[stable10] Missing oc_authtoken (session) for native clients #28879
Conversation
|
@phisch / @DeepDiver1975: Is it possible to move that session check to somwhere else? Was suprised when I saw session handling code in a method called "loadApps" ;-))) |
|
@IljaN cool, now I'm getting all the sessions logged back in the webUI 🎉 Revoking though, (using the 'Delete' button next to them) is still not working (i.e. clients using basic auth are still able to sync and keep their session - it spawns in the table on next client request). So #27845 might be deeper. Also I've noticed after removing a browser session (from a different one) and hitting: Server replies with 503. The rest of the endpoints is fine. No exception is raised in the logs. |
|
Described that one issue in #28881 as this one was only for the regression display. |
|
From my understanding from last time I looked at similar code, it seemed that there was a difference between basic auth and DAV authentication (still not sure where this is happening). If we consider that both are two different things, then the old commit from @DeepDiver1975 was correct as it was only validating the session if we're NOT dealing with DAV authentication, so The original issue though was that sessions did not appear in the list. Is there some piece of code inside of Now the other question would be whether it's really that bad to validate here additionally ? Another concern: since you reversed the condition, it is likely that now basic auth is not getting validated any more. Maybe the |
|
In my tests $davUser was always set using the sync client so go figure... Web interface does not go trough this codepath at all. I also had the idea to pull the token update out but the code is buried in a private tokenProvider object inside session... Yeah it would probably be the safest bet to always validate, basically reverting @DeepDiver1975 `s change. |
|
Oh look what i found: core/lib/private/User/Session.php Lines 438 to 448 in f8e2940 |
|
It is possible that "DAV auth" means "basic auth done on a Webdav endpoint" |
14af487 to
a0330c7
Compare
| $user = $this->userManager->get($this->uid); | ||
| $currentToken = $this->tokenProvider->getToken($this->session->getId()); | ||
|
|
||
| if ($currentToken->getId() == $id) { |
There was a problem hiding this comment.
|
If validating in all cases isn't causing any other side effects, then I'm fine with this. Needs to be retested at best will most authentication schemes:
|
|
Will figure out how to test most of these, not sure: @phisch, can you help? |
|
@IljaN get help from QA or @SamuAlfageme for testing these cases |
|
Some results after some quick checks:
About Shib, I'm not sure if the sessions ever appeared in this section (or they have a separate pane somewhere; kind of like it happens with OAuth) Here ya go with a normal SAML request if that can help out determining if something is missing: SAML-Authenticated
|
|
@SamuAlfageme for shib, try with shib and the latest OC version before the regression to find out whether it ever worked before. |
8f39c1d to
ed85adc
Compare
|
lots of failing integration tests, like "auth.access files app with basic auth" |
99d1df6 to
6ea527b
Compare
|
All tests should pass now 🤞 |
|
@SamuAlfageme All tests are green now, please retest. |
|
@davitol I can confirm that cadavre session is not displayed... investigating |
1967464 to
ac7057d
Compare
|
@davitol We figured out that cadaver does not support cookies thus doing basic auth on every request. This is why nothing is displayed in the sessions view because there is technically no session established. This would explain why Cyberduck is displayed (it probably supports cookies) After discussing with @DeepDiver1975 the expected behavior is that nothing is displayed for clients which do not support cookies. If we would "fix" that, we would have a entry for every request made by cadaver. As for the iOS issue I need to find someone with a iPhone to be able to debug this... PS: I will try to replicate the issue with Android |
@IljaN With Android it went fine for me
|
|
@IljaN the point is the way the iOS client is handling with the cookies. Some request are including authorization basic header but no cookies, therefore the server answers with a new cookie, and i guess that in this case a new row is included there. We will take care |
|
@jesmrec so can we merge this or will this require modifications of the PR code ? |
|
@PVince81 you can merge |
|
@jesmrec thanks. Now for a last CI battle then we can merge. |
Current token must be not null Generate auth token for http_basic_auth logins Cleanup
ac7057d to
de3597a
Compare
|
Rebased for CI, hopefully for higher timeout values |
|
codecov errors about the legacy app code, passing on this one 🙈 |
|
@IljaN please forward port to master |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Description
oc_authtoken was not created for clients which use basic auth. (Probably everything, except browser and some dav-clients)
Related Issue
fixes #27845
fixes #28553
fixes #28881
Motivation and Context
This bug was introduced with commit f1dc2d9 - "Validate session only if we are not in a basic auth request".
Looking at the commit message the intent is not quite clear to me because the dektop client and all the mobile clients use basic auth at the moment. As the issue is relatively old I assume that some technical circumstances changed or that the validateSesion method is badly named because basic auth is technically not a persistent session trough requests. With this assumption the intent of the commit makes sense.
How Has This Been Tested?
Manually
Types of changes
Checklist: