External User Login is case sensitive and creates new user accounts if the upper/lower case is typed differently
Steps to reproduce
- activate external user support
- authenticate against a third-party authentication instance
- login e.g. with all lower-case e-mail address (name@domain)
- logout
- re-login with same e-mail address but now with uppercase characters (Name@domain)
Expected behaviour
One user account is created - including the folder below the data-directory and regardless of upper/lower-cases in the login-name the user logs into the same account every time
Actual behaviour
first login (lower case): user account and folders are created
second login (with upper case characters): another user account and different folders are created
Server configuration
Operating system: ubuntu 20.04.1
Web server: apache2
Database: mysql 5.7
PHP version: 7.4
Nextcloud version: (see Nextcloud admin page) 20.0.2
Updated from an older Nextcloud/ownCloud or fresh install: fresh install
Where did you install Nextcloud from: zip-file from download.nextcloud.com
Are you using external storage, if yes which one: local/smb/sftp/... no
Are you using encryption: yes/no no
maybe related: nextcloud/server#7084
This problem only exists if your authentication backend is case-insensitive (most of them probably are).
This user experience is pretty bad - the user logs in once with their lower case username (joe). They save a bunch of files. They logout and the next day they login again with their mixed case username (Joe) and - their files are gone because Nextcloud is treating them as a different user (you'll see data/joe and data/Joe in the file system).
I think the proper fix is to convert all usernames to lowercase regardless of what the user submits (which can be implemented in any back end provider by lowercasing the $uid variable before returning in the checkPassword function).
However, if you do this on an existing Nextcloud installation that has been allowing mixed case logins, you will create a big mess - since people who have been logging in with mixed case logins will be considered a new user by Nextcloud and will suddenly lose access to their files.
I'm not sure how to properly recover from this condition without laboriously manipulating all the directories in your data directory and updating all the instances of the uid in the database to make them all uniformly lowercase and then implementing the fix in the code.
Is a fix for this bug on your roadmap or is it not going to be fixed?
After looking at https://github.com/nextcloud/user_external/blob/master/lib/basicauth.php it seems to be easily fixable by adding strtolower($uid) to all occurrences of $uid inside of checkPassword(). :wrench:
If the above explained fix is acceptable for you, I can create a pull request. If this cannot be fixed for backward compatibility reasons, we may still fix it by adding an additional configuration variable e.g. isBackendCaseSensitive with default value true. :muscle:
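The recovery concern raised earlier in this thread (existing installations that already hold mixed-case uids such as data/joe and data/Joe) can be sized before lowercasing is switched on. The following is an added example, not part of the thread or of user_external's code: it takes a list of existing uids, assumed here to have been exported by the administrator, and classifies each one as unchanged, a plain rename, or a collision that needs a manual merge. The function name and the sample uids are hypothetical.

```python
from collections import defaultdict


def plan_lowercase_migration(uids):
    """Group existing uids by lowercase form and classify each group.

    Returns a dict with three lists:
      unchanged: uids that are already lowercase and have no variants
      rename:    (old_uid, new_uid) pairs with a single mixed-case variant
      merge:     (canonical_uid, [variants]) where several accounts would
                 collapse into one and their files must be merged by hand
    """
    groups = defaultdict(list)
    for uid in uids:
        # Assumption: str.lower() stands in for the strtolower($uid)
        # proposed in the thread; non-ASCII names may fold differently.
        groups[uid.lower()].append(uid)

    plan = {"unchanged": [], "rename": [], "merge": []}
    for canonical, variants in sorted(groups.items()):
        variants = sorted(set(variants))
        if variants == [canonical]:
            plan["unchanged"].append(canonical)
        elif len(variants) == 1:
            plan["rename"].append((variants[0], canonical))
        else:
            plan["merge"].append((canonical, variants))
    return plan


# Constructed sample: uids as they might appear after users logged in
# with different capitalisation against a case-insensitive backend.
SAMPLE_UIDS = ["joe", "Joe", "Alice@example.org", "bob@example.org", "JOE"]

if __name__ == "__main__":
    result = plan_lowercase_migration(SAMPLE_UIDS)
    for uid in result["unchanged"]:
        print(f"ok      {uid}")
    for old, new in result["rename"]:
        print(f"rename  {old} -> {new}")
    for canonical, variants in result["merge"]:
        print(f"MERGE   {variants} -> {canonical}")
```

Any entry under merge means lowercasing at login would silently redirect some users to a different account's files, so those groups need to be resolved before the change is deployed.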