Timeout on entering password so short it affects people with disabilities. #11819

Closed
ArmyOfMonkies opened this issue Oct 13, 2018 · 2 comments

@ArmyOfMonkies

When upgrading apps in Nextcloud you are required to enter your password again in a small little box that shows up on the app page. There is a timeout on this that is unreasonably short. My estimate is that the timeout is 10 seconds. For a fully fit person with normal typing skills using a keyboard this is not an issue. But for people with disabilities the 10-second timeout is just impossible to meet. It can even get tricky for fully fit people if they use a touch device such as a mobile phone and have a passphrase with lots of non-standard characters that take time to input.

I'm also a bit puzzled by the need for someone already logged in as administrator to have to enter the password again. At least as long as there are lots of other critical things the administrator can do without entering the password again, such as removing apps altogether.

Steps to reproduce

  1. Click the upgrade button for an upgradable app in the app page under settings
  2. Type in the password too slow, my estimate is 10 seconds
  3. The upgrade fails with a message saying you took too long to enter the password

Expected behaviour

The system should wait a reasonable time before aborting the authentication process.

Actual behaviour

The system aborts the authentication process after an unreasonably short time and the app upgrade fails.

Server configuration

Operating system: Ubuntu 18.04 LTS

Web server: Apache 2.4.29

Database: SQLite 3.22.0

PHP version: 7.2.10

Nextcloud version: 14.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded from an older Nextcloud version

Where did you install Nextcloud from: www.nextcloud.com

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - admin_audit: 1.4.0
  - apporder: 0.5.0
  - audioplayer: 2.4.1
  - bookmarks: 0.13.1
  - bruteforcesettings: 1.1.0
  - calendar: 1.6.2
  - circles: 0.15.1
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - contacts: 2.1.6
  - dav: 1.6.0
  - deck: 0.4.1
  - encryption: 2.2.0
  - external: 3.1.0
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_accesscontrol: 1.4.0
  - files_automatedtagging: 1.4.0
  - files_downloadactivity: 1.3.0
  - files_markdown: 2.0.4
  - files_pdfviewer: 1.3.2
  - files_retention: 1.3.0
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - groupfolders: 1.3.3
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - metadata: 0.7.0
  - mindmaps: 0.1.0
  - news: 13.0.2
  - nextcloud_announcements: 1.3.0
  - notes: 2.4.2
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - ownbackup: 18.8.1
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - qownnotesapi: 18.8.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - spreed: 4.0.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - tasks: 0.9.7
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.1
  - twofactor_totp: 1.5.0
  - updatenotification: 1.4.1
  - user_ldap: 1.4.0
  - workflowengine: 1.4.0
Disabled:
  - bookmarks_fulltextsearch
  - files_external
  - files_fulltextsearch
  - files_opds
  - files_reader
  - fulltextsearch
  - mail
  - passman
  - quicknotes
  - richdocuments
  - twofactor_u2f
  - user_external

Nextcloud configuration:


{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "**REMOVED SENSITIVE VALUE***",
            "**REMOVED SENSITIVE VALUE***",
            "**REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "sqlite3",
        "version": "14.0.1.1",
        "installed": true,
        "forcessl": true,
        "appcodechecker": false,
        "theme": "",
        "maintenance": false,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "appstore.experimental.enabled": true,
        "loglevel": 0,
        "trashbin_retention_obligation": "auto",
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\Epub",
            "OC\\Preview\\PDF"
        ],
        "updatechecker": false,
        "overwrite.cli.url": "**REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
    }
}

Are you using external storage, if yes which one: only local storage

Are you using encryption: no
Are you using an external user-backend, if yes which one: no


Client configuration

Browser: Chrome and Firefox

Operating system: ChromeOS and Fedora 28

Logs

Web server error log

Nextcloud log (data/nextcloud.log)

Browser log

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #11271 (password timeout for enable/disable apps too quick to enter password), #11448 (Admin password confirmation popup timeout is too short), #5935 (Check password after second factor code entered), #11224 (Password input time for admin reaproval to short), and #8785 (Password expiration).

@MorrisJobke
Member

Thanks for the report - we already have a ticket about this: #11224 - let me close this here then and continue in #11224
