
[Bug]: preLogin hook is not called when user uses passwordless login with WebAuthn Device

Open HomeITAdmin opened this issue 3 years ago • 3 comments

⚠️ This issue respects the following points: ⚠️

  • [X] This is a bug, not a question or a configuration/webserver/proxy issue.
  • [X] This issue is not already reported on Github (I've searched it).
  • [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

When the user is logging in without a password by using a WebAuthn device, the preLogin hook is not called, circumventing apps that use the hook to react to the login. I did not test it, but maybe other login-related hooks like postLogin are also not called.

Steps to reproduce

  1. Register the preLogin hook and add a logging statement for when it is called.
  2. Log in with password -> You see in the logs that it is called
  3. Log in without password -> Nothing in the logs

Expected behavior

Independent of the login method, the preLogin hook is always called before the login proceeds.

Installation method

Community Docker image

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache

Database engine version

SQLite

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • [X] Default user-backend (database)
  • [ ] LDAP/ Active Directory
  • [ ] SSO - SAML
  • [ ] Other

Configuration report

No response

List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - bruteforcesettings: 2.4.0
  - circles: 24.0.1
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - geoblocker: 0.5.7
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - notifications: 2.12.1
  - oauth2: 1.12.0
  - password_policy: 1.14.0
  - photos: 1.6.0
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor_backupcodes: 1.13.0
  - updatenotification: 1.14.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - twofactor_webauthn: 0.3.3
  - user_ldap

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

HomeITAdmin, Dec 23 '22 22:12

Which nc version?

szaimen, Dec 24 '22 09:12

I reproduced it with 24.0.8 and 25.0.2.

HomeITAdmin, Dec 24 '22 11:12

Can also reproduce with 25.0.2

j-lakeman, Dec 25 '22 12:12

Reproduced with Nextcloud Hub 5 (27.0.2) as well.

j-lakeman, Aug 26 '23 05:08

I can confirm your finding.

Login chain for username/password: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Login/Chain.php

Login chain for passwordless: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Login/WebAuthnChain.php

The PreLoginHookCommand is missing from the passwordless chain, and therefore the hook is not emitted.

However, just adding the PreLoginHookCommand is probably not a suitable solution either because the listeners could expect a password which we don't have.

At best, we could emit a typed event here and signal whether that's a passwordless login or not.

kesselb, Jul 04 '24 10:07

I see that it is not perfect, but at least the word "passwordless" would fit an empty password ;-) On the other hand, I also think everybody would expect a "PreLogin" hook to always be called, independent of the login method. I guess this interface was designed when there was no passwordless login method. I do not have an overview of the overall design, but keeping this interface and going with an empty password could be a compromise. Otherwise, are we talking about a new hook or a breaking change to the "PreLogin" hook?

HomeITAdmin, Jul 04 '24 16:07
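As an added example (not code from the Nextcloud project or from anyone in this thread), this is the logging listener from step 1 of the reproduction, written against the typed `OCP\User\Events\BeforeUserLoggedInEvent` instead of the legacy `\OC\User::preLogin` hook, and written so that it tolerates an empty or missing password as discussed in the last comment. It assumes the typed event is dispatched from the same pre-login path as the legacy hook; the app id `loginaudit` and the class names are placeholders.

```php
<?php
// Added example, not Nextcloud project code. App id "loginaudit" and the
// namespace/class names are placeholders; the OCP interfaces are real.
declare(strict_types=1);

namespace OCA\LoginAudit\Listener;

use OCP\EventDispatcher\Event;
use OCP\EventDispatcher\IEventListener;
use OCP\User\Events\BeforeUserLoggedInEvent;
use Psr\Log\LoggerInterface;

/**
 * Logs every pre-login event so an admin can see which login methods
 * actually reach the hook. Register it from the app's Application class:
 *   $context->registerEventListener(BeforeUserLoggedInEvent::class, PreLoginListener::class);
 *
 * @template-implements IEventListener<BeforeUserLoggedInEvent>
 */
class PreLoginListener implements IEventListener {
	public function __construct(private LoggerInterface $logger) {
	}

	public function handle(Event $event): void {
		if (!($event instanceof BeforeUserLoggedInEvent)) {
			return;
		}

		// Never write the password itself to the log; record only whether one
		// was supplied. A passwordless (WebAuthn) login, if it ever reached this
		// hook, would arrive with an empty or null password.
		$password = $event->getPassword();
		$method = ($password === null || $password === '')
			? 'passwordless-or-empty'
			: 'password';

		$this->logger->info('pre-login attempt', [
			'app' => 'loginaudit',
			'uid' => $event->getUsername(),
			'method' => $method,
		]);
	}
}
```

With the bug present, a username/password login produces the log line and a WebAuthn login produces nothing, which is the observable check behind the reproduction steps above.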