
[Bug]: Some users can access webdav with their password with token_auth_enforced set #50279

Open
6 of 8 tasks
rseabra opened this issue Jan 20, 2025 · 1 comment
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 30-feedback bug

Comments

@rseabra

rseabra commented Jan 20, 2025


Bug description

NOTE: the server is slightly out of date, but will be updated on Friday in a week or two, pending scheduled maintenance approval; however, it's very recent (30). Also, this is so strange that I doubt it will be changed by the time we complete the update.

We have token_auth_enforced set to true, but some users are able to map a web drive in Windows using their username + password, whilst when trying to access with cadaver they can't.

It's not all users, and I haven't found a way to determine which, but I have a couple to compare, say guser1, who could (BAD), and ouser2, who can't (OK).
I will replace further occurrences of their logins with these tokens.

My first suspicion was that it happened because they're LDAP users, but both guser1 and ouser2 are similar LDAP users with the same privileges.

My second suspicion is that it's something related to their age, as those we tested that can't are less than 4 years old, whilst those we tested that could were 4 years old and older.

Steps to reproduce

I'm unsure how to reproduce.

Expected behavior

No user should be able to access their files via webdav with their password, they should all have to use an app token.

Nextcloud Server version

30

Operating system

RHEL/CentOS

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "has_internet_connection": true,
        "dns_pinning": false,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "version": "30.0.0.14",
        "dbtype": "mysql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "appstoreenabled": true,
        "updatechecker": true,
        "log_type": "syslog",
        "log_authfailip": true,
        "forcessl": true,
        "proxy": "myProxy:8080",
        "proxyexclude": [
            "nextcloud.example.com"
        ],
        "logtimezone": "Europe\/Lisbon",
        "remember_login_cookie_lifetime": 3600,
        "session_lifetime": 900,
        "session_keepalive": true,
        "auto_logout": false,
        "token_auth_enforced": true,
        "loglevel": 2,
        "maintenance": false,
        "maintenance_window_start": 1,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "user": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 0
        },
        "trusted_domains": [
            "nextcloud.example.com"
        ],
        "overwrite.cli.url": "https:\/\/nextcloud.example.com",
        "overwrite.cli.protocol": "https",
        "ldapIgnoreNamingRules": false,
        "login_form_autocomplete": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mysql.utf8mb4": true,
        "csrf.optout": [
            "\/^SomeIdiot\/"
        ],
        "default_phone_region": "PT",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "app_install_overwrite": [
            "files_mindmap",
            "announcementcenter",
            "files_trackdownloads",
            "quicknotes",
            "files_antivirus",
            "twofactor_admin",
            "forms"
        ],
        "trashbin_retention_obligation": "7, auto",
        "versions_retention_obligation": "7, auto",
        "tempdirectory": "\/var\/lib\/nextcloud\/data\/tmp"
    }
}

List of activated Apps

$ occ app:list
Enabled:
  - activity: 3.0.0
  - admin_audit: 1.20.0
  - analytics: 5.2.3
  - announcementcenter: 7.1.0
  - bookmarks: 15.0.4
  - bruteforcesettings: 3.0.0
  - calendar: 5.0.9
  - checksum: 1.2.5
  - circles: 30.0.0-dev
  - cloud_federation_api: 1.13.0
  - comments: 1.20.1
  - contacts: 6.1.3
  - contactsinteraction: 1.11.0
  - dav: 1.31.1
  - deck: 1.14.3
  - federatedfilesharing: 1.20.0
  - files: 2.2.0
  - files_accesscontrol: 1.20.1
  - files_antivirus: 5.6.1
  - files_automatedtagging: 1.20.0
  - files_downloadactivity: 1.17.0
  - files_downloadlimit: 3.0.0
  - files_external: 1.22.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - files_versions: 1.23.0
  - firstrunwizard: 3.0.0
  - flow_notifications: 1.10.1
  - forms: 4.3.5
  - groupfolders: 18.0.8
  - groupquota: 0.2.1
  - impersonate: 1.17.1
  - lookup_server_connector: 1.18.0
  - notes: 4.11.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - ownershiptransfer: 1.0.1
  - password_policy: 2.0.0
  - phonetrack: 0.8.2
  - photos: 3.0.2
  - polls: 7.2.9
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - quota_warning: 1.20.0
  - recommendations: 3.0.0
  - related_resources: 1.5.0
  - secrets: 2.1.2
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - spreed: 20.1.2
  - support: 2.0.0
  - survey_client: 2.0.0
  - suspicious_login: 8.0.0
  - systemtags: 1.20.0
  - tables: 0.8.3
  - tasks: 0.16.1
  - text: 4.1.0
  - theming: 2.5.0
  - twofactor_admin: 4.7.1
  - twofactor_backupcodes: 1.19.0
  - twofactor_totp: 12.0.0-dev
  - twofactor_webauthn: 2.0.0
  - updatenotification: 1.20.0
  - user_ldap: 1.21.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - weather_status: 1.10.0
  - webhook_listeners: 1.1.0-dev
  - whiteboard: 1.0.4
  - workflow_script: 1.15.0
  - workflowengine: 2.12.0
Disabled:
  - dashboard: 7.10.0 (installed 7.10.0)
  - drawio: 3.0.3 (installed 3.0.3)
  - encryption: 2.18.0 (installed 2.13.0)
  - federation: 1.20.0 (installed 1.3.0)
  - logreader: 3.0.0 (installed 2.14.0)
  - nextcloud_announcements: 2.0.0 (installed 1.11.0)
  - twofactor_nextcloud_notification: 4.0.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

unsure which entries to place

Additional info

No response
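The report is that, with token_auth_enforced set, a PROPFIND against the WebDAV endpoint still succeeds with a plain password for some accounts. The script below is an added example (not part of the issue or of Nextcloud) that an admin can run against their own instance with a test account to confirm which case a given user falls into; the hostname is the issue's placeholder, and the 207/401 status interpretation is an assumption about how a PROPFIND is answered.

```shell
#!/bin/sh
# Added example: verify that token_auth_enforced rejects password logins on
# the Nextcloud WebDAV endpoint for a given user, by issuing the same Depth: 0
# PROPFIND once with the password and once with an app token.
# Assumptions: a 2xx (207 Multi-Status) means the credentials were accepted,
# a 4xx (401) means they were rejected; the account is your own test account.

# dav_status BASE_URL USER SECRET -> prints the HTTP status of the PROPFIND
dav_status() {
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --request PROPFIND --header 'Depth: 0' \
         --user "$2:$3" "$1/remote.php/dav/files/$2/"
}

# judge_enforcement PASSWORD_STATUS TOKEN_STATUS -> OK | BAD | INCONCLUSIVE
judge_enforcement() {
    pw="$1"; tok="$2"
    case "$pw" in
        2*) echo BAD ;;                  # password accepted on DAV: not enforced
        4*) case "$tok" in
                2*) echo OK ;;           # password refused, token works: enforced
                *)  echo INCONCLUSIVE ;; # token refused too: wrong creds or URL
            esac ;;
        *)  echo INCONCLUSIVE ;;         # 5xx, redirect, or 000 (no connection)
    esac
}

# check_user BASE_URL USER PASSWORD APP_TOKEN -> prints "user: verdict (...)"
check_user() {
    pw_status=$(dav_status "$1" "$2" "$3")
    tok_status=$(dav_status "$1" "$2" "$4")
    verdict=$(judge_enforcement "$pw_status" "$tok_status")
    echo "$2: $verdict (password=$pw_status, token=$tok_status)"
}

# Only runs when all four arguments are given, so the functions can be sourced:
#   ./check_dav_auth.sh https://nextcloud.example.com guser1 'password' 'app-token'
if [ "$#" -eq 4 ]; then
    check_user "$1" "$2" "$3" "$4"
fi
```

Failed password attempts count toward Nextcloud's brute-force protection (bruteforcesettings is enabled on this instance), so run it sparingly and only against accounts you control.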

@rseabra rseabra added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jan 20, 2025
@solracsf solracsf changed the title [Bug]: some users can access webdav with their password even with token_auth_enforced [Bug]: Some users can access webdav with their password with token_auth_enforced set Jan 20, 2025
@rseabra
Author

rseabra commented Jan 20, 2025

The maintenance window was brought forward to this Friday.
Please let me know what further information you may need in order to try to infer the root cause.
