.php line 37
   OC::handleRequest()

POST /login/webauthn/finish
from 84.136.144.184 at 2021-10-21T22:33:16+02:00

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)


Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...
weinic added the "0. Needs triage" and "bug" labels on Oct 21, 2021
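As an added example (not code from the issue or from Nextcloud itself), the following Python scans a data/nextcloud.log for the two signals visible in this report: bursts of "Login failed" warnings per remote IP, and the finishAuthentication() "null given" TypeError that is logged when a WebAuthn login is abandoned. The JSON field names are those of nextcloud.log; the sample entries, the 3-attempt threshold and the 10-minute window are constructed for illustration and are not Nextcloud's own throttling settings.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message format quoted in the report: "Login failed: 'admin' (Remote IP: '84.136.144.184')"
LOGIN_FAILED_RE = re.compile(r"^Login failed: '([^']*)' \(Remote IP: '([^']+)'\)")
WEBAUTHN_NULL = "WebAuthnController::finishAuthentication() must be of the type string, null given"

def _entry(time, app, message, level=2, ip="84.136.144.184"):
    # One constructed nextcloud.log line; the real file holds one JSON object per line.
    return json.dumps({"reqId": "constructed", "level": level, "time": time,
                       "remoteAddr": ip, "user": "--", "app": app, "message": message})

# Constructed sample: three failures plus one abandoned WebAuthn login from one client, one failure from another.
FAILED_ADMIN = "Login failed: 'admin' (Remote IP: '84.136.144.184')"
SAMPLE_LOG = "\n".join([
    _entry("2021-10-21T22:30:01+02:00", "core", FAILED_ADMIN),
    _entry("2021-10-21T22:31:10+02:00", "core", FAILED_ADMIN),
    _entry("2021-10-21T22:33:16+02:00", "index",
           "Exception: Argument 1 passed to OC\\Core\\Controller\\" + WEBAUTHN_NULL, level=3),
    _entry("2021-10-21T22:34:40+02:00", "core", FAILED_ADMIN),
    _entry("2021-10-21T22:36:19+02:00", "core", "Login failed: 'bob' (Remote IP: '10.0.0.5')", ip="10.0.0.5"),
])

def parse_entries(raw):
    """Parse nextcloud.log text: one JSON object per non-empty line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def failed_login_bursts(entries, threshold=3, window=timedelta(minutes=10)):
    """{ip: sorted users} for IPs with >= threshold 'Login failed' warnings inside a sliding
    window. threshold and window are illustrative, not Nextcloud's own throttling settings."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs still inside the window
    flagged = {}
    for e in sorted(entries, key=lambda e: e.get("time", "")):
        m = LOGIN_FAILED_RE.match(e.get("message", ""))
        if e.get("app") != "core" or not m:
            continue
        ts, (user, ip) = datetime.fromisoformat(e["time"]), m.groups()
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = sorted({u for _, u in q})
    return flagged

def webauthn_type_errors(entries):
    """Count the TypeError the reporter hit when a WebAuthn (2FA) login was cancelled."""
    return sum(1 for e in entries if WEBAUTHN_NULL in e.get("message", ""))
```

Correlating a burst reported by `failed_login_bursts` with the moment app-token clients start receiving "User or password incorrect" is the quickest way to tell a lockout like the one described here from genuinely revoked tokens.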

weinic commented Oct 21, 2021

Nextcloud log (data/nextcloud.log)

[nextcloud.log.zip](https://github.com/nextcloud/server/files/7393011/nextcloud.log.zip)


weinic changed the title from "Abmeldung und keine Funktion der App Tokens bei nicht komplett durchgeführter 2FA" to "Logout and no function of the app tokens if 2FA is not completely executed" on Oct 22, 2021

ghost added the "stale" label (Ticket or PR with no recent activity) on Nov 21, 2021

weinic commented Nov 26, 2021

@acsfer
Could an error already be found here?
I have since updated to NC 21.0.5.

My guess is that this is related to the "Authentication without password (FIDO2)" feature.

ghost removed the "stale" label (Ticket or PR with no recent activity) on Nov 26, 2021
@solracsf
Member

Not sure if this helps here, but can you give it a try?
#29130


weinic commented Nov 26, 2021

How do I test this?
This means an NC update to at least 21.0.6.
Is that correct?

@solracsf
Member

Either you change the code manually on the mentioned files, or you wait for NC21.0.6 :)


weinic commented Nov 26, 2021

OK, thanks.

I'd rather leave changing the code ;) I don't know enough about it for that.

Then I'll do an update; I already have NC 21.0.7 available.


szaimen commented Jan 23, 2023

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+
