Fix password confirmation #1061

julien-nc · 2025-02-18T11:53:25Z

Replicate what's done in user_saml's user backend with the session: Set last-password-confirm in the session everytime the user ID is obtained in OCA\UserOIDC\User\Backend::getCurrentUserId()
Adjust auth token scope in login controller. Inspired by https://github.com/nextcloud/server/pull/43942/files#diff-b30a8c4cef5da5cede4d9038c16ede43e1746f85270e4249598fd305b0fa77deR173-R176
Bump min NC version to 28 to make sure we have OCP\Authentication\Token\IToken
Only do 2. if IToken::SCOPE_SKIP_PASSWORD_VALIDATION is defined (it was introduced in 30)

Maybe 1. is not necessary. Wdyt?

…whenever the user ID is obtained from the user backend Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

…TION to true to prevent password validation Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

waza-ari · 2025-02-18T11:59:06Z

Just for confirmation, SCOPE_SKIP_PASSWORD_VALIDATION is just a constant, nothing that needs to be changed from a user perspective, correct?

julien-nc · 2025-02-18T12:00:07Z

@waza-ari It is internal to the server. Nothing that the users or the admins should be aware of.

run cs:fix Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

blizzz

One thing to double check

blizzz · 2025-02-20T19:26:46Z

lib/Controller/LoginController.php

+			// prevent password confirmation
+			if (defined(IToken::class . '::SCOPE_SKIP_PASSWORD_VALIDATION')) {
+				$token = $this->authTokenProvider->getToken($this->session->getId());
+				$token->setScope([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]);


IIRC, if another scope was set, it needs to be taken over, this would replace it.

julien-nc added 2 commits February 18, 2025 12:19

fix(password-confirmation): set last-password-confirm in the session …

e252fda

…whenever the user ID is obtained from the user backend Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

fix(password-confirmation): set auth token SCOPE_SKIP_PASSWORD_VALIDA…

ba3e137

…TION to true to prevent password validation Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

julien-nc added bug Something isn't working 3. to review labels Feb 18, 2025

julien-nc requested review from blizzz and juliusknorr February 18, 2025 11:53

julien-nc mentioned this pull request Feb 18, 2025

[Bug]: Can not confirm my password for administrative actions when logged in via LDAP / SAML nextcloud/server#43612

Closed

8 tasks

julien-nc force-pushed the fix/noid/password-confirm branch from 34615e6 to b0b5588 Compare February 18, 2025 12:15

adjust test matrices, bump nextcloud/ocp to stable28, adjust stubs,

f1f7992

run cs:fix Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

julien-nc force-pushed the fix/noid/password-confirm branch from b0b5588 to f1f7992 Compare February 18, 2025 12:19

blizzz reviewed Feb 20, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix password confirmation #1061

Fix password confirmation #1061

julien-nc commented Feb 18, 2025

waza-ari commented Feb 18, 2025

julien-nc commented Feb 18, 2025

blizzz left a comment

blizzz Feb 20, 2025

Fix password confirmation #1061

Are you sure you want to change the base?

Fix password confirmation #1061

Conversation

julien-nc commented Feb 18, 2025

waza-ari commented Feb 18, 2025

julien-nc commented Feb 18, 2025

blizzz left a comment

Choose a reason for hiding this comment

blizzz Feb 20, 2025

Choose a reason for hiding this comment