Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle LoginException when authenticating with Apache #910

Merged
merged 2 commits into from
Dec 3, 2024
Merged

Handle LoginException when authenticating with Apache #910

merged 2 commits into from
Dec 3, 2024

Conversation

danxuliu
Copy link
Member

#549 might be fixed by this, although I am not sure if the problem can happen too when using SAML 2.0 or only when authenticating via environment variable (this pull request only fixes it when authenticating via environment variable).

handleApacheAuth() can throw a LoginException when trying to authenticate as a disabled user (and it has done it since Nextcloud 23.0.0, 22.2.1, 21.0.6 and 20.0.14). This needs to be explicitly handled to redirect to an error page, as otherwise the login page will try to be loaded which, in turn, will try to authenticate again and cause an endless loop.

How to test

  • Setup authentication via environment variable
  • In a private browser window, login with a user (to ensure that it will appear in Nextcloud user list)
  • Close the private window
  • Disable the user that just logged in
  • In another private browser window, login again as the disabled user

Result with this pull request

An error page with Account disabled is shown

Result without this pull request

Infinite loop of redirections

@danxuliu
Handle LoginException when authenticating with Apache
9dedd93 
"handleApacheAuth()" can throw a LoginException when trying to
authenticate as a disabled user. This needs to be explicitly handled to
redirect to an error page, as otherwise the login page will try to be
loaded which, in turn, will try to authenticate again and cause an
endless loop.

Signed-off-by: Daniel Calviño Sánchez <[email protected]>
@danxuliu danxuliu requested a review from blizzz November 26, 2024 19:36
blizzz
blizzz reviewed Nov 27, 2024
View reviewed changes
appinfo/app.php
@@ -4,6 +4,7 @@
* SPDX-License-Identifier: AGPL-3.0-or-later
*/

use OC\User\LoginException;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there should be a fitting Exception or interface in the OCP space, no?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The exception thrown is OC\User\LoginException, which directly inherits from \Exception, and is not wrapped and converted to any other exception in handleApacheAuth() 🤷

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sheesh 😨

@blizzz blizzz merged commit f59e79c into master Dec 3, 2024
48 checks passed
@blizzz blizzz deleted the handle-loginexception-when-authenticating-with-apache branch December 3, 2024 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blizzz blizzz blizzz approved these changes

Assignees
No one assigned
Labels
2. developing bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@danxuliu @blizzz