[Bug]: Session blocked when a user changes their password to one that is too long

[Kipok42]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Hi,
I’m currently running tests on a Nextcloud instance recently deployed by a colleague. During these tests I looked at whether there was a limit to the number of characters that could be entered when a user used the functionality to change their password.
I first tried with 800 characters and received a pop-up message ‘Unable to change personal password’. After a bit of research I came across a post indicating that the limit was set at 469, which is correct because I only get a pop-up after 470 characters.
Nextcloud | Report #1727424 - No password length limit when creating a user as an administrator | HackerOne
Also, I see in the hardening guidelines that bcrypt is only supposed to consider the first 72 characters which doesn’t seem to be the case here.

The problem is that if a user changes their password to a new one of between 215 and 469 characters, the server won’t display a pop-up, but will still accept the password (an error 500 is visible when inspecting the Network tab) and the user will no longer be able to log in.
When the user enters their credentials and logs in, they are automatically returned to the ‘Internal Server Error’ page and cannot do anything. The administrator then has to change their password to unblock it.
Do you think this is a problem on our side or could it be a bug?

Steps to reproduce

1. Login with a user and access /settings/user/security
2. Change password with one whose length is between 215 and 469 characters
   2.1 Inspect Network tab
3. Attempt to reconnect with the new password

Expected behavior

The user is able to log in using long password.
I would have liked to limit the authorized size myself but I can't find an option to do so.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

<?php
$CONFIG = array (
  'instanceid' => 'xxxx',
  'passwordsalt' => 'xxxx',
  'secret' => 'xxxx',
  'trusted_domains' =>
  array (
    0 => 'x.x.x.x',
    1 => 'nextcloud.test.loc',
  ),
  'datadirectory' => 'xxxx',
  'dbtype' => 'mysql',
  'version' => '28.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.test.loc',
  'installed' => true,
  'has_internet_connection' => false,
  'debug' => 'false',
  'maintenance' => false,
  'dbname' => 'xxxx',
  'dbhost' => 'xxxx',
  'dbuser' => 'xxxx',
  'dbpassword' => 'xxxx',
  'mail_from_address' => 'xxxx',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'xxxx',
  'mail_smtphost' => 'xxxx',
  'mail_smtpport' => 'xxxx',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'xxxx',
  'mail_smtppassword' => 'xxxx',
);

List of activated Apps

Enabled:
  - activity: 2.20.0
  - bruteforcesettings: 2.8.0
  - circles: 28.0.0-dev
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contactsinteraction: 1.9.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - encryption: 2.16.0
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - spreed: 18.0.1
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - user_status: 1.8.1
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - files_external: 1.20.0
  - nextcloud_announcements: 1.17.0 (installed 1.17.0)
  - notifications: 2.16.0 (installed 2.16.0)
  - photos: 2.4.0 (installed 2.4.0)
  - support: 1.11.0 (installed 1.11.0)
  - survey_client: 1.16.0 (installed 1.16.0)
  - suspicious_login: 6.0.0
  - twofactor_totp: 10.0.0-beta.2
  - updatenotification: 1.18.0 (installed 1.18.0)
  - user_ldap: 1.19.0
  - weather_status: 1.8.0 (installed 1.8.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"ZitxWupCQwENSxkXUse59gAAAAM","level":3,"time":"2024-04-26T09:18:19+00:00","remoteAddr":"x.x.x.x","user":"xxxx","app":"index","method":"POST","url":"/index.php/login","message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","version":"28.0.1.1","exception":{"Exception":"Exception","Message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","Line":169,"Previous":{"Exception":"TypeError","Message":"base64_encode(): Argument #1 ($string) must be of type string, null given","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":400,"function":"base64_encode"},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":531,"function":"encryptPassword","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/public/AppFramework/Db/TTransactional.php","line":63,"function":"OC\\Authentication\\Token\\{closure}","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":500,"function":"atomic","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php","line":245,"function":"updatePasswords","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Listeners/UserLoggedInListener.php","line":60,"function":"updatePasswords","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php","line":86,"function":"handle","class":"OC\\Authentication\\Listeners\\UserLoggedInListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":230,"function":"__invoke","class":"OC\\EventDispatcher\\ServiceEventListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":59,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":94,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":106,"function":"dispatch","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":392,"function":"dispatchTyped","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/CompleteLoginCommand.php","line":39,"function":"completeLogin","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\CompleteLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/LoggedInCheckCommand.php","line":60,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\LoggedInCheckCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/EmailLoginCommand.php","line":68,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\EmailLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/UidLoginCommand.php","line":53,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\UidLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/UserDisabledCheckCommand.php","line":57,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\UserDisabledCheckCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/PreLoginHookCommand.php","line":52,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/Chain.php","line":107,"function":"process","class":"OC\\Authentication\\Login\\PreLoginHookCommand","type":"->"},{"file":"/var/www/nextcloud/core/Controller/LoginController.php","line":307,"function":"process","class":"OC\\Authentication\\Login\\Chain","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","Line":400},"message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","exception":[],"CustomMessage":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400"},"id":"662b7787ace93"}

Additional info

Browser console error:

encryption.js:12 Uncaught ReferenceError: OC is not defined
    at encryption.js:12:1
(anonymous) @ encryption.js:12

[joshtrichards]

Thanks for reporting this. It's a valid report.

To support longer passwords up to 469 bytes (since #33110) we use a larger key size when needed.

The problem is, I believe, we're not adjusting the key size in active session properly so the change fails.

The longer passwords (up to 469) are fine if set initially by the admin (or the user already has a longer password), but the user changing their password from shorter (<214) to a longer one (that is still under 469) is problematic because we have to swap the live token used in the session.

I think the cut-off is also wrong from looking at the code (250 rather than 214), but isn't the root of the issue but also a problem.