
NextCloud 14.0 Upgrade to Beta Account Lockout #11234

Closed
goldstar611 opened this issue Sep 15, 2018 · 8 comments
goldstar611 commented Sep 15, 2018

Steps to reproduce

  1. Install and set up Nextcloud 13 series using a weak password that is less than 8 characters long
  2. Change update settings to Beta so NextCloud 14.0.0 can be received
  3. Update to 14.0.0
  4. Try to change some setting that requires your password (like adding a new app)
  5. Notice that your password is not accepted with no indication as to what is wrong
  6. Log out
  7. Try to log in with the weak password and receive error message that password must be at least 8 characters long
  8. Send me a T-Shirt! :)

Expected behaviour

NextCloud 14.0 should refuse to install if any account with weak password is found
OR
NextCloud 14.0 should adapt its password restriction if updating to allow weak passwords
OR
NextCloud should somehow allow the user to update their password upon next login if the following conditions are met

  • NextCloud 14.0 was installed via upgrade
  • User already had weak password
  • Current password is weak

Actual behaviour

Account is locked out with no way to fix the issue except log onto server and use occ (Even the admin account gets locked out)

Server configuration

Operating system:
Ubuntu 18.0.4

Web server:
Apache2

Database:
SQLite3

PHP version:
7.2

Nextcloud version: (see Nextcloud admin page)
14.0

Updated from an older Nextcloud/ownCloud or fresh install:
Update

Where did you install Nextcloud from:
Built in settings page

Signing status:


List of activated apps:

App list
Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - dav: 1.6.0
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - nextcloud_announcements: 1.3.0
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.1
  - updatenotification: 1.4.1
  - workflowengine: 1.4.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_external
  - user_ldap

Nextcloud configuration:

Config report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "http:\/\/localhost\/nextcloud",
        "dbtype": "sqlite3",
        "version": "14.0.0.19",
        "installed": true,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "beta"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
No

Are you using encryption: yes/no
No

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
No

Client configuration

Browser:
Firefox

Operating system:
Ubuntu 18.04

Logs

ncupgrade.txt

@goldstar611 (Author)

I reset my password to something that is 8 characters using occ and checked the integrity status:

No errors have been found.

@goldstar611 goldstar611 changed the title NextCloud 14.0 Beta Account Lockout NextCloud 14.0 Upgrade to Beta Account Lockout Sep 15, 2018
@nextcloud-bot (Member)

GitMate.io thinks possibly related issues are #5599 (Contacts duplicate after upgrade to Nextcloud 12.0), #5597 (Nextcloud gets very slow since upgrade to 12.0.0), #9911 (Nextcloud upgrade to 13.0.4 Failed), #4908 (Problem upgrading NextCloud), and #11199 (Nextcloud 14 Upgrade exception).

@MorrisJobke (Member)

Notice that your password is not accepted with no indication as to what is wrong

mmmmh. I should only check on setting the password - not during verification of an existing password. The described scenario works over here 🙈
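The distinction in the previous comment (enforce the policy when a password is set, not when an existing one is verified) and the reporter's third expected behaviour (let the user fix a weak legacy password on next login) as an added, self-contained Python model; it is not Nextcloud or password_policy code, and the account store, the MIN_PASSWORD_LENGTH constant and the must_change_password flag are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MIN_PASSWORD_LENGTH = 8  # the limit the reporter ran into (assumed policy value)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    must_change_password: bool = False  # assumed flag for "fix on next login"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_policy(password: str) -> Optional[str]:
    """Policy gate: returns a rejection message, or None if the password passes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password must be at least {MIN_PASSWORD_LENGTH} characters"
    return None


def create_legacy_account(name: str, password: str) -> Account:
    """Account created before the policy existed (constructed sample): no check."""
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt))


def set_password(acct: Account, new_password: str) -> Optional[str]:
    """The only place the policy belongs: when a password is being set."""
    err = check_policy(new_password)
    if err:
        return err
    acct.salt = os.urandom(16)
    acct.digest = _hash(new_password, acct.salt)
    acct.must_change_password = False
    return None


def login_lockout(acct: Account, password: str) -> Optional[str]:
    """The behaviour reported: policy applied while verifying, so a correct
    legacy password is bounced and the user is locked out."""
    err = check_policy(password)
    if err:
        return err
    return None if hmac.compare_digest(_hash(password, acct.salt), acct.digest) else "invalid credentials"


def login(acct: Account, password: str) -> Optional[str]:
    """Verification only compares hashes; a weak legacy password is flagged
    for change (the plaintext is available only here), never refused."""
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        return "invalid credentials"
    if check_policy(password) is not None:
        acct.must_change_password = True
    return None
```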

@ChristophWurst (Member)

I actually ran into this once when I tried to reproduce #11114 on one of the different setups, but I can't recall which one it was.
On my dev setup, I almost always use simple, weak passwords and I've never seen that.

@ChristophWurst (Member)

I should have tried to debug the problem right away …

Anyway, reverse engineering the problem is also not really giving any more clue. The app apparently listens to this event: https://github.com/nextcloud/password_policy/blob/61480a93245b538ed029571a3330f69176966392/lib/AppInfo/Application.php#L45

But the server doesn't really emit that on login according to https://github.com/nextcloud/server/search?q=OCP%5CPasswordPolicy%3A%3Avalidate&unscoped_q=OCP%5CPasswordPolicy%3A%3Avalidate.

@ChristophWurst (Member)

password_policy

Does disabling the app solve the problem? Do you have access to the command line to run occ app:disable password_policy?

@kesselb (Contributor)

kesselb commented Sep 28, 2018

Looks similar to: #11097 - maybe there is more information for debugging.

@ChristophWurst (Member)

Yes, @danielkesselberg, this is indeed a duplicate then. Thanks!

Let's continue there.
