saber-notes/saber

Nextcloud Login not possible if app token username contains uppercase letter

Closed this issue · 8 comments

Before submitting an issue, please check the following

  • I have searched for similar issues (both open and closed) and cannot find a duplicate
  • I agree to follow the Code of Conduct

Describe the bug

Just tried to connect to my private NC instance but the login just shows "Log in failed, please check your details and network connection".
Checking the Nextcloud logs, I noticed the following entry:

{
  "reqId": "REDACTED",
  "level": 3,
  "time": "2024-03-28T18:07:27+00:00",
  "remoteAddr": REDACTED,
  "user": "--",
  "app": "core",
  "method": "MKCOL",
  "url": "/remote.php/webdav/Saber",
  "message": "App token login name does not match",
  "userAgent": "Dart/3.3 (dart:io)",
  "version": "28.0.3.2",
  "data": {
    "tokenLoginName": "Jannik",
    "sessionLoginName": "jannik",
    "app": "core",
    "user": "jannik"
  },
  "id": "REDACTED"
}

Apparently Nextcloud uses case-sensitive app token login names...
It seems like Dart converts the username to lowercase on login.

To be sure, I created a new user with only lowercase characters and there the login worked flawlessly.
I also created another user with a lowercase username but an identical display name, where the first letter is uppercase.
This causes the app token generation for this user to use the display name and leads to an uppercase letter in the credential.

Nonetheless, it is possible to use uppercase letters in usernames as well, so those users also generate uppercase app token login names naturally.
So I would suggest to somehow avoid lowercase conversion of the username, or ask the user if he is using an app token, as this problem seems to only appear on app token based logins.

To reproduce

  1. Create an NC user with an uppercase letter
  2. Create an app token for this user
  3. Try to log in to the app with the app token

Expected behavior

I should be able to log in.

Saber version

0.21.2 GooglePlay (21020)

Device

  • Device: ONYX BOOX Tab Ultra
  • OS: Android

Anything else?

No response

Thank you for the investigation. I don't see anything in Saber that could cause this.
@provokateurin Are you able to find anything?

I am able to log in to my own Nextcloud server with username "SaberTest" and App token.

Hmmm, weird... What information would be useful to triangulate this further? Are you aware of a setting / flag in Nextcloud to handle case sensitivity that might be relevant to this? I haven't been successful in finding anything in that matter on my end.

I am able to log in to my own Nextcloud server with username "SaberTest" and App token.

Once I am back at home (presumably Monday) I will cross test this on my NC, although important to note: other apps have been able to use the same credentials (App token username and App token) without issue. 🤔

@adil192 Off the top of my head, I don't know any place that would convert the login name in some way. It is passed directly to the authentication. I'd suggest you try to reproduce this problem and set a breakpoint or a print where the login name is passed to the client to check if Saber or the client is the problem.

Edit: I didn't read all the comments and overlooked that you already tried to reproduce it and it didn't work.

I got some info that I will post here in a moment. I need to clean up first ;)

Alright... I have finally got it to work for me but I wanted to analyze it further:

Here is a table of what combinations of usernames, display names and app tokens I have tried and how they behaved:

[Image: saber_hunt]

It seems that the culprit in my case was a combination of how the app token is generated and how the login process initiates the user context. In detail:

  • the native Nextcloud login accepts any case variation of the username and maps it to an existing user, but retains the username used to log in in a case-sensitive state
  • when generating an app token, it will create "new" credentials based on the login username and the generated password
  • as far as I can see, during the login process with an app token, the login session itself identifies as the username as it is recorded in the Nextcloud user db, not the app token name

Again, I have no idea if this is a problem within the Dart implementation of the Nextcloud client or if it is a server-side "unexpected behaviour". I am still able to use those "invalid credentials" to log in to my WebDAV. It may also be the case that there are different login flows when using the native or WebDAV authentication. 🤔
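
Added example, not part of the original thread and not Saber or Nextcloud code: a triage script that scans JSON log lines for the "App token login name does not match" message quoted in the report and separates case-only mismatches (the situation in this thread) from login names that differ beyond case. The field names follow the log entry shown in the issue; the sample lines and the function names `classify` and `scan` are constructed for illustration.

```python
import json

# Message text taken from the log entry quoted in the issue.
MESSAGE = "App token login name does not match"

# Constructed sample lines modelled on that entry; all values are made up.
SAMPLE_LOG = "\n".join([
    '{"level":3,"app":"core","method":"MKCOL","url":"/remote.php/webdav/Saber",'
    '"message":"App token login name does not match","userAgent":"Dart/3.3 (dart:io)",'
    '"data":{"tokenLoginName":"Jannik","sessionLoginName":"jannik","user":"jannik"}}',
    '{"level":3,"app":"core","method":"PROPFIND","url":"/remote.php/webdav/",'
    '"message":"App token login name does not match",'
    '"data":{"tokenLoginName":"alice","sessionLoginName":"bob","user":"bob"}}',
    '{"level":1,"app":"core","message":"Login successful","data":{"user":"carol"}}',
    'truncated or non-JSON line',
    '{"level":3,"message":"App token login name does not match","data":"n/a"}',
])


def classify(line):
    """Return a finding dict for a login-name mismatch entry, else None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict) or entry.get("message") != MESSAGE:
        return None
    data = entry.get("data")
    if not isinstance(data, dict):
        return None
    token, session = data.get("tokenLoginName"), data.get("sessionLoginName")
    if not isinstance(token, str) or not isinstance(session, str):
        return None
    # casefold() compares case-insensitively, including non-ASCII letters.
    if token.casefold() == session.casefold():
        kind = "case-only"      # names equal when case is ignored, as in this thread
    else:
        kind = "different"      # names differ beyond case; review separately
    return {"kind": kind, "token": token, "session": session,
            "method": entry.get("method"), "url": entry.get("url")}


def scan(log_text):
    """Classify every line of a JSON-lines log and keep the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
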

That really sounds like a bug in the server code and nothing the client is doing wrong. Could you report it in the server please?

Alright, I will cross-post it in nextcloud/server ✌️