Skip to content

fix(authentication): Only verify each hash once #36048

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nickvergessen merged 4 commits into from
Jan 10, 2023
Merged

fix(authentication): Only verify each hash once #36048

nickvergessen merged 4 commits into from
Jan 10, 2023

Conversation

@nickvergessen
Copy link
Member

@nickvergessen nickvergessen commented Jan 9, 2023

Fix #36046

Regression from #33898

While the given patch heavily improves the situation, it still performs kind of a DDoS attach on the database, as all entries get updated on each authentication, which also is on basic auth.

I might be wrong, but I think $this->hasher->verify is meant to be !$this->hasher->verify, so we update the password of all tokens that do NOT decrypt to the current password?

Checklist

@nickvergessen nickvergessen added this to the Nextcloud 26 milestone Jan 9, 2023
@marcelklehr
Copy link
Member

marcelklehr commented Jan 9, 2023

Yep, I'm sorry. I messed up the !

@nickvergessen
fix(authentication): Invert the logic to the original intention
c5bb196 
We need to store the new authentication details when the hash did **not** verify
the old password.

Signed-off-by: Joas Schilling <[email protected]>
marcelklehr
marcelklehr reviewed Jan 9, 2023
View reviewed changes
marcelklehr
marcelklehr reviewed Jan 9, 2023
View reviewed changes
@nickvergessen nickvergessen self-assigned this Jan 9, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2023
View reviewed changes
@nickvergessen nickvergessen force-pushed the bugfix/36046/only-verify-the-same-hash-once branch from 0810d46 to 2fb4dac Compare January 9, 2023 15:32
@nickvergessen nickvergessen mentioned this pull request Jan 9, 2023
Closed
@marcelklehr
Copy link
Member

marcelklehr commented Jan 9, 2023

Thanks! Looks much better now :)

@ChristophWurst ChristophWurst added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Jan 10, 2023
@nickvergessen nickvergessen merged commit fc096ae into master Jan 10, 2023
@nickvergessen nickvergessen deleted the bugfix/36046/only-verify-the-same-hash-once branch January 10, 2023 14:40
@ChristophWurst ChristophWurst mentioned this pull request Jan 24, 2024
Closed
@marcelklehr
Copy link
Member

marcelklehr commented Jan 29, 2024

Customer reports slowdowns on basic auth with this applied to stable25

@nickvergessen
Copy link
Member Author

nickvergessen commented Jan 29, 2024

See above your comment?
grafik

@marcelklehr
Copy link
Member

marcelklehr commented Jan 29, 2024

Yes, that is the patch that causes slowdowns

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marcelklehr marcelklehr marcelklehr approved these changes

@juliusknorr juliusknorr juliusknorr approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

Assignees

@nickvergessen nickvergessen

Labels

4. to release Ready to be released and/or waiting for tests to finish bug feature: authentication performance 🚀 regression

Projects

None yet

Milestone

Nextcloud 26

Development

Successfully merging this pull request may close these issues.

[Bug]: Password update routine slowness

5 participants

@nickvergessen @marcelklehr @juliusknorr @ChristophWurst