Login loop/fails after database migration mysql > pgsql

ℹ️ Support
1

Nextcloud version : 23.0.2
Operating system and version : docker instance
Apache or nginx version : nginx on nextcloud docker + nginx with letsencrypt for reverse proxy
PHP version : 7.4

Context :

  • I successfully migrated from version 21 to 23, system was up and running fine
  • I decided to migrate the db from mariadb to pgsql (running both in a separate docker instance). Migration appeared to work fine
  • I manually updated my conf.php in order to change db hostname/user/password

Error :
Unfortunately I am now having a login loop even if I put in the right credentials.
It tries to connect and looks like it is working but after ~30 seconds it gets back to the login page.
I have tried to login several times and now nextcloud thinks I am trying to bruteforce :smiling_face_with_tear:

Do you guys have any idea what I should look at to get it back working ?

Here is my config.php :

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'trusted_proxies' => 
  array (
    0 => 'letsencrypt',
  ),
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://mydomain.com/nextcloud',
  'trusted_domains' => 
  array (
    0 => 'mydomain.com',
  ),
  'instanceid' => 'ocuc82sk26kc',
  'passwordsalt' => '***',
  'secret' => '***,
  'dbtype' => 'pgsql',
  'version' => '23.0.2.1',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'nextcloud_db',
  'dbport' => '5432',
  'dbtableprefix' => 'oc_',
  'dbuser' => '***',
  'dbpassword' => '***',
  'installed' => true,
  'maintenance' => false,
  'loglevel' => 0,
...
);

outpout of nextcloud.log (normal manual login)

{'reqId':'U2Lkj23TB1ARBuiM3gpS','level':1,'time':'2022-02-26T09:32:19+00:00','remoteAddr':'192.168.1.1','user':'--','app':'no app in context','method':'POST','url':'/nextcloud/index.php','message':'IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 25000, ip: 192.168.1.1]','userAgent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0','version':'23.0.2.1'}
{'reqId':'U2Lkj23TB1ARBuiM3gpS','level':2,'time':'2022-02-26T09:32:45+00:00','remoteAddr':'192.168.1.1','user':'--','app':'no app in context','method':'POST','url':'/nextcloud/index.php','message':'Login failed: djelizou (Remote IP: 192.168.1.1)','userAgent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0','version':'23.0.2.1'}
{'reqId':'U2Lkj23TB1ARBuiM3gpS','level':1,'time':'2022-02-26T09:33:10+00:00','remoteAddr':'192.168.1.1','user':'--','app':'core','method':'POST','url':'/nextcloud/index.php','message':'Bruteforce attempt from \'192.168.1.1\' detected for action \'login\'.','userAgent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0','version':'23.0.2.1'}

outpout of nextcloud.log (ios app / webdabv)

{'reqId':'G6GLegUgmrPdhKYhNNhI','level':0,'time':'2022-02-26T11:58:01+00:00','remoteAddr':'192.168.1.1','user':'--','app':'no app in context','method':'GET','url':'/nextcloud/ocs/v2.php/cloud/user?format=json','message':'Token is not valid: Token does not exist','userAgent':'Mozilla/5.0 (iOS) Nextcloud-iOS/4.2.2','version':'23.0.2.1','exception':{'Exception':'OC\\Authentication\\Exceptions\\InvalidTokenException','Message':'Token does not exist','Code':0,'Trace':[{'file':'/config/www/nextcloud/lib/private/Authentication/Token/Manager.php','line':146,'function':'getToken','class':'OC\\Authentication\\Token\\DefaultTokenProvider','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/private/User/Session.php','line':531,'function':'getToken','class':'OC\\Authentication\\Token\\Manager','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/private/User/Session.php','line':447,'function':'isTokenPassword','class':'OC\\User\\Session','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/private/User/Session.php','line':584,'function':'logClientIn','class':'OC\\User\\Session','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/base.php','line':1057,'function':'tryBasicAuthLogin','class':'OC\\User\\Session','type':'->'},{'file':'/config/www/nextcloud/ocs/v1.php','line':59,'function':'handleLogin','class':'OC','type':'::'},{'file':'/config/www/nextcloud/ocs/v2.php','line':23,'args':['/config/www/nextcloud/ocs/v1.php'],'function':'require_once'}],'File':'/config/www/nextcloud/lib/private/Authentication/Token/DefaultTokenProvider.php','Line':150,'Previous':{'Exception':'OCP\\AppFramework\\Db\\DoesNotExistException','Message':'token does not exist','Code':0,'Trace':[{'file':'/config/www/nextcloud/lib/private/Authentication/Token/DefaultTokenProvider.php','line':148,'function':'getToken','class':'OC\\Authentication\\Token\\DefaultTokenMapper','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/private/Authentication/Token/Manager.php','line':146,'function':'getToken','class':'OC\\Authentication\\Token\\DefaultTokenProvider','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/private/User/Session.php','line':531,'function':'getToken','class':'OC\\Authentication\\Token\\Manager','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/private/User/Session.php','line':447,'function':'isTokenPassword','class':'OC\\User\\Session','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/private/User/Session.php','line':584,'function':'logClientIn','class':'OC\\User\\Session','type':'->','args':['*** sensitive parameters replaced ***']},{'file':'/config/www/nextcloud/lib/base.php','line':1057,'function':'tryBasicAuthLogin','class':'OC\\User\\Session','type':'->'},{'file':'/config/www/nextcloud/ocs/v1.php','line':59,'function':'handleLogin','class':'OC','type':'::'},{'file':'/config/www/nextcloud/ocs/v2.php','line':23,'args':['/config/www/nextcloud/ocs/v1.php'],'function':'require_once'}],'File':'/config/www/nextcloud/lib/private/Authentication/Token/DefaultTokenMapper.php','Line':93},'CustomMessage':'Token is not valid: Token does not exist'}}

I checked the error.log on var/lib/nginx/logs for both my nextcloud docker and reverse proxy and it’s empty.

Any help on my problem would be appreciated :slight_smile:

2

it looks like your browser offers a token the system doesn’t trust (anymore). and the system counts your login as “brute-force”

try “incognito/private mode” - this should create new session which might work…

3

thank you for answering. I have tried different browsers with private made mode (no local cache) from different devices on different IPs but still the same :

{"reqId":"6xjGUg5IXM0AjNtBQFh9","level":2,"time":"2022-02-27T06:52:17+00:00","remoteAddr":"37.120.136.249","user":"--","app":"no app in context","method":"POST","url":"/nextcloud/index.php","message":"Login failed: djelizou (Remote IP: 37.120.136.249)","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
{"reqId":"6xjGUg5IXM0AjNtBQFh9","level":1,"time":"2022-02-27T06:52:17+00:00","remoteAddr":"37.120.136.249","user":"--","app":"core","method":"POST","url":"/nextcloud/index.php","message":"Bruteforce attempt from \"37.120.136.249\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
{"reqId":"BMp98xcl6IJxLz5Chj2E","level":1,"time":"2022-02-27T06:52:24+00:00","remoteAddr":"37.120.136.249","user":"--","app":"no app in context","method":"POST","url":"/nextcloud/index.php","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: 37.120.136.249]","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
{"reqId":"BMp98xcl6IJxLz5Chj2E","level":2,"time":"2022-02-27T06:52:24+00:00","remoteAddr":"37.120.136.249","user":"--","app":"no app in context","method":"POST","url":"/nextcloud/index.php","message":"Login failed: djelizou (Remote IP: 37.120.136.249)","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
{"reqId":"BMp98xcl6IJxLz5Chj2E","level":1,"time":"2022-02-27T06:52:24+00:00","remoteAddr":"37.120.136.249","user":"--","app":"core","method":"POST","url":"/nextcloud/index.php","message":"Bruteforce attempt from \"37.120.136.249\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
{"reqId":"0wFwBkZl3U2f10YOPmto","level":1,"time":"2022-02-27T06:52:43+00:00","remoteAddr":"37.120.136.249","user":"--","app":"no app in context","method":"POST","url":"/nextcloud/index.php","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 400, ip: 37.120.136.249]","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
{"reqId":"0wFwBkZl3U2f10YOPmto","level":2,"time":"2022-02-27T06:52:43+00:00","remoteAddr":"37.120.136.249","user":"--","app":"no app in context","method":"POST","url":"/nextcloud/index.php","message":"Login failed: djelizou (Remote IP: 37.120.136.249)","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
{"reqId":"0wFwBkZl3U2f10YOPmto","level":1,"time":"2022-02-27T06:52:43+00:00","remoteAddr":"37.120.136.249","user":"--","app":"core","method":"POST","url":"/nextcloud/index.php","message":"Bruteforce attempt from \"37.120.136.249\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0","version":"23.0.2.1"}
4

New log still show same issue - you login is blocked by the bruteforce app. Maybe bruteforce app is broken somehow. try to disable it on the command line:

 docker exec --user www-data <nextcloud container> php occ app:disable bruteforcesettings
5

I tried but there is no bruteforce app, because this is the answer I get :

No such app enabled: bruteforcesettings

here is the list of apps:

Enabled:
  - cloud_federation_api: true
  - dav: true
  - federatedfilesharing: true
  - files: true
  - lookup_server_connector: true
  - oauth2: true
  - provisioning_api: true
  - settings: true
  - twofactor_backupcodes: true
  - viewer: true
  - workflowengine: true
Disabled:
  - accessibility
  - activity
  - admin_audit
  - circles
  - comments
  - contactsinteraction
  - dashboard
  - duplicatefinder
  - encryption
  - facerecognition
  - federation
  - files_external
  - files_markdown
  - files_pdfviewer
  - files_rightclick
  - files_sharing
  - files_trashbin
  - files_versions
  - files_videoplayer
  - firstrunwizard
  - logreader
  - maps
  - nextcloud_announcements
  - notifications
  - password_policy
  - photos
  - previewgenerator
  - privacy
  - recommendations
  - serverinfo
  - sharebymail
  - support
  - survey_client
  - systemtags
  - text
  - theming
  - updatenotification
  - user_ldap
  - user_status
  - weather_status

I also tried this but without better luck:

occ maintenance:repair

other ideas I have had :

  • password hash corrupted
  • folder rights gone wrong (don’t know why/how but still…)
  • broken app which prevents the login to go through
6

I’m little surprised - the logs are more or less clear… and my list of apps is much longer… maybe you somehow hit the state the app does exist but is not registered on the DB?

try to install and then disable the bruteforce app (maybe repeat with other from my list)…

 docker exec --user www-data <nextcloud container> php occ app:install bruteforcesettings
 docker exec --user www-data <nextcloud container> php occ app:disable bruteforcesettings

my list of my apps as reference (majority is core/default apps):

Enabled:
  - accessibility: 1.9.0
  - activity: 2.15.0
  - admin_audit: 1.13.0
  - bruteforcesettings: 2.3.0
  - circles: 23.0.1
  - cloud_federation_api: 1.6.0
  - comments: 1.13.0
  - contacts: 4.0.8
  - contactsinteraction: 1.4.0
  - dashboard: 7.3.0
  - dav: 1.21.0
  - federatedfilesharing: 1.13.0
  - federation: 1.13.0
  - files: 1.18.0
  - files_external: 1.15.0
  - files_pdfviewer: 2.4.0
  - files_rightclick: 1.2.0
  - files_sharing: 1.15.0
  - files_trashbin: 1.13.0
  - files_versions: 1.16.0
  - files_videoplayer: 1.12.0
  - firstrunwizard: 2.12.0
  - groupfolders: 11.1.2
  - logreader: 2.8.0
  - lookup_server_connector: 1.11.0
  - nextcloud_announcements: 1.12.0
  - notifications: 2.11.1
  - notify_push: 0.3.0
  - oauth2: 1.11.0
  - password_policy: 1.13.0
  - photos: 1.5.0
  - privacy: 1.7.0
  - provisioning_api: 1.13.0
  - recommendations: 1.2.0
  - richdocuments: 5.0.2
  - serverinfo: 1.13.0
  - settings: 1.5.0
  - sharebymail: 1.13.0
  - spreed: 13.0.3
  - support: 1.6.0
  - survey_client: 1.11.0
  - systemtags: 1.13.0
  - text: 3.4.0
  - theming: 1.14.0
  - twofactor_backupcodes: 1.12.0
  - twofactor_totp: 6.2.0
  - twofactor_webauthn: 0.2.15
  - updatenotification: 1.13.0
  - user_status: 1.3.1
  - viewer: 1.7.0
  - weather_status: 1.3.0
  - workflowengine: 2.5.0
Disabled:
  - encryption
  - end_to_end_encryption: 1.7.1
  - user_ldap

P.S: regarding missing apps: when you ran you migration did you add --all-apps parameter to your occ db:convert-type maybe this is the reason why some apps are in unhealthy state…

7

I followed your instructions and now the bruteforceseetings apps show as disabled, but still no better.
I also updated all apps with

occ app:update --all

finally I decided to try another way by using the “password forgotten” function and there is an interesting log ouput which states that my user is unkown :smiling_face_with_tear:

{"reqId":"UOcz8ywPNsVPy9FkhcqM","level":2,"time":"2022-02-28T11:45:42+00:00","remoteAddr":"46.16.40.252","user":"--","app":"core","method":"POST","url":"/nextcloud/index.phpord/email","message":"Could not send password reset email: Could not find user","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36","version":"23.0.2.1"}
{"reqId":"UOcz8ywPNsVPy9FkhcqM","level":1,"time":"2022-02-28T11:45:42+00:00","remoteAddr":"46.16.40.252","user":"--","app":"core","method":"POST","url":"/nextcloud/index.phpord/email","message":"Bruteforce attempt from \"46.16.40.252\" detected for action \"passwordResetEmail\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36","version":"23.0.2.1"}

now, this is the ouput for occ:user report

+------------------+---+
| User Report      |   |
+------------------+---+
| Database         | 0 |
|                  |   |
| total users      | 0 |
|                  |   |
| user directories | 1 |
| active users     | 0 |
| disabled users   | 0 |
+------------------+---+

something definitely got broken during migration…

8

most likely this doesn’t add missing apps but just update existing.

as your list of active apps is much shorter than mine try installing all the apps from my list - maybe you miss some mandatory app.

9

I really think something got wrong with the database migration since most of the tables in the new database are empty. I will try to check the status of those same tables in the old mariadb instance

for example this is the ouput for occ:user report

+------------------+---+
| User Report      |   |
+------------------+---+
| Database         | 0 |
|                  |   |
| total users      | 0 |
|                  |   |
| user directories | 1 |
| active users     | 0 |
| disabled users   | 0 |
+------------------+---+