App password invalidated if IMAP auth server not accessible #12703
@ChristophWurst I still see this problem on a Nextcloud 14.0.4 installation. Every time there seems to be a hiccup with the IMAP server, all the app passwords are lost. This is especially bad, as the Nextcloud client retries to auth with the lost app password, where Nextcloud then tries to re-auth at the IMAP server, which might eventually get you locked out because of too many wrong login attempts.
On second thought, I'm wondering if it shouldn't be the IMAP user back-end that can store known users and handle these cases properly with an exception that makes the instance inaccessible in general as long as the user back-end is unavailable. If the user back-end tells Nextcloud "this password is wrong" then Nextcloud will do its "wrong password" procedure. @duritong could you open a ticket for this in the IMAP user back-end repo? Thanks ✌️
Thank you!
@ChristophWurst but for me the question remains: Why are app passwords failing if the auth backend is failing? And why are they lost? What I understand from the previous issues and the changes that were now done to NC 14 (e.g. #9485) is that they should not be directly connected anymore. Maybe I misunderstand app passwords, but for me these are just like API tokens, so that I don't need to put real credentials into my client, as NC won't need to auth at the backend to validate the session for the client using such an app password.
The problem is that many integrations of Nextcloud assume they have access to the login password (e.g. external storage, automatic email account setup) and therefore we encrypt it in the app password for later use. To verify that it's still valid, regular password checks against the user back-end are performed.
I just checked with @rullzer and with 14 we added public key tokens. This means on password change, other tokens are updated automatically and you don't have to re-generate tokens. For 15 the possibility for app tokens to be marked as invalid (password check failed) was added, making it possible to keep the tokens alive until the next web login which eventually sets the new password. This should fix the issue for you. Could you please retry with Nextcloud 15? Sorry for the confusion.
The automatically closed issue #8958 is unsolved. Please reopen.
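
The distinction discussed in this thread, as an added Python sketch that is not Nextcloud code and not part of any comment above: a rejected password flags the app token instead of deleting it, and an unreachable user back-end leaves the token untouched. All names (`AppToken`, `validate`, `web_login`, `BackendUnavailable`, `Result`) are hypothetical, and skipping the check for an already flagged token is an assumption made here to avoid repeated failed logins against the back-end.

```python
from dataclasses import dataclass
from enum import Enum


class BackendUnavailable(Exception):
    """Hypothetical: the user back-end (e.g. an IMAP server) is unreachable."""


class Result(Enum):
    OK = "ok"                      # back-end confirmed the stored password
    RETRY_LATER = "retry"          # back-end down: refuse for now, token untouched
    PASSWORD_INVALID = "invalid"   # back-end rejected the stored password


@dataclass
class AppToken:
    login_password: str             # stands in for the password encrypted in the token
    password_invalid: bool = False  # set once the back-end has rejected it


def validate(token, check_password):
    """Periodic password check for an app token.

    check_password(password) returns True/False or raises BackendUnavailable.
    The token is never deleted here: an outage changes no state, and a
    rejected password only flags the token until the next web login.
    """
    if token.password_invalid:
        # Assumption: do not replay a known-bad password, since repeated
        # failures can lock the account on the back-end.
        return Result.PASSWORD_INVALID
    try:
        accepted = check_password(token.login_password)
    except BackendUnavailable:
        return Result.RETRY_LATER
    if not accepted:
        token.password_invalid = True
        return Result.PASSWORD_INVALID
    return Result.OK


def web_login(token, new_password):
    """A successful web login stores the new password and clears the flag."""
    token.login_password = new_password
    token.password_invalid = False
```
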