`occ user:add-app-password` should also work without the users login password

[schiessle]

The occ command user:add-app-password should work without the users login password.

If a admin needs to create a app password for a user for whatever reasons (e.g. in migration szenarios) it is quite unlikely that they know the login password from the users. The provisioning API and the graphical user management allow the admin to change the users password without knowing the old one. Why should the user:add-app-password be more strict?

Second, in case of SSO no user has a login password on Nextcloud. All passwords are handled by the IDP. The current behavior of the occ command makes it completely useless in any SSO environment.

Therefore I would suggest to remove the password input/check or at least make it optional.

[wiswedel]

Regardless of what you enter as a password, it's not validated anyway. The generated app password works - even if the password is wrong.
ref: https://github.com/nextcloud/server/blob/master/core/Command/User/AddAppPassword.php#L118

So the password check can as well be dropped.

[rullzer]

The password is there because we validate it if the backend supports it. So it is validated on actual use.
Same for SMB etc.

But sure feel free to shoot in a PR to make it optional.

[wiswedel]

The password is there because we validate it if the backend supports it. So it is validated on actual use.

That's the thing: we don't.

Steps to reproduce

1. Have a local user Alice with password Bob123
2. Test the password with a PROPFIND Dav API call authenticating with -u Alice:Bob123 --> works
3. Test a wrong password with a PROPFIND Dav API call authenticating with -u Alice:Bob1234 --> [...] Username or password was incorrect [...] --> works as intended
4. Run occ user:add-app-password Alice
5. Prompt asks for password: Type asdfasdfasdf --> output=token
6. Run Call from 2. but replace Bob123 with token from 5.

Expected behavior

• Token gets rejected

Actual behavior

• Token gets accepted as app password --> no validation of the entered password happening

[szaimen]

So the generated token works although the provided password was wrong? If yes, we should probably drop all password related parts of the code. If the generated token doesn't work, we should probably validate the password correctly, no?

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

[yoyoyonas]

So the generated token works although the provided password was wrong?

That's correct. Tested on NC 21.0.3.