Notify clients their app password is OK but password is outdated
With https://github.com/nextcloud/server/issues/11390 merged we should think of a way to notify clients so they can act accordingly if their app password is still valid but the password that it stores is not.
CC: @ChristophWurst
GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/7619 (Notify when password isn't complex enough), https://github.com/nextcloud/server/issues/8117 (No password confirmation for clients (and bearer?)), https://github.com/nextcloud/server/issues/9774 (Changing master password invalidates all client passwords: Add hint), https://github.com/nextcloud/server/issues/8785 (Password expiration), and https://github.com/nextcloud/server/issues/5032 (Changelog outdated).
May I ask why you want to do that? The token is still valid, so the application will still work. The user should know that the password has been changed. Either they changed it themselves (locally or externally (LDAP)) or it got changed by an admin. Either way they will run into a login issue when accessing a system that authenticates with username and password.
What advantage does a notification have for a user?
Other than the notification itself, I mean. The user can't act on it anyway. Either the user knows the new password or not.
Or am I missing something?
@tessus it is not about a Nextcloud notification. But more about sending a special header with the 403. So that clients know they are locked out because the password that is held by their apptoken is outdated.
@rullzer I don't understand. If a client uses a token, it can still connect and should work as normal. This was the entire point of keeping tokens valid when changing the password, was it not? So why would they be locked out?
Because their password changed. If you use LDAP this does :boom: because we do not get notified of the password change.
And we need to have a proper password due to all the integrations we offer.
I am closing this due to inactivity and just one upvote. Please reopen if it should still be valid.