"Disconnect" application password should kill its open sessions

[SamuAlfageme]

Directly related to #27845

Steps to reproduce

1. Create an application password and use it to login in a Desktop/Mobile client
2. Click on "Disconnect" the application

Expected behavior

• The same behavior as it happens with the webUI:
  • (After s.1) - The session appears listed in https://<server>/index.php/settings/personal?sectionid=security#sessions -> Sessions of Desktop, iOS and Android clients should be shown #27845
  • (After s.2) - The sessions are deleted and refreshing the browser redirects to login
• The same effect as revoking an OAuth2 application authorized on https://<server>/index.php/settings/personal?sectionid=security#oauth-2.0: the clients re-asks for authorization (credentials, in this case) again.

Actual behavior

The session tokens are still valid even when they don't appear listed in authtoken in the DB (where are these stored then?) and the Desktop client is able to use them for syncing until the client is restarted (when it uses the password stored in the keychain to re-authenticate and fails)

[DeepDiver1975]

@Peter-Prochaska something for you I guess ;-)

[SamuAlfageme]

Resolved in #28879

[PVince81]

I've observed this yesterday on 10.0.5 final.

[ownclouders]

Hey, this issue has been closed because the label status/STALE is set and there were no updates for 7 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

[individual-it]

in 10.0.8RC1 the sessions of the client are listed now, but even "disconnecting" them does not end the session of the client. Next time the client syncs a new session is established

[phil-davis]

I guess that is expected behavior? When the client syncs again it will provide valid authentication (it knows the username/password for the account on the server). And so the server will establish a session for it, just as if it is the first time that it connected.

To stop that, the sequence would need to be:

1. Change password on the server
2. Delete existing session/s

The the next connect from the client will have an invalid password.

[individual-it]

as I've deleted the app password the client cannot provide any valid authentication anymore

[butonic]

yeah, known issue I would say. same happens for oauth based sessions. you have to delete the app password or oauth token to prevent sessions from reviving.

[ownclouders]

Hey, this issue has been closed because the label status/STALE is set and there were no updates for 7 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.