Android Talk users cannot log in

I recently updated my server from 20.9 to NC 23.5 and also set up the coturn backend. All seemed to be working; testing using my own devices works. I have 2 people reporting that they are not now able to log in to NC Talk, where they had done so previously.

Nextcloud version (eg, 20.0.5): 23.0.5
Operating system and version (eg, Ubuntu 20.04): Debian Buster
Apache or nginx version (eg, Apache 2.4.25): nginx/1.14.2
PHP version (eg, 7.4): 7.4

The issue you are facing:
Talk isn’t working for all Android users after upgrading to NC 23.5. Talk is working in the browser for the same users. This doesn’t seem to affect iOS devices, the browser or my (slightly older) Android devices (<= Android 10), as these can remove/create accounts and access the server without issue, including accounts belonging to the users that can’t now access Talk. Testing with turnutils_uclient works and indicates that the server and coturn are configured correctly.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Upgrade NC from 20.9 to 23.5 (stepwise).
  2. Set up Coturn backend.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"kDthKi6pD7oNREh4Gnuh","level":2,"time":"2022-06-09T08:49:48+01:00","remoteAddr":"XXXXXXXX","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: XXXXXXXXXX (Remote IP: XXXXXXXXXXX)","userAgent":"Samsung SM-A105FN (Nextcloud Talk)","version":"23.0.5.1","id":"62a1a688b30cb"}

{"reqId":"kDthKi6pD7oNREh4Gnuh","level":1,"time":"2022-06-09T08:49:48+01:00","remoteAddr":"XXXXXXXXXX","user":"--","app":"core","method":"POST","url":"/login","message":"Bruteforce attempt from \"XXXXXXXXXXX\" detected for action \"login\".","userAgent":"Samsung SM-A105FN (Nextcloud Talk)","version":"23.0.5.1","id":"62a1a8a34c58d"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'debug' => false,
  'loglevel' => 1,
  'instanceid' => 'XXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXX',
  'default_phone_region' => 'GB',
  'allow_local_remote_servers' => true,
  'trusted_domains' =>
  array (
    0 => 'XXXXXXXXXX',
    1 => 'XXXXXXX',
    2 => 'XXXXXXXX',
  ),
  'datadirectory' => '/media/storage/nc_data',
  'dbtype' => 'mysql',
  'version' => '23.0.5.1',
  'overwrite.cli.url' => 'XXXXXXXXXXXXXXX',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'XXXXXXX',
  'dbpassword' => 'XXXXXXXX',
  'installed' => true,
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => true,
  'blacklisted_files' =>
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'cron_log' => true,
  'enable_previews' => true,
  'preview_max_x' => '1080',
  'preview_max_y' => '1920',
  'preview_libreoffice_path' => '/usr/bin/libreoffice',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  ),
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'logtimezone' => 'Europe/London',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'overwriteprotocol' => 'https',
  'preview_max_scale_factor' => 1,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'quota_include_external_storage' => false,
  'share_folder' => '/Shares',
  'defaultapp' => 'files',
  'skeletondirectory' => '',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'default_locale' => 'en_GB',
  'app.mail.transport' => 'php-mail',
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'XXXXXX',
  'mail_domain' => 'XXXXXXXXXX',
  'mail_smtphost' => 'XXXXXXXXXX',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'XXXXXXXXXXXX',
  'mail_smtppassword' => 'XXXXXXXXX',
  'app_install_overwrite' =>
  array (
    0 => 'files_external_ipfs',
  ),
  'lost_password_link' => 'disabled',
  'jpeg_quality' => '60',
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '::1',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

XXXXXXXXXX - - [09/Jun/2022:08:49:48 +0100] "POST /login HTTP/2.0" 303 0 "-" "Samsung SM-A105FN (Nextcloud Talk)"
XXXXXXXXXX - - [09/Jun/2022:08:49:48 +0100] "GET /login?redirect_url=/login/flow/grant?clientIdentifier%3D%26direct%3D0%26stateToken%3D5GasagxNZO6J2OMFFUI0xIVjqGf0EAmGzREIon5JLJnMZg3Y22WXWB8XwGQliJnj&user=XXXXXXXXXXX&direct=1 HTTP/2.0" 200 5712 "-" "Samsung SM-A105FN (Nextcloud Talk)"

nginx nextcloud config:

server {
server_name XXXXXXXXXX;
listen 80 default_server;
listen [::]:80 default_server;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
#location ^~ /.well-known/acme-challenge/ {
#  alias /var/www/acme-challenge/;
#}
location ^~ /.well-known/acme-challenge/ {
  alias /var/www/letsencrypt/;
}
location / {
return 301 https://$host$request_uri;
}
}

server {
server_name XXXXXXXXX;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /var/www/nextcloud/;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
        location = /.well-known/webfinger   { return 301 $scheme://$host/index.php$uri; }
        location = /.well-known/nodeinfo   { return 301 $scheme://$host/index.php$uri; }
        # anything else is dynamically handled by Nextcloud
        location ^~ /.well-known          { return 301 $scheme://$host/index.php$uri; }
                try_files $uri $uri/ =404;

## New Collabora
   location ^~ /browser {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

# WOPI discovery URL

 location ^~ /hosting/discovery {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

# Capabilities

 location ^~ /hosting/capabilities {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

   # main websocket
   location ~ ^/cool/(.*)/ws$ {
       proxy_pass https://127.0.0.1:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

   # download, presentation and image upload
   location ~ ^/(c|l)ool {
       proxy_pass https://127.0.0.1:9980;
       proxy_set_header Host $http_host;
   }

   # Admin Console websocket
   location ^~ /cool/adminws {
       proxy_pass https://127.0.0.1:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

### End Collabora Online ###

location ^~ /push/ {
        proxy_pass http://127.0.0.1:7867/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
}


client_max_body_size 10240M;
location / {
rewrite ^ /index.php;
}
### netdata
location /netdata {
 return 301 /netdata/;
 }
 location ~ /netdata/(?<ndpath>.*) {
 auth_basic "Restricted Area";
 auth_basic_user_file /etc/nginx/netdata-access;
 proxy_http_version 1.1;
 proxy_pass_request_headers on;
 proxy_set_header Connection "keep-alive";
 proxy_store off;
 proxy_pass http://netdata/$ndpath$is_args$args;
 gzip on;
 gzip_proxied any;
 gzip_types *;
 }

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ~ \.(?:flv|mp4|mov|m4a)$ {
mp4;
mp4_buffer_size 100M;
mp4_max_buffer_size 1024M;
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
include fastcgi_params; include php_optimization.conf;
fastcgi_pass php-handler; fastcgi_param HTTPS on;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provide$
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
try_files $fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
fastcgi_pass php-handler;
fastcgi_param HTTPS on;
fastcgi_buffers 64 64k;
fastcgi_buffer_size 64k;
proxy_buffer_size 8k;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ .(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
access_log off;
expires 360d;
}
}

turnutils_uclient test:

turnutils_uclient -p 3478 -W b3e5152a4933e1fcad524b5a5542567eb36de00f63bd1776d5a582d1159c6529 -v -y XXXXXXXXXX
0: IPv4. Connected from: XXXXXXX:61049
0: IPv4. Connected to: XXXXXXXX:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: XXXXXXX:60912
0: clnet_allocate: rtv=14423037746665744047
0: refresh sent
0: refresh response received:
0: success
0: IPv4. Connected from: XXXXXXX:20433
0: IPv4. Connected to: XXXXXXX:3478
0: IPv4. Connected from: XXXXXXX:55010
0: IPv4. Connected to: XXXXXXX:3478
0: IPv4. Connected from: XXXXXXX:52837
0: IPv4. Connected to: XXXXXXX:3478
0: IPv4. Connected from: XXXXXXX:10998
0: IPv4. Connected to: XXXXXXX:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: XXXXXXX:60913
0: clnet_allocate: rtv=0
0: refresh sent
0: refresh response received:
0: success
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: XXXXXXX:64860
0: clnet_allocate: rtv=11258168645090730040
0: refresh sent
0: refresh response received:
0: success
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: XXXXXXX:64861
0: clnet_allocate: rtv=0
0: refresh sent
0: refresh response received:
0: success
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: XXXXXXX:57400
0: clnet_allocate: rtv=418823899079440265
0: refresh sent
0: refresh response received:
0: success
0: channel bind sent
0: cb response received:
0: success: 0x6ecd
0: channel bind sent
0: cb response received:
0: success: 0x50de
0: channel bind sent
0: cb response received:
0: success: 0x6559
0: channel bind sent
0: cb response received:
0: success: 0x75c2
0: Total connect time is 0
1: start_mclient: msz=4, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
2: start_mclient: msz=4, tot_send_msgs=9, tot_recv_msgs=8, tot_send_bytes ~ 900, tot_recv_bytes ~ 800
3: start_mclient: msz=4, tot_send_msgs=10, tot_recv_msgs=10, tot_send_bytes ~ 1000, tot_recv_bytes ~ 1000
4: start_mclient: msz=4, tot_send_msgs=10, tot_recv_msgs=10, tot_send_bytes ~ 1000, tot_recv_bytes ~ 1000
5: start_mclient: msz=4, tot_send_msgs=15, tot_recv_msgs=15, tot_send_bytes ~ 1500, tot_recv_bytes ~ 1500
5: done, connection 0x7f1a29c0a010 closed.
5: done, connection 0x7f1a29be9010 closed.
5: done, connection 0x7f1a29bc8010 closed.
5: done, connection 0x7f1a29ba7010 closed.
5: start_mclient: tot_send_msgs=20, tot_recv_msgs=20
5: start_mclient: tot_send_bytes ~ 2000, tot_recv_bytes ~ 2000
5: Total transmit time is 5
5: Total lost packets 0 (0.000000%), total send dropped 0 (0.000000%)
5: Average round trip delay 17.400000 ms; min = 15 ms, max = 21 ms
5: Average jitter 1.600000 ms; min = 0 ms, max = 5 ms

Errors reported by the Talk client are:

‘Access denied state token does not match’

or

‘Nextcloud Talk app not installed on the server, aborting’

The second error doesn’t generate any errors in the log. I have disabled the coturn settings in Nextcloud and have the same issue with these phones, so the coturn settings don’t seem to be at fault.


When checking the user's security settings, the failed logins are being recorded as active sessions:

| Device | Last activity |
|---|---|
| Samsung SM-A105FN (Android) | an hour ago |
| Samsung SM-A105FN (Nextcloud Talk) | 2 hours ago |
| Samsung SM-A105FN (Nextcloud Talk) | 2 hours ago |
| Samsung SM-A105FN (Nextcloud Talk) | 3 hours ago |
| Samsung SM-A105FN (Nextcloud Talk) | 3 hours ago |
| Samsung SM-A105FN (Nextcloud Talk) | 3 hours ago |
| Samsung SM-A105FN (Nextcloud Talk) | 4 hours ago |


I have tried using an app password; this works for my older Android device but not for the Samsung SM-A105FN listed above.

I resolved the issue; it was down to the device, not the server config. ‘Clear Storage’ for NC Talk on the phone did not resolve the problem; the NC Talk app needed to be fully uninstalled and then reinstalled to fix it. It must have been properly borked on these two devices. This explains why there was nothing in the logs at connection (the app wasn’t actually attempting to connect, just raising the error).

I hope that helps.
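
A triage sketch for the Nextcloud log excerpt in this thread, added here and not part of the original post: it pairs "Login failed" entries with "Bruteforce attempt" entries through their shared reqId and tallies them per user agent, which shows whether failures are confined to one client build. The sample lines, addresses, user names and the browser agent string are constructed.

```python
import json
from collections import defaultdict

TALK = "Samsung SM-A105FN (Nextcloud Talk)"
BROWSER = "Mozilla/5.0 (constructed browser)"

def entry(req_id, level, app, message, agent, addr="192.0.2.10"):
    """Build one constructed log line in the JSON-lines shape shown in the post."""
    return json.dumps({"reqId": req_id, "level": level, "remoteAddr": addr, "app": app,
                       "url": "/login", "message": message, "userAgent": agent})

# Constructed sample: addresses and user names are placeholders, not page values.
SAMPLE_LOG = "\n".join([
    entry("req-A", 2, "no app in context", "Login failed: alice (Remote IP: 192.0.2.10)", TALK),
    entry("req-A", 1, "core", 'Bruteforce attempt from "192.0.2.10" detected for action "login".', TALK),
    entry("req-B", 2, "no app in context", "Login failed: alice (Remote IP: 192.0.2.10)", TALK),
    entry("req-C", 2, "no app in context", "Login failed: bob (Remote IP: 198.51.100.7)",
          BROWSER, "198.51.100.7"),
    "partial line left behind by log rotation",
    entry("req-D", 1, "core", "Unrelated informational message", TALK),
])

def summarize_login_failures(log_text):
    """Per user agent: failed logins, how many were flagged as brute force, source IPs."""
    failed, flagged = [], set()  # (reqId, agent, addr) tuples; reqIds with a bruteforce entry
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or non-JSON lines instead of aborting
        if not isinstance(rec, dict):
            continue
        msg = rec.get("message", "")
        if msg.startswith("Login failed:"):
            failed.append((rec.get("reqId"), rec.get("userAgent", "?"), rec.get("remoteAddr", "?")))
        elif msg.startswith("Bruteforce attempt from"):
            flagged.add(rec.get("reqId"))
    summary = defaultdict(lambda: {"failed": 0, "flagged": 0, "addrs": set()})
    for req_id, agent, addr in failed:
        row = summary[agent]
        row["failed"] += 1
        row["flagged"] += int(req_id in flagged)
        row["addrs"].add(addr)
    return dict(summary)

if __name__ == "__main__":
    for agent, row in summarize_login_failures(SAMPLE_LOG).items():
        print(f"{agent}: {row['failed']} failed, {row['flagged']} flagged, from {sorted(row['addrs'])}")
```

With 'auth.bruteforce.protection.enabled' set to true, as in the posted config.php, repeated failures from one address are throttled, so a high "flagged" count for a single agent is worth checking before retesting from that device.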