Password input time for admin reaproval to short

[nextgen-networks]

When changing settings for nextcloud via web interface the timeframe is to short to type in ma password.
This happens if an session exists a couple of time and reaproval of credentials is forced.

In case you have an very long (and hopefully a secure) password the timeframe to type in exeeds an you face an error message.
This feature has been introduced in NC14.

I've found no option to extend the timeframe for the password input in the web interface.

Please make it configureable.

[nextcloud-bot]

GitMate.io thinks possibly related issues are #10706 (Add admin password time indicator), #213 (Allow admin to define a password rules), #3416 (admin password confirmation problem), #1261 (force password change for all users by admin), and #3777 (Change of user passwords by admin fails).

[ghost]

Was just having the same issue when doing it from the phone. It's very difficult to type a long password in time.

[kesselb]

server/settings/src/store/api.js

Line 89 in 40bb452

}, 7000);

indeed. 7 seconds are a bit short.

[MorrisJobke]

cc @nickvergessen @skjnldsv

[skjnldsv]

We need to migrate to https://github.com/ChristophWurst/nextcloud-password-confirmation/blob/master/confirmation.js

[MorrisJobke]

cc @ChristophWurst

[ChristophWurst]

We need to migrate to https://github.com/ChristophWurst/nextcloud-password-confirmation/blob/master/confirmation.js

I think the problem is that the code times our at the wrong layer. There should be a timeout, but on the password confirmation dialogue itself. This timeout error should be propagated to the code that requested password confirmation.

Otherwise you still see the password confirmation dialogue, but the code that requested it might already have considered it as timed out and the callback leads to undefined behavior.

[skjnldsv]

@ChristophWurst if we use await or .then it should be fine, right?

[ChristophWurst]

No, because OC.PasswordConfirmation.requirePasswordConfirmation only resolves on success and never rejects on error/timeout.

[skjnldsv]

@ChristophWurst Ah, I thought you worked around this.
This is the time where we need our modal component, right? :)

[ChristophWurst]

Either that or adjust the existing code 😉

[FlorianFranzen]

So let me get this straight: I can only update my apps if I am being able to type my password within seven seconds (as the occ command does not support updating apps, #8773)?

What is the purpose of a timeout in the first place? What is gained by timing out the dialog?

[TheNomad11]

Still not fixed?

[kesselb]

server/settings/src/store/api.js

Line 89 in 40bb452

}, 7000);

is the only place where requirePasswordConfirmation is used with a timeout in nextcloud\server. Why is there a timeout for password confirmation in this place? @skjnldsv @ChristophWurst

[ChristophWurst]

f330655#diff-176813153209ad865076f526b3568ae1R65 @skjnldsv 👀

[skjnldsv]

@ChristophWurst yes, we just need to migrate to your solution or to nextcloud-axios?

[kesselb]

Is there a technical reason why you need the timeout here? Could you just drop it and use it like anywhere else in nextcloud\server?

[skjnldsv]

Is there a technical reason why you need the timeout here? Could you just drop it and use it like anywhere else in nextcloud\server?

Yes there is a valid reason behind.
And yes we can drop by using another implementation

[ChristophWurst]

@ChristophWurst yes, we just need to migrate to your solution or to nextcloud-axios?

Well, https://www.npmjs.com/package/nextcloud-password-confirmation does just call OC.PasswordConfirmation.requirePasswordConfirmation and never resolves if the user does not enter a correct password. https://www.npmjs.com/package/nextcloud-axios is unrelated to this issue.

[nado]

Is there a technical reason why you need the timeout here? Could you just drop it and use it like anywhere else in nextcloud\server?

Yes there is a valid reason behind.

Care to explain what is the reason? I suppose myself and others dont exactly see the point of it.

[skjnldsv]

Is there a technical reason why you need the timeout here? Could you just drop it and use it like anywhere else in nextcloud\server?

Yes there is a valid reason behind.

Care to explain what is the reason? I suppose myself and others dont exactly see the point of it.

Of course :)
It was a technical issue because I did not found a proper way to use an asynchronous callback on the password confirmation and we had to set a limit for the script to wait for the dialog to resolve instead of directly use the user input to detect if the user did something. With @ChristophWurst's implementation it will be all fixed! 🤗

[Scorry]

And, finally, how to disable this behavior?

[ChristophWurst]

skjnldsv moved this from To do to Priorities (up next) in Skjnldsv's Tasks 2 days ago

Thanks 🙌

[MorrisJobke]

Will be shipped with 14.0.4