-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stop adding passwords to passwordless authtokens during updatePasswords()
#30895
Conversation
…rds()` Fixes nextcloud#30894 (at least, it is supposed to). Signed-off-by: Matt Marjanovic <maddog@mir.com>
64af3e2
to
1758dc3
Compare
I'm not entirely sure if we want passwordless tokens to remain passwordless. IIRC the idea once was that by injecting a password from another login these token upgrade to a full-fledged token that also works with external storage and friends. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix some bugs
/backport to stable24 |
/backport to stable23 |
/backport to stable22 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, @ChristophWurst is right, this might cause some issues in case some user is using the clients to access external resources
@mdoggydog Could you test if this PR also solves your issue? #33110 you will need to set the 'auth.storeCryptedPassword' option in your config.php to false
Yes, I see that now. Originally I was only considering that captured passwords were used for access to email services --- and did not see any reason for an authtoken for an app to need to facilitate email access. I didn't consider external storage.
I'm not sure that this will help, because this would prevent all authtokens from storing captured passwords ...which would prevent capturing passwords needed for access to external email accounts, right? As @ChristophWurst alluded to in #30894 (comment), the real problem here is likely other bugs in the authtoken managment; this PR and #33110 provide detours around those bugs, but don't actually fix them. (I still need to respond to his comments there.) For what it's worth, I do think being able to turn off password capture altogether is great. It is good to be able to ensure that capture will never happen unintentionally (if one knows the password-capture mechanism should never be needed on a particular NC instance). I will try to try out #33110 later this week; I need to think about a way to experiment without invalidating everyone's authtokens (which is incredibly annoying to everyone). |
Any news? :) If not, as there is no feedback since a while, I will close this ticket:see_no_evil: Thanks for the interest in Nextcloud and the effort put into this! 🙇 |
Closing this pull request due to lack of recent activity and updates. We appreciate your contribution and encourage you to reopen or provide further updates if necessary. |
Fixes #30894 (at least, it is supposed to).
Signed-off-by: Matt Marjanovic maddog@mir.com