v12.6.0 broke user authentication #496

Open
kovacs-andras opened this issue Feb 29, 2024 · 15 comments

Comments

@kovacs-andras

Hello! I tried to update my container based server to the latest v12.6.0 release, but authentication is not working.
Neither the passwords nor the TOTP codes (on a password reset) are accepted.
Reverting to onlyoffice/communityserver:12.5.2.1848 authentication is working again.
I couldn't find any specific logs.

@Carazyda
Member

Hello @kovacs-andras, please describe in more detail how you installed Onlyoffice and how you updated it to the latest version. Also, check web.log and web.api.log for errors.

@kovacs-andras
Author

It's container based, started by docker compose.
This image is working: onlyoffice/communityserver:12.5.2.1848
This one isn't: onlyoffice/communityserver:12.6.0.1900
I updated it with docker compose up-down.
My other containers are:

  • mysql:8.0.36
  • onlyoffice/documentserver:8.0.1.1

In my onlyoffice-community-server container the following services are disabled:

  • elasticsearch.service
  • jabber.god
  • onlyofficeJabber.service
  • onlyofficeMailAggregator.service
  • onlyofficeMailCleaner.service
  • onlyofficeMailImap.service
  • onlyofficeMailWatchdog.service
  • onlyofficeRadicale.service
  • onlyofficeSsoAuth.service
  • onlyofficeTelegram.service
  • onlyofficeUrlShortener.service
  • onlyofficeWebDav.service

I execed into my running onlyoffice-community-server container where the mentioned /var/log/onlyoffice/web.api.log is empty. The other one, /var/log/onlyoffice/web.log has a bunch of WARN [5] localhost - ASC.Core - Can not decrypt cookie:... and ERROR [24] localhost - ASC.Core - Authenticate error: cookie... messages in it, but the log file is not growing with new login attempts.

It was a pretty old install which I upgraded last year (step-by-step from version-to-version). I lost all my old passwords somewhere around onlyoffice/communityserver:12.1.0.1760 - 12.5.1.1837 but since then the authentication was not an issue.
I can send a password reset email for any user account but when it asks for TOTP it won't be accepted either.
If I revert to onlyoffice/communityserver:12.5.2.1848 everything works just fine.

@kovacs-andras
Author

I also realised that there was a failing sed command previously when I started this container, which threw a bunch of errors, but that has vanished now.

@kovacs-andras
Author

As I mentioned, when I'm trying to reset my password it asks for a TOTP code and it doesn't work. I tried the backup codes but those don't work either.

@Carazyda
Member

What error do you get when logging in? What about when resetting the password? Can you attach screenshots?

@kovacs-andras
Author

I couldn't find any relevant errors yet.
Password reset is not working. The link in the password reset email is still asking for the TOTP, which is also not working, nor are any of the recovery codes.
Downgrading to the previous image it works again.

@Carazyda
Member

Carazyda commented Mar 1, 2024

I mean, what's the error in your browser? Incorrect verification code? Can you try disabling 2FA, then update to 12.6 and try logging in?

@kovacs-andras
Author

On the UI it says: "Invalid username or password."
When I'm trying to reset my password via email, following the reset link and then typing my PIN into the box, it says: "Incorrect code"
The recovery codes aren't working either.

As a bunch of sed commands have been fixed in run-document-server.sh I bind-mounted the previous version from the previous release but it didn't help.

Rolling back to the previous image onlyoffice/communityserver:12.5.2.1848 made things work again.

@ns2nata

ns2nata commented Mar 9, 2024

Any update on this issue? I have the same problem... running WinServer 2019... updating to 12.6 broke the authorization with "Invalid username or password", for both administrators and users. I used ONLYOFFICE_CommunityServer_Win-install.v12.6.1258 to update.

@Carazyda
Member

Can you check the machinekey value in web.appsettings.config before and after the update, is it the same?

Also check passwordHash in your browser console. In Google Chrome, in the Network tab, you need to enable "Keep log" and for "auth.aspx" check in "Payload". Are these values the same before and after the update?

@kovacs-andras
Author

@Carazyda The value of passwordHash is different before and after the update. I've copy-diffed the /var/www/onlyoffice/WebStudio/web.appsettings.config file from both the old (working) and new containers.
Old (good): <add key="core.machinekey" value="Vskoproizvolny Salt par Chivreski" />
New (bad): <add key="core.machinekey" value="core_secret" />

The environment variable in the new and old containers is the same:
ONLYOFFICE_CORE_MACHINEKEY=core_secret

@kovacs-andras
Author

After I bind-mounted the web.appsettings.config with the old core.machinekey" value="Vskoproizvolny Salt par Chivreski" the authentication works again, now with onlyoffice/communityserver:12.6.0.1900 !
Could this be related to the previously failing sed commands?

@kovacs-andras
Author

kovacs-andras commented Mar 13, 2024

I changed the content of the read-only ./CommunityServer/data/.private/machinekey from core_secret to my old Vskoproizvolny Salt par Chivreski and it works fine!
But I guess I should change this core secret somehow to something random. Am I right?

Many thanks @Carazyda !!! 🥳🥳🥳
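The root cause worked out in the comments above is a machinekey that silently changed from the portal's original value to the literal `core_secret`, so stored password hashes no longer verify. The following is an added pre-upgrade check, not code from the issue or from the ONLYOFFICE project: it extracts `core.machinekey` from a `web.appsettings.config`, compares it with the bind-mounted `./CommunityServer/data/.private/machinekey` file and with `ONLYOFFICE_CORE_MACHINEKEY`, and fails on any disagreement. The sample config files and key values are constructed from the values quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the issue or ONLYOFFICE): verify that the machinekey
# a new container will use matches the one the existing hashes were made with.

# Print the core.machinekey value from a web.appsettings.config file.
extract_machinekey() {
    sed -n 's/.*<add key="core.machinekey" value="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Args: config file, .private/machinekey file, env value (may be empty).
# Returns 0 only if every source that is present agrees.
check_machinekey() {
    cfg=$(extract_machinekey "$1")
    file_key=$(tr -d '\r\n' < "$2")
    env_key=$3
    status=0
    [ -n "$cfg" ] || { echo "no core.machinekey found in $1"; status=1; }
    [ "$cfg" = "$file_key" ] || {
        echo "config ($cfg) != .private/machinekey ($file_key)"; status=1; }
    [ -z "$env_key" ] || [ "$cfg" = "$env_key" ] || {
        echo "config ($cfg) != ONLYOFFICE_CORE_MACHINEKEY ($env_key)"; status=1; }
    return $status
}

# Constructed sample files mirroring the "old (good)" and "new (bad)" configs.
tmp=$(mktemp -d)
cat > "$tmp/old.config" <<'EOF'
<appSettings>
  <add key="core.machinekey" value="Vskoproizvolny Salt par Chivreski" />
</appSettings>
EOF
cat > "$tmp/new.config" <<'EOF'
<appSettings>
  <add key="core.machinekey" value="core_secret" />
</appSettings>
EOF
printf 'Vskoproizvolny Salt par Chivreski\n' > "$tmp/machinekey"

check_machinekey "$tmp/old.config" "$tmp/machinekey" "" && echo "old image: consistent"
check_machinekey "$tmp/new.config" "$tmp/machinekey" "core_secret" \
    || echo "new image: MISMATCH, logins will fail; fix the key before upgrading"
```

Run it against the real paths (e.g. via `docker exec` into the container) before pulling a new image; a mismatch is the condition this thread hit.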

@Carazyda
Member

I don't think you should change the secret after using the portal for several years. This will cause more difficulties than practical benefits.

Can you clarify whether the variable was specified in the original yml file during installation?
environment: - ONLYOFFICE_CORE_MACHINEKEY=core_secret

@kovacs-andras
Author

Thanks! I won't change it.
Unfortunately I haven't been there at the time of the installation.
It has been installed with onlyoffice/communityserver 9.6.1.627 and I upgraded it step-by-step, version-to-version.
