"Password Invalid" when opening Passwords app web UI

Nextcloud version: 27.1.3
Passwords version: 2023.11.30

I am attempting to install and run the Passwords app for the first time on my Nextcloud instance. For context, I’m using the lscr.io/linuxserver/nextcloud docker container image in a docker-compose setup together with a postgres database backend (I’ll include the specific config files after describing the problem I’m seeing), and it’s sitting behind a Traefik 2.10 reverse proxy. The Passwords app downloads and installs fine through the Apps menu. When I booted up the app, it flagged some misconfiguration with regard to HTTPS behind the reverse proxy (I had to add 'overwriteprotocol' => 'https' as well as a 'trusted_proxies' array to my config.php file); those error messages are no longer showing up.
I’m stuck now, though, at the login screen:

I can’t figure out what password it’s wanting in this password box. I’ve tried my user password (logged in as the admin on the instance). I’ve tried the postgres database password. Hitting the login button sends a POST to /index.php/apps/passwords/api/1.0/session/open, but it returns a 403 and shows “Password Invalid” as an error message.

I’ve unfortunately retried this too many times and the error message has now shifted to "Password invalid. Session revoked for too many failed login attempts."

Breaking out the server logs, each failure is showing two separate logs: an error level, and a fatal level.

Here are the logs for when the error was just “Password Invalid”:

{"reqId":"0iM5TuSCmJjzS1dpgeS8","level":3,"time":"2023-11-16T01:56:38+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Error \"Password invalid\" in OCA\\Passwords\\Controller\\Api\\SessionApiController::open","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"app":"passwords"},"id":"65569fcab0dd9"}
{"reqId":"0iM5TuSCmJjzS1dpgeS8","level":4,"time":"2023-11-16T01:56:38+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Password invalid","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","exception":{"Exception":"OCA\\Passwords\\Exception\\ApiException","Message":"Password invalid","Code":256,"Trace":[{"file":"/config/www/nextcloud/apps/passwords/lib/Services/UserChallengeService.php","line":134,"function":"solveChallenge","class":"OCA\\Passwords\\Helper\\Challenge\\ChallengeV1Helper","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/config/www/nextcloud/apps/passwords/lib/Controller/Api/SessionApiController.php","line":219,"function":"validateChallenge","class":"OCA\\Passwords\\Services\\UserChallengeService","type":"->"},{"file":"/config/www/nextcloud/apps/passwords/lib/Controller/Api/SessionApiController.php","line":138,"function":"verifyChallenge","class":"OCA\\Passwords\\Controller\\Api\\SessionApiController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/app/www/public/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"open","class":"OCA\\Passwords\\Controller\\Api\\SessionApiController","type":"->"},{"file":"/app/www/public/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/www/public/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/www/public/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/app/www/public/lib/base.php","line":1068,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/app/www/public/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/config/www/nextcloud/apps/passwords/lib/Helper/Challenge/ChallengeV1Helper.php","Line":61,"message":"Password invalid","exception":[],"CustomMessage":"Password invalid"},"id":"65569fcab0da5"}

Here are the logs for the “too many attempts” error:

{"reqId":"BikEI9PrrCtLawzmR3Qn","level":3,"time":"2023-11-16T23:02:25+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Error \"Too many failed login attempts\" in OCA\\Passwords\\Controller\\Api\\SessionApiController::open","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"app":"passwords"},"id":"65569f9599496"}
{"reqId":"BikEI9PrrCtLawzmR3Qn","level":4,"time":"2023-11-16T23:02:25+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Too many failed login attempts","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","exception":{"Exception":"OCA\\Passwords\\Exception\\ApiException","Message":"Too many failed login attempts","Code":256,"Trace":[{"file":"/config/www/nextcloud/apps/passwords/lib/Controller/Api/SessionApiController.php","line":223,"function":"registerFailedAttempt","class":"OCA\\Passwords\\Helper\\User\\UserLoginAttemptHelper","type":"->"},{"file":"/config/www/nextcloud/apps/passwords/lib/Controller/Api/SessionApiController.php","line":138,"function":"verifyChallenge","class":"OCA\\Passwords\\Controller\\Api\\SessionApiController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/app/www/public/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"open","class":"OCA\\Passwords\\Controller\\Api\\SessionApiController","type":"->"},{"file":"/app/www/public/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/www/public/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/www/public/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/app/www/public/lib/base.php","line":1068,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/app/www/public/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/config/www/nextcloud/apps/passwords/lib/Helper/User/UserLoginAttemptHelper.php","Line":114,"message":"Too many failed login attempts","exception":[],"CustomMessage":"Too many failed login attempts"},"id":"65569f9599460"}

And this is my docker-compose.yml file, in case that’s useful.

---
version: "3.1"
services:
  nextcloud:
    image: lscr.io/linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Boise
    volumes:
      - ./config:/config
      - ./data:/data
    networks:
      - proxy
      - nextcloud
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Web portal HTTP config
      - "traefik.http.routers.nextcloud.entrypoints=http"
      - "traefik.http.routers.nextcloud.rule=Host(`redacted`)"
      - "traefik.http.middlewares.nextcloud-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-https-redirect"
      # Web portal HTTPS config
      - "traefik.http.middlewares.nextcloud-redirectregex-remote.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex-remote.redirectregex.regex=https://(.*)/\\.well-known/(?:card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex-remote.redirectregex.replacement=https://$${1}/remote.php/dav"
      - "traefik.http.middlewares.nextcloud-redirectregex-index.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex-index.redirectregex.regex=https://(.*)/\\.well-known/(webfinger|nodeinfo)"
      - "traefik.http.middlewares.nextcloud-redirectregex-index.redirectregex.replacement=https://$${1}/index.php/.well-known/$${2}"
      - "traefik.http.middlewares.nextcloud-redirectchain.chain.middlewares=nextcloud-redirectregex-remote,nextcloud-redirectregex-index"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`redacted`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-redirectchain"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"

  database:
    container_name: nextcloud_postgres
    image: postgres:14-alpine@sha256:28407a9961e76f2d285dc6991e8e48893503cc3836a4755bbc2d40bcc272a441
    env_file:
      - .env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always
    networks:
      - nextcloud
networks:
  proxy:
    external: true
  nextcloud:
volumes:
  pgdata:
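The two log entries per failed attempt above share a reqId (an error-level entry and a fatal entry carrying the exception trace), and Nextcloud replaces the submitted secret in the trace with "*** sensitive parameters replaced ***". The following script is an added example, not code from Nextcloud or the Passwords app; it parses lines of that JSON log shape, counts each request once, and flags the lockout. The lines in SAMPLE_LOG are constructed to follow the shape of the entries quoted above, and the wrapped fragment at the end shows how partial lines from a terminal copy are skipped.

```python
"""Triage Nextcloud JSON log lines for failed Passwords-app session logins.
Added example for this thread; not code from Nextcloud or the Passwords app."""
import json
import re
from collections import defaultdict

# Nextcloud log levels: 0 debug, 1 info, 2 warning, 3 error, 4 fatal.
ERROR_LEVEL = 3
SESSION_OPEN_URL = "/index.php/apps/passwords/api/1.0/session/open"
LOCKOUT_MESSAGE = "Too many failed login attempts"
REDACTION_MARKER = "*** sensitive parameters replaced ***"
# The error-level entry wraps the reason as: Error "<reason>" in <class>::<method>
ERROR_WRAPPER = re.compile(r'^Error "(.+?)" in ')

# Constructed sample log (not the poster's real log). One failed login yields
# an error entry and a fatal entry with the same reqId; the last line is a
# wrapped fragment of the kind a terminal copy leaves behind.
SAMPLE_LOG = r"""
{"reqId":"r1","level":3,"time":"2023-11-16T01:56:38+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Error \"Password invalid\" in OCA\\Passwords\\Controller\\Api\\SessionApiController::open"}
{"reqId":"r1","level":4,"time":"2023-11-16T01:56:38+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Password invalid","exception":{"Exception":"OCA\\Passwords\\Exception\\ApiException","Message":"Password invalid","Code":256,"Trace":[{"function":"solveChallenge","args":["*** sensitive parameters replaced ***"]}]}}
{"reqId":"r2","level":3,"time":"2023-11-16T01:57:02+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Error \"Password invalid\" in OCA\\Passwords\\Controller\\Api\\SessionApiController::open"}
{"reqId":"r3","level":3,"time":"2023-11-16T23:02:25+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Error \"Too many failed login attempts\" in OCA\\Passwords\\Controller\\Api\\SessionApiController::open"}
{"reqId":"r3","level":4,"time":"2023-11-16T23:02:25+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Too many failed login attempts","exception":{"Exception":"OCA\\Passwords\\Exception\\ApiException","Message":"Too many failed login attempts","Code":256,"Trace":[{"function":"registerFailedAttempt","args":["*** sensitive parameters replaced ***"]}]}}
{"reqId":"r4","level":1,"time":"2023-11-16T23:03:00+00:00","remoteAddr":"192.168.1.3","user":"jeff","app":"core","method":"GET","url":"/index.php/apps/files/","message":"unrelated info entry"}
***"]},{"file":"/app/www/public/index.php","line":36}
"""


def parse_log_lines(text):
    """Parse one JSON entry per line; skip blank lines and wrapped/partial lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # fragment from line wrapping, not a whole entry
    return entries


def session_open_failures(entries):
    """Error-or-worse entries from the Passwords app's session/open endpoint."""
    return [e for e in entries
            if e.get("app") == "passwords"
            and e.get("url") == SESSION_OPEN_URL
            and e.get("level", 0) >= ERROR_LEVEL]


def failure_reason(group):
    """Reason for one request: prefer the exception's Message, otherwise
    unwrap the error-level text, otherwise return the message unchanged."""
    for entry in group:
        exc = entry.get("exception")
        if exc and exc.get("Message"):
            return exc["Message"]
    message = group[0].get("message", "")
    match = ERROR_WRAPPER.match(message)
    return match.group(1) if match else message


def triage(entries):
    """Group failures by reqId so the error+fatal pair counts as one attempt,
    then summarize attempts per (user, remoteAddr)."""
    by_request = defaultdict(list)
    for entry in session_open_failures(entries):
        by_request[entry.get("reqId")].append(entry)
    summary = {}
    for group in by_request.values():
        key = (group[0].get("user"), group[0].get("remoteAddr"))
        record = summary.setdefault(key, {"attempts": 0, "reasons": [], "locked_out": False})
        reason = failure_reason(group)
        record["attempts"] += 1
        record["reasons"].append(reason)
        if reason == LOCKOUT_MESSAGE:
            record["locked_out"] = True
    return summary


def traces_with_redacted_args(entries):
    """Count exception traces whose frame args carry Nextcloud's redaction
    marker, i.e. the submitted secret did not land in the log."""
    count = 0
    for entry in entries:
        frames = (entry.get("exception") or {}).get("Trace", [])
        if any(REDACTION_MARKER in frame.get("args", []) for frame in frames):
            count += 1
    return count


if __name__ == "__main__":
    parsed = parse_log_lines(SAMPLE_LOG)
    for (user, addr), record in triage(parsed).items():
        state = "LOCKED OUT" if record["locked_out"] else "ok"
        print(f"{user}@{addr}: {record['attempts']} failed attempt(s), {state}, reasons={record['reasons']}")
    print(f"{traces_with_redacted_args(parsed)} trace(s) with redacted arguments")
```

Run it against a real nextcloud.log by reading the file into parse_log_lines instead of SAMPLE_LOG; grouping by reqId is what keeps the error/fatal pair from being counted as two attempts.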

This login page is usually there to enter your encryption passphrase.
That passphrase is set when you set up E2EE.

If this is the first time you install and open the app, you probably didn’t do that and there is some kind of error.

Can you check these things:

  • Is there a request to /apps/passwords/api/1.0/session/request and does the response look something like this?
    {
      "challenge": {
        "salts": [
          "<redacted>",
          "701792f98f995c8b0b94cd8eaf4ecd60ca337666b44257ae5ca7ececdb8de0b688972865cf35298efcc82a1aa7432018cdf4d25e7e8d6fe815b3175eec3e68ae",
          "2dc9bed66811d2607c331231febd993f"
        ],
        "type": "PWDv1r1"
      }
    }

  • Does the *PREFIX*_passwords_challenge table have any entries for your user?
  • Does the command ./occ user:setting <user id> passwords user/challenge/id report that the setting exists for your user?
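A small checker for the first item on that list, added here as an example (not code from the Passwords app): it takes the body returned by session/request and reports every way it departs from the shape shown above, a "challenge" object with a three-entry "salts" list of hex strings and a "type" of "PWDv1r1". The sample responses at the bottom are constructed; the salt values are not real.

```python
"""Shape-check a Passwords-app session/request response.
Added example for this thread, not code from the Passwords app."""
import json

EXPECTED_TYPE = "PWDv1r1"       # type shown in the responses quoted in the thread
EXPECTED_SALT_COUNT = 3         # three salts in the quoted responses
HEX_DIGITS = set("0123456789abcdef")


def check_challenge_response(body):
    """Return a list of problems; an empty list means the body matches the
    expected shape. Accepts a JSON string/bytes or an already-parsed object."""
    try:
        data = json.loads(body) if isinstance(body, (str, bytes)) else body
    except json.JSONDecodeError as err:
        return [f"response is not JSON: {err}"]
    if not isinstance(data, dict):
        return ["response is not a JSON object"]
    challenge = data.get("challenge")
    if challenge is None:
        return ["no 'challenge' key in response"]
    if not isinstance(challenge, dict):
        return ["'challenge' is not an object"]

    problems = []
    if challenge.get("type") != EXPECTED_TYPE:
        problems.append(f"unexpected challenge type {challenge.get('type')!r}, "
                        f"expected {EXPECTED_TYPE!r}")
    salts = challenge.get("salts")
    if not isinstance(salts, list):
        problems.append("'salts' missing or not a list")
        return problems
    if len(salts) != EXPECTED_SALT_COUNT:
        problems.append(f"expected {EXPECTED_SALT_COUNT} salts, got {len(salts)}")
    for index, salt in enumerate(salts):
        # Every salt in the quoted responses is lowercase hex; reject anything else.
        if not isinstance(salt, str) or not salt or set(salt.lower()) - HEX_DIGITS:
            problems.append(f"salt {index} is not a non-empty hex string")
    return problems


# Constructed sample responses (salts are made-up hex, not real values).
GOOD_RESPONSE = json.dumps({"challenge": {"salts": ["aa" * 64, "bb" * 64, "cc" * 16],
                                          "type": "PWDv1r1"}})
NO_CHALLENGE_RESPONSE = "{}"
BAD_TYPE_RESPONSE = json.dumps({"challenge": {"salts": ["aa" * 64, "bb" * 64, "cc" * 16],
                                              "type": "PWDv2"}})
BAD_SALT_RESPONSE = json.dumps({"challenge": {"salts": ["aa" * 64, "not-hex!"],
                                              "type": "PWDv1r1"}})

if __name__ == "__main__":
    for name, body in [("good", GOOD_RESPONSE), ("no challenge", NO_CHALLENGE_RESPONSE),
                       ("bad type", BAD_TYPE_RESPONSE), ("bad salts", BAD_SALT_RESPONSE)]:
        print(f"{name}: {check_challenge_response(body) or 'OK'}")
```

Paste the body of the session/request response from the browser's network tab into check_challenge_response; an empty result means the shape is fine and the remaining two items on the list (the challenge table row and the occ setting) are where to look next.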

You have a correct understanding that I did not explicitly take any actions to setup E2EE on my instance yet.

  1. I do see that request, and the response matches the JSON shape you provided
    {"challenge":{"salts":["<redacted>","f3ca3185637cde82dcfe9e5f0b2db1bf23342df57ea8bc54c1bf4e7e0cb6ed171ec686ea4717d380edd62cade14a41dd2d542b4d5838ef546dd8c413170e29c2","629e438de42656bcc03548f6f8cf837e"],"type":"PWDv1r1"}}
  2. Yes, there is an entry for my user in the oc_passwords_challenge table. Interestingly, not for the other non-admin users I configured on the instance.
  3. That occ command gives back a UUID

Well, this is certainly interesting. It looks as if the Passwords App was set up for your account at least once.

Maybe someone tested the app out once before and then uninstalled it afterwards?
The oc_passwords_challenge table does have timestamps for the entries, so you can check when the challenge was created. Additionally, if the oc_passwords_password_rv table has contents, that means there are passwords on the system.

I would be interested in what the occ command passwords:backup:list shows. Are there old backups?

I will try and see if the same happens when I use your docker-compose file later.
The only other options (aside from someone testing the app before) I could imagine right now are if there is some kind of “auto setup” in the docker image, if the database is initialized with an SQL dump, or if there is an old backup present on the system, because the app would automatically restore it if the database is empty.

If you just want to start over, use the occ command passwords:user:delete <user> (wiki). It will delete all the data for this user and you can just use the app as new.

I do see old backups with that occ command

  2023-11-15_16-35-02   329 B compressed
  2023-11-16_16-40-01   10 KB compressed

It’ll be a little bit before I can dig in more. I’ll keep you posted as I try other things, including what you’re suggesting.

Deleting the passwords user data for my user did the trick, I’m able to access the Passwords app now. Not sure how I got into that state. It is possible I set it up and then wiped that memory from my mind :sweat_smile:
Thanks for your quick response and help on this one, mdw!