Remember login option disappears with certain apps enabled #3858

Closed
kbabioch opened this issue Mar 16, 2017 · 7 comments
@kbabioch

According to this it is probably intentional, but the way it is implemented right now, it is hard to find out why this function disappears. I'm not sure about the security implications. To me it sounds wrong that installing an application changes / disables authentication, but in any case this should be something the administrator should be warned about.

Steps to reproduce

  1. Install and enable the "External storage support" app
  2. Log out
  3. Look at the login page

Expected behaviour

The Remember login option disappears.

Actual behaviour

Make it known to the administrator that this feature will be disabled when installing this application.

Server configuration

Nextcloud version: 11.0.2 (stable)

@MariusBluem
Member

MariusBluem commented Mar 16, 2017

It is already documented: https://docs.nextcloud.com/server/12/user_manual/webinterface.html#navigating-the-main-user-interface

I see your point, but can not imagine a good place to place this warning inside of apps management or the app itself 😁 Any ideas?

@kbabioch
Author

First of all: What exactly are the security implications here? Why is it not possible to remember the login when using external storage? Can this be worked around with two-factor auth and app-specific passwords?

Regarding the warning: How about a warning dialog popup whenever enabling such an app?

@MariusBluem
Member

MariusBluem commented Mar 16, 2017

> First of all: What exactly are the security implications here? Why is it not possible to remember the login when using external storage? Can this be worked around with two-factor auth and app-specific passwords?

files_external may need your credentials for auth against the storages (Google Drive, ...). See owncloud/core#13335

encryption needs your credentials for decrypting the files.

> Regarding the warning: How about a warning dialog popup whenever enabling such an app?

Fair enough 😁 What do you think? @nickvergessen @schiessle

@kbabioch
Author

Ok, thank you for the explanation. As a suggestion (for future versions):

Can't these problems be worked around with some sort of a "credential store"? Credentials could be stored in the database (or wherever) in an encrypted way, with an authorization key in the remember cookie or something like that.

From a system point of view it sounds stupid to me that I have to disable the Remember login options for all users, just because a few of them might use external storage. I think it can be designed more flexibly without making it less secure.
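
The credential-store idea from the comment above, sketched as an added example (not from the thread and not Nextcloud's implementation): the remember cookie carries a random token, and the server stores only ciphertext plus a lookup id derived from that token. The `$db` array, the function names and the 15-day lifetime are assumptions made for illustration.

```php
<?php
// Added sketch, not Nextcloud code. $db stands in for a database table
// (hypothetical); all function names are illustrative.

/** Split the cookie token into a DB lookup id and an encryption key. */
function deriveFromToken(string $token): array {
    return [
        bin2hex(hash_hkdf('sha256', $token, 32, 'remember-lookup')),
        hash_hkdf('sha256', $token, SODIUM_CRYPTO_SECRETBOX_KEYBYTES, 'remember-encrypt'),
    ];
}

/** At password login: store the encrypted credential, return the cookie value. */
function rememberCredential(array &$db, string $uid, string $password): string {
    $token = random_bytes(32);                 // lives only in the cookie
    [$lookup, $key] = deriveFromToken($token);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $db[$lookup] = [
        'uid'     => $uid,
        'expires' => time() + 15 * 86400,      // assumed lifetime
        'blob'    => $nonce . sodium_crypto_secretbox($password, $nonce, $key),
    ];
    sodium_memzero($key);                      // key is never stored server-side
    return bin2hex($token);
}

/** On a remembered visit: return [uid, password], or null if invalid or expired. */
function recallCredential(array &$db, string $cookie): ?array {
    if (strlen($cookie) !== 64 || !ctype_xdigit($cookie)) {
        return null;
    }
    [$lookup, $key] = deriveFromToken(hex2bin($cookie));
    $row = $db[$lookup] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($db[$lookup]);                   // drop expired rows
        return null;
    }
    $nonce = substr($row['blob'], 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(
        substr($row['blob'], SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : [$row['uid'], $plain];
}

// Constructed demo values.
$db = [];
$cookie = rememberCredential($db, 'alice', 'storage-password');
var_dump(recallCredential($db, $cookie));               // cookie issued above
var_dump(recallCredential($db, str_repeat('0', 64)));   // token the server never issued
```

A database dump alone does not reveal the stored password, but anyone holding the cookie can recover it, so the cookie needs the same protection as a session cookie and deleting the row revokes it.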

@MariusBluem
Member

> Can't these problems be worked around with some sort of a "credential store"? Credentials could be stored in the database (or wherever) in an encrypted way, with an authorization key in the remember cookie or something like that.

Already possible.

...but the session-saved credentials are another option (I think we are not planning to remove 😅)

> From a system point of view it sounds stupid to me that I have to disable the Remember login options for all users, just because a few of them might use external storage. I think it can be designed more flexibly without making it less secure.

The problem is that we cannot distinguish on the login page already who is a user of this files_external functionality. However ... encryption makes it impossible to remember-me I think 😬

@nickvergessen
Member

I think with #2044 remember me + external storage shouldn't be a problem. But maybe @ChristophWurst knows more.

@ChristophWurst
Member

@nickvergessen right, this limitation will be gone with NC12 :)
