New users attempt to set the initial password fails with an internal server error #12527

Closed
level420 opened this issue Nov 19, 2018 · 11 comments

@level420

level420 commented Nov 19, 2018

Steps to reproduce

  1. Log in as administrator
  2. Create a new user with a valid email address, but without setting the password
  3. Open the sent email and click on the "reset password" link within the email

Expected behaviour

The user should be able to get to the form in order to change the password

Actual behaviour

The user gets an error page "internal server error" which is logged in nextcloud.log (see below).

Server configuration

Operating system:
current docker image docker.io/nextcloud:fpm running with docker 1.13.1 on centos 7.5.1804

Web server:
apache 2.4 with mod_proxy_fcgi to php-fpm

Database:
mariadb 5.5.62

PHP version:
7.2.12 with fpm

Nextcloud version: (see Nextcloud admin page)
14.0.3

Updated from an older Nextcloud/ownCloud or fresh install:
Fresh install via docker.io/nextcloud:fpm

Where did you install Nextcloud from:
docker image from docker.io/nextcloud:fpm

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - bookmarks_fulltextsearch: 1.0.0
  - calendar: 1.6.3
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - contacts: 2.1.7
  - dav: 1.6.0
  - deck: 0.5.0
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_fulltextsearch: 1.1.1
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - fulltextsearch: 1.1.0
  - fulltextsearch_elasticsearch: 1.0.2
  - gallery: 18.1.0
  - groupfolders: 1.3.3
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - nextcloud_announcements: 1.3.0
  - notes: 2.5.0
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - theming: 1.5.0
  - theming_customcss: 1.1.0
  - twofactor_backupcodes: 1.3.1
  - updatenotification: 1.4.1
  - workflowengine: 1.4.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_external
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "2": "myhost.mydomain.com"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "myhost.mydomain.com",
        "overwriteprotocol": "https",
        "dbtype": "mysql",
        "version": "14.0.3.0",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "default_language": "de_DE",
        "maintenance": false
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
local

Are you using encryption: yes/no
none

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
none

Client configuration

Browser:
Chrome 71, Firefox 64, Edge, Internet Explorer 11, Safari

Operating system:
Windows 7, Windows 10, OS X

Logs

Web server error log

nothing of value

Nextcloud log (data/nextcloud.log)

{"reqId":"W-KxxhDZULa4OLNsu7V-jAAAALQ","level":3,"time":"2018-11-19T12:51:18+00:00","remoteAddr":"172.19.0.3","user":"--","app":"index","method":"GET","url":"\/index.php\/lostpassword\/reset\/form\/c2zikzT1xyCNZAKe1U8iz\/testuser","message":{"Exception":"TypeError","Message":"Argument 1 passed to OC\\Security\\Crypto::decrypt() must be of the type string, null given, called in \/var\/www\/html\/core\/Controller\/LostController.php on line 180","Code":0,"Trace":[{"file":"\/var\/www\/html\/core\/Controller\/LostController.php","line":180,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},
{"file":"\/var\/www\/html\/core\/Controller\/LostController.php","line":146,"function":"checkPasswordResetToken","class":"OC\\Core\\Controller\\LostController","type":"->","args":["*** sensitive parameters replaced ***"]},
{"file":"\/var\/www\/html\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":166,"function":"resetform","class":"OC\\Core\\Controller\\LostController","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},
{"file":"\/var\/www\/html\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LostController"},"resetform"]},
{"file":"\/var\/www\/html\/lib\/private\/AppFramework\/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LostController"},"resetform"]},
{"file":"\/var\/www\/html\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LostController","resetform",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"token":"*** sensitive parameter replaced ***","userId":"*** sensitive parameter replaced ***","_route":"core.lost.resetform"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"token":"*** sensitive parameter replaced ***","userId":"*** sensitive parameter replaced ***","_route":"core.lost.resetform"}]},{"file":"\/var\/www\/html\/lib\/private\/Route\/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"token":"*** sensitive parameter replaced ***","userId":"*** sensitive parameter replaced ***","_route":"core.lost.resetform"}]},{"file":"\/var\/www\/html\/lib\/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["\/lostpassword\/reset\/form\/c2zikzT1xyCNZAKe1U8iz\/testuser"]},{"file":"\/var\/www\/html\/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"\/var\/www\/html\/lib\/private\/Security\/Crypto.php","Line":112,"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko\/20100101 Firefox\/64.0","version":"14.0.3.0"}

Browser log

Nothing of value
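
Triage of the log entry above, as an added example that is not part of the original issue or of Nextcloud's code: it pulls reset-form exceptions out of `nextcloud.log` lines and masks the token and user ID, which appear in `url` and in the router's `match` arguments even where other trace arguments are replaced. The sample entries are constructed and trimmed, and the function names are this example's own.

```python
import json
import re

# Path shape as seen in the issue's log entry: .../lostpassword/reset/form/<token>/<userId>
RESET_PATH = re.compile(r"(/lostpassword/reset/form/)[^/\s]+/[^/\s]+")

def redact(value):
    """Mask token and user ID wherever the reset path appears (url and trace args)."""
    if isinstance(value, str):
        return RESET_PATH.sub(r"\1<token>/<user>", value)
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    return value

def reset_failures(lines):
    """Return redacted summaries of exceptions logged while serving the reset form."""
    found = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or wrapped line
        msg = entry.get("message") if isinstance(entry, dict) else None
        if not isinstance(msg, dict) or not RESET_PATH.search(entry.get("url") or ""):
            continue  # plain-text message, or not a reset-form request
        top = (msg.get("Trace") or [{}])[0]
        found.append(redact({
            "reqId": entry.get("reqId"),
            "url": entry["url"],
            "exception": msg.get("Exception"),
            "failed_call": f"{top.get('class')}::{top.get('function')}",
            "called_from": f"{top.get('file')}:{top.get('line')}",
            "trace": msg.get("Trace", []),
        }))
    return found

SAMPLE_LOG = [  # constructed, trimmed entries modelled on the log line in this issue
    json.dumps({"reqId": "constructed-1",
                "url": "/index.php/lostpassword/reset/form/CONSTRUCTEDtoken123/alice",
                "message": {"Exception": "TypeError",
                            "Message": "Argument 1 passed to OC\\Security\\Crypto::decrypt() must be of the type string, null given",
                            "Trace": [{"file": "/var/www/html/core/Controller/LostController.php", "line": 180,
                                       "function": "decrypt", "class": "OC\\Security\\Crypto"},
                                      {"function": "match", "class": "OC\\Route\\Router",
                                       "args": ["/lostpassword/reset/form/CONSTRUCTEDtoken123/alice"]}]}}),
    json.dumps({"reqId": "constructed-2", "url": "/index.php/login", "message": "ok"}),
    '{"reqId": "constructed-3", "url": "/index.php/lostpass',  # truncated line, skipped
]
```

Run `reset_failures()` over the lines of `data/nextcloud.log` and share the returned summaries instead of the raw entry.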
@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #8734 (Internal Server Error on wrong password for LDAP user), #6994 (Internal Server Error), #10140 (Internal server error), #3826 (Password confirmation fails on some settings), and #5746 (Create user failed / password policy crash).

@ChristophWurst
Member

There is no reset token set for the user. Ref:

$decryptedToken = $this->crypto->decrypt($encryptedToken, $mailAddress.$this->config->getSystemValue('secret'));

@ChristophWurst
Member

I guess the reset password link should not be shown in that case.

ChristophWurst added the "1. to develop" (Accepted and waiting to be taken care of) label and removed the "feature: emails" label Nov 29, 2018
@level420
Author

@ChristophWurst but we need to handle the case where a freshly created user should be allowed to set his initial password. If the reset password link is not the right one, then a 'set initial password' link should be in the email.

@ChristophWurst
Member

I see. Thanks for your feedback.

@level420
Author

@ChristophWurst Any timeframe when this bug will be addressed? Thank you!

@ChristophWurst
Member

I can't give you any estimation right now. Do you have a Nextcloud subscription? Then I can try to prioritize this.

@johanehnberg

I can confirm this bug: creating new users on version 15.0.2 without password is as such broken.

@kesselb
Contributor

kesselb commented Nov 7, 2019

Are you able to reproduce this with newer versions? It works for me with Nextcloud 18.

rullzer removed this from the Nextcloud 16.0.6 milestone Nov 7, 2019
rullzer added this to the Nextcloud 16.0.7 milestone Nov 7, 2019
@level420
Author

level420 commented Jan 2, 2020

Just updated to nextcloud docker image 17.0.2-fpm where I could not reproduce the issue anymore.
The issue seems to be fixed with at least 17.0.2.

@kesselb
Contributor

kesselb commented Jan 2, 2020

Thanks 👍

kesselb closed this as completed Jan 2, 2020