App Passwords generated via API not working #6147

Open
5 tasks done
phoenixtechnam opened this issue Nov 8, 2024 · 4 comments

phoenixtechnam commented Nov 8, 2024

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

I am using a script to generate app passwords for specific user accounts via the API.
The API call succeeds and returns the same PW as was generated by the script.
But when trying to use the generated app password for login, it does not work.
When updating the same app password via the UI, login starts working.

Logs:

```
EPmC4LDpfMMjY5Fj9wHzyxwDbX76gq    <-- PW generated by my script

API Response:
[{"type":"success","log":["app_passwd","add",{"username":"[email protected]","app_name":"WEBMAIL","app_password":"EPmC4LDpfMMjY5Fj9wHzyxwDbX76gq","app_password2":"EPmC4LDpfMMjY5Fj9wHzyxwDbX76gq","active":"1","protocols":["imap_access","dav_access","smtp_access","eas_access","pop3_access","sieve_access"]}],"msg":"app_passwd_added"}]
```

Steps to reproduce:

1. Generate random PW and API request data
2. Issue API request
3. Evaluate response and extract returned app PW
4. Try IMAP login with app PW, it fails
5. Using the very same PW, update the app password in the Mailcow Web UI
6. IMAP login now works

Which branch are you using?

nightly

Which architecture are you using?

x86

Operating System:

Debian 12

Server/VM specifications:

4cores, 8GB Ram

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

27.3.1

docker-compose version or docker compose version:

v2.29.7

mailcow version:

Build: 2024-09-06 10:05:00 +0200

Reverse proxy:

no

Logs of git diff:

.

Logs of iptables -L -vn:

.

Logs of ip6tables -L -vn:

.

Logs of iptables -L -vn -t nat:

.

Logs of ip6tables -L -vn -t nat:

.

DNS check:

.
@DerLinkman
Member

@FreddleSpl0it intended?

@FreddleSpl0it
Collaborator

You extracted the app_passwd from the api response?
The api returns 'app_passwd': '*', 'app_passwd2': '*'

I could not reproduce the issue with these scripts on nightly branch

create-apppasswd.py

```python
import requests

url = "https://mailcow.tld/api/v1/add/app-passwd"
username = "[email protected]"
app_password = "EPmC4LDpfMMjY5Fj9wHzyxwDbX76gq"
api_key = "APIKEY"
app_name = "testapp"


headers = {
  "X-API-Key": api_key,
  "Content-Type": "application/json"
}
payload = {
  "active": "1",
  "username": username,
  "app_name": app_name,
  "app_passwd": app_password,
  "app_passwd2": app_password,
  "protocols": [
    "imap_access",
    "dav_access",
    "smtp_access",
    "eas_access",
    "pop3_access",
    "sieve_access"
  ]
}

try:
  response = requests.post(url, json=payload, headers=headers)

  if response.status_code == 200:
    print("App password created successfully.")
    print("Response:", response.json())
  elif response.status_code == 401:
    print("Authentication failed. Please check your credentials.")
    print("Response:", response.json())
  else:
    print(f"Request failed with status code {response.status_code}")
    print("Response:", response.json())

except requests.RequestException as e:
  print(f"An error occurred: {e}")
```

check-apppasswd.py

```python
import imaplib


imap_server = "127.0.0.1"
imap_port = 993
username = "[email protected]"
app_password = "EPmC4LDpfMMjY5Fj9wHzyxwDbX76gq"

try:
  mail = imaplib.IMAP4_SSL(imap_server, imap_port)
  login_status, login_message = mail.login(username, app_password)

  if login_status == "OK":
    print("IMAP login successful.")
    print("Login message:", login_message)
    mail.logout()
  else:
    print("IMAP login failed.")
    print("Login message:", login_message)

except imaplib.IMAP4.error as e:
  print(f"IMAP login error: {e}")
```

@phoenixtechnam
Author

@FreddleSpl0it I updated mailcow today via update.sh.
Issue is not resolved for me. The API response still contains the actual app passwords as shown above.
Login still doesn't work using the new PW.

@phoenixtechnam
Author

Was finally able to fix this issue, I had used a wrong attribute name in payload "app_password" instead of "app_pw"...
Embarrassing :-( but thanks for your help, this issue can be closed!

If #6082 could be fixed, I would achieve full provisioning of OIDC user accounts via API
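
A provisioning script can refuse to trust `"type":"success"` alone and inspect the payload echoed in the response, which in this thread was the visible difference between the failing and the working request. This is an added example, not part of the thread or of mailcow's code; the field names and the `*` mask are taken from the collaborator's script and reply, while `check_add_response`, the sample bodies and the placeholder secret are constructed here.

```python
import json

# Field names come from the collaborator's create-apppasswd.py in this thread;
# the "*" mask comes from the collaborator's description of the API echo.
EXPECTED_SECRET_KEYS = ("app_passwd", "app_passwd2")
MASK = "*"
SECRET = "CONSTRUCTED-SECRET"  # constructed placeholder, not a real credential


def _response(fields):
    """Build a constructed response in the shape quoted in the issue."""
    payload = {"username": "user@example.org", "app_name": "WEBMAIL",
               "active": "1", **fields}
    return json.dumps([{"type": "success",
                        "log": ["app_passwd", "add", payload],
                        "msg": "app_passwd_added"}])


# Constructed samples: BAD repeats the reporter's field names and clear-text
# echo, GOOD shows the masked echo the collaborator describes.
BAD = _response({"app_password": SECRET, "app_password2": SECRET})
GOOD = _response({"app_passwd": MASK, "app_passwd2": MASK})


def check_add_response(body, submitted_secret):
    """Return a list of problems; an empty list means the echo looks right."""
    problems = []
    for entry in json.loads(body):
        if entry.get("type") != "success":
            problems.append(f"API reported {entry.get('type')}: {entry.get('msg')}")
            continue
        log = entry.get("log") or []
        echoed = log[2] if len(log) > 2 and isinstance(log[2], dict) else {}
        for key in EXPECTED_SECRET_KEYS:
            if key not in echoed:
                problems.append(f"expected field {key!r} missing from echo")
            elif echoed[key] != MASK:
                problems.append(f"field {key!r} is not masked in the response")
        leaked = sorted(k for k, v in echoed.items() if v == submitted_secret)
        if leaked:
            problems.append("secret echoed in clear under: " + ", ".join(leaked))
    return problems


if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_add_response(body, SECRET) or "ok")
```

A non-empty result is a reason to stop provisioning and to keep the raw response body out of logs, since it may contain the secret.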
