-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Skip session validation during app load (Fixes #20756) #20757
Conversation
Adds parameter to User\Session:getUser() to skip validation, and modifies OC_App::getEnabledApps() to use this parameter to skip session validation when loading apps. Signed-off-by: Scott Shambarger <devel@shambarger.net>
Thank you very much for looking into that issue 👍 Make sense to me. I'm not sure about the patch yet. A flag to skip the session validation at a certain stage seems a workaround. As you already pointed out that's an issue with the app loading order.
That means for loading I think we should introduce a dedicated method to load the authentication apps. Added a small POC but needs more work and testing. POC
|
Aha, so groups don't apply to authentication apps? That's valuable info... does it apply to prelogin apps too? (as that's the stage when users were logged out in this case :) I had considered modifying loadApps() to call getEnabledApps() with $all = true for certain app-types, but I didn't know it would be correct logic... if prelogin and authentication app lists can ignore the user, then this would work and be an easy solution (a simple in_array check). (session apps aren't an issue as the user_id isn't available yet, but I think it'd be harmless to add them to the list) If that's the case, I'd be happy to update the patch... |
server/lib/private/App/AppManager.php Lines 56 to 66 in caff102
Yep.
Let's wait for @rullzer and @ChristophWurst ;) The current patch is a rather small change. It's probably easier to get this in now and still do a bigger refactoring later. I think there is already something planed to improve app loading for Nextcloud 20. |
The updated patch probably wouldn't be very large, a new AppManager method (hasNoProtectedAppTypes?), and use that to set the $all flag to getEnabledApps() |
Out of curiosity: Are you still able to reproduce the issue if you remove |
Sounds fair but the loadApps method is already complex 💩 😃 |
No, the app type isn't the problem (although I agree it's probably unneeded, as it's also an authentication type). The bug is that getUser() is called even before the app-list is fetched in getEnabledApps... and since the DB backend is already loaded, it recognizes the user_id, fails the password check, and invalidates the session. An alternative solution I considered (but seemed much more invasive), was to add the DB user backend in OC_User::setupBackends(), but that means it's added much later than currently, and might break some code that depends on it. |
I was just wondering why user_ldap or user_saml are not affected. Such an interesting problem 🐛 Thanks again for digging 👍 |
Actually, the other apps aren't affected as they use user_id's that are unique, and not likely to be in the database (eg, user_ldap may have a user_id like '3bb4681e-1ed6-103a-9648-7dc9709f72ae', which would be unlikely to overlap with a db user like 'admin'). user_external uses user_id's that match the supplied login, which is likely to overlap with database users... I suppose it could updated to use a "unique" user_id, but it'd create a tricky migration and would likely break a lot of installs. Still, the underlying logic problem would still exist in the app loading code, where user sessions are validated long before the apps are setup to correctly handle it. |
If the user backend is not loaded yet
Yep (but only for apps using a "outdated" way to register their backend). |
Well that is then the issue. If you have users that are also in the main backend then it should log them out. Or you delete them form the main DB auth. But this not validating seems dangerous. I really don't wanna mess with the session handling so close to a release. |
Logging people out when they have a valid login just leads to people thinking nextcloud is broken... and a since there's no logging of why, much confusion (it's not easy to track this problem down, believe me :) Validating still always happens, just not as early (before supporting apps are loaded)... getUser called everywhere except during the app loading will force a validation (which only happens every 5 mins anyway), and is called many times on any page load. |
Would you suggest deleting the admin user? Seems like a very dangerous thing to do... |
Actually, I just gave it a try on my test system.. deleting admin from the database works, and I can still login as admin via user_external. So perhaps that's the workaround for the user_external app until app loading can work without early session invalidation... of course, there's no "backup" login if user_external is every disabled... hmm... I still like the idea of having getEnableApps() only use getUser() when there's a non-protected app type being loaded... that seems right logically. |
I would even argue that maybe admin is not the best to have as an username ;) Don't get me wrong we should fix this probably at some point. But just right now I don't wanna touch this so close to 19. |
I don't know how your release process works, so I 'm not qualified to comment on this. But please be aware that #20756 is extremely annoying to big user bases authenticated via IMAP. |
Sounds good, if the release is imminent I can understand not wanting to risk any regressions :) Unless you think it's a terrible idea, I'll update the patch to create a new "all protected app-types" test to determine if getEnableApps should get the $all=true parameter -- that should always be correct, fixes the problem, and also eliminates any change in user validation. It might even be more efficient. |
) Adds a new AppManager method which identifies when all app types are protected, loads all apps (without checking user filters). This has the intended benefit of avoiding calls to User\Session:getUser() for these app types, and likely invalidating the session before user backends are loaded. Signed-off-by: Scott Shambarger <devel@shambarger.net>
OK, I've reverted the session invalidation deferral patch, and replaced it with code to request getEnableApps load all apps when only protected app types are being loaded. This has the intended benefit of avoiding calls to User\Session:getUser() for these app types. Patch is an alternative, and just as effective, fix to 20756. Please let me know if you'd like me to squish the original patch (I figured for now I'd leave it for reference). |
Don't check if the app is enabled for a user for protected apps 👍 But I still think the user_external app should also be fixed:
After that we should deprecate usage of |
This comment has been minimized.
This comment has been minimized.
I agree that user_external should be fixed. I suggested using unique userids in user_external to prevent db users from failing validation duing prelogin... but that fix would involve a significant migration step. Wouldn't overlapping userids still be an issue even if the external_user_backends change was made? Of course, redesigning user_external registration is really a topic that should be discussed with the user_external maintainer (which I'm not :), I was just suggesting a fix to the nextcloud app-reg-flow that would affect any authentication app that had overlapping userids with db users. |
Hey @sshambar It seems you're right, the approach was interesting, but ultimately we need a wider refactor of the user_external registration. Closing then, I hope we can tackle this in a different way in a near future 💪 Thanks for the PR and the discussions @sshambar |
Adds parameter to User\Session:getUser() to skip validation, and
modifies OC_App::getEnabledApps() to use this parameter to skip
session validation when loading apps.
see #20756 for a detailed explanation
Signed-off-by: Scott Shambarger devel@shambarger.net
fixes #20756
fixes nextcloud/user_external#101
fixes nextcloud/user_external#70
fixes nextcloud/user_external#3