Nextcloud is a great platform to work with and my setup only uses 2 additional apps. TOTP and U2F. But yesterday I was curious why I wasn’t asked for my 2nd factor after I pressed login. Instead I passed right to my files WebUI.
That was a very scary moment. At first I thought I had some kind of cookie in my browser which say "don’t ask on this PC, but I didn’t trust the situation and checked the apps. Boom… Both 2nd factor apps disabled. That’s a security disaster.
So i checked back what happened the last view days, usually I don’t use the webUI so lets see. The only thing that happened a few days ago was an update of the docker image. It was upgraded as part of the many processes I automated in my docker setup. Checking the logs shown that it upgraded without a problem. So i checked the documentation of the docker image about upgrading instructions. docker pull and docker run the new image version if you don’t persist the whole html directory. So for me that’s it. And that’s exactly what I did.
Question: Why does an upgrade disable apps and even more scary: why doesn’t it notify me about that? No problem if it disables a app like a music player but security apps? I’m really unhappy about that. Ao either the upgrade instructions or the way how upgrades are handles has to be upgraded.
But maybe I misunderstood something or did something completely wrong, feel free to correct me.
Currently I use the official docker image: nextcloud:11.0-apache