Always need to re-login on sync clients

tuaris · October 1, 2023, 6:34pm

Nextcloud version (eg, 20.0.5): 27.0.0
Operating system and version (eg, Ubuntu 20.04): 13.2-RELEASE-p3
Apache or nginx version (eg, Apache 2.4.25): 2.4.57
PHP version (eg, 7.4): 8.1.20

The issue you are facing:

I am being signed out of Nextcloud automatically approximately every 12 - 48 hours. I have been unable to determine what is causing that.

On my Windows desktop, I noticed the icon change, then I have to manually log in again. The session appears to be cached since I am not prompted for a password.

On my Android device, I need to re-enter the URL, and re-enter my username and password.

The only recent change was upgrading to version 27.0.0

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

Update to 27.0.0
Log into devices
Wait a day or two, notice you have been logged out

Logs shows a lot of failed logins coming from my devices. It’s almost as if the clients themselves are “forgetting” the credentials.

The output of your Nextcloud log in Admin > Logging:

Info	no app in context	IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: 192.168.0.85]	
2023-10-01T13:19:44-0400
Info	core	Bruteforce attempt from "192.168.0.85" detected for action "login".	
2023-10-01T13:19:43-0400
Warning	core	Login failed: 'daniel' (Remote IP: '192.168.0.85')	
2023-10-01T13:19:43-0400

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxxxxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxxxxx',
  'datadirectory' => '/media/cloud/data',
  'dbtype' => 'mysql',
  'version' => '27.0.0.8',
  'dbname' => 'nextcloud',
  'dbhost' => 'mysql.xxxxxxxxxxxxx.tld',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxxxxxxxxxxxxxxxxx',
  'installed' => true,
  'forcessl' => true,
  'theme' => '',
  'maintenance' => false,
  'trusted_domains' => 
  array (
    0 => 'cloud.xxxxxxxxxxxxxxx.tld',
  ),
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'forceSSLforSubdomains' => false,
  'loglevel' => 0,
  'trashbin_retention_obligation' => 'auto',
  'overwrite.cli.url' => 'https://cloud.xxxxxxx.tld/',
  'htaccess.RewriteBase' => '/',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/media/cloud/data/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' => 
  array (
    0 => 
    array (
      0 => 'memcache.xxxxxxxxxx.tld',
      1 => 11211,
    ),
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis.xxxxxxxxxxx.tld',
    'port' => 6379,
  ),
  'app_install_overwrite' => 
  array (
    0 => 'user_pwauth',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

192.168.0.85 - daniel [01/Oct/2023:12:17:11 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152149.jpg HTTP/1.1" 401 -
192.168.0.85 - daniel [01/Oct/2023:12:17:11 -0400] "MKCOL /remote.php/dav/uploads/daniel/bd28e244b453264fdf8f80177c0dd841 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "PROPFIND /remote.php/dav/uploads/daniel/bd28e244b453264fdf8f80177c0dd841 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152151.jpg HTTP/1.1" 401 -
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "MKCOL /remote.php/dav/uploads/daniel/b40eba491d7b9e353f3d4cce9c95ba0e HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "PROPFIND /remote.php/dav/uploads/daniel/b40eba491d7b9e353f3d4cce9c95ba0e HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152152.jpg HTTP/1.1" 401 -
192.168.0.85 - daniel [01/Oct/2023:12:17:13 -0400] "MKCOL /remote.php/dav/uploads/daniel/dca39db776b3a557314a6e7453b6e120 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:13 -0400] "PROPFIND /remote.php/dav/uploads/daniel/dca39db776b3a557314a6e7453b6e120 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:13 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152144.jpg HTTP/1.1" 401 -

The nextcloud.log

{"reqId":"yr7x26pYORud9vUhVpvp","level":0,"time":"2023-10-01T00:45:03+00:00","remoteAddr":"192.168.0.85","user":"--","app":"webdav","method":"MKCOL","url":"/remote.php/dav/uploads/daniel/a146bc92b8bc6173dd6be2a5d0115817","message":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.25.0","version":"27.0.0.8","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/lib/Server.php","line":364,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/remote.php","line":172,"args":["/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":152,"message":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect","exception":{},"CustomMessage":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect"}}

just · October 1, 2023, 7:46pm

tuaris:

Info	no app in context	IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: 192.168.0.85]	
2023-10-01T13:19:44-0400
Info	core	Bruteforce attempt from "192.168.0.85" detected for action "login".	
2023-10-01T13:19:43-0400
Warning	core	Login failed: 'daniel' (Remote IP: '192.168.0.85')	
2023-10-01T13:19:43-0400

Says you’ve been bruteforced. You’ll probably want to adjust this or trying disabling that app.

It is also likely that the problem stems from your actual browser based on how you’ve set it up. Or, could be how your device handles account credentials is what is giving it amnesia. Looks like a client side problem, but I’m not sure.

tuaris · October 21, 2023, 11:17pm

First I tried adding my local LAN subnet to the whitelist, no luck. Then I disabled the brute force app just last night and still getting kicked off the clients. Desktop and Mobile. It’s really odd.

just · October 21, 2023, 11:33pm

Disabling the app does not mean you are not still throttled. You’ll need to analyze your logs and such. Read the brute force documentation and github. Report the issue there if it helps once you analyze things more.

tuaris · November 22, 2023, 9:01pm

I just wonder what changed between 26.x and 27.x that would cause the issue to start all of a sudden.

All I notice in the logs is that this message appears right before the client gets logged out and starts to log the throttling messages:

{"reqId":"PCRntgMgK2ndQCQGJEHQ","level":0,"time":"2023-11-22T20:34:44+00:00","remoteAddr":"204.147.185.230","user":"--","app":"webdav","method":"PROPFIND","url":"/remote.php/dav/files/person/","message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","userAgent":"Mozilla/5.0 (Windows) mirall/3.10.1stable-Win64 (build 20231025) (Nextcloud, windows-10.0.17763 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"27.1.0.7","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/lib/Server.php","line":365,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/remote.php","line":172,"args":["/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":152,"message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","exception":{},"CustomMessage":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured"}}

It’s almost as if the server is giving the clients a token that expires before the client knows to renew it? Maybe a theory? I did check the time on the server and the clients, it’s all in sync.