[Bug]: Something Leads to MFA Login Loop

[rtfmkiesel]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

When my colleagues and I are trying to log into our Nextcloud instance, we cannot do so without clearing our browser cache. If we did not clear our cache before accessing the site, we would land in an endless loop. The issue only happens with Firefox-based browsers (and not even all of them). It was tested with all browser extensions disabled, just in case.

Behavior/To reproduce

0. Have a valid session the last time the browser was open. (yesterday, before lunch, ...)
1. Open the browser, go to the base URL, get redirected to /login
2. Enter credentials -> the POST /login request results in a redirect to /login/selectchallenge since we enforce MFA
3. Select an MFA method (We use TOTP and WebAuthn, the issue happens with both)
4. This results in the browser making a GET /login/challenge/totp request (in the case of TOTP) -> The server responds with a redirect to /login?redirect_url=/login/challenge/totp and we are back on the login page ¯_(ツ)_/¯

If we repeat this, the response from the server will always append the redirect_url parameter. So after the 2nd cycle, we end up on /login?redirect_url=/login/challenge/totp?redirect_url%3D/login/challenge/totp.

After some debugging, I landed in lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php due to the debug log printing:

"File":"/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":134,"message":"Current user is not logged in","exception":{},"CustomMessage":"Current user is not logged in"

In there, we get a NotLoggedInException because $authorized is false. Somehow, we fail the condition.

if ($this->userSession instanceof Session && $this->userSession->getSession()->get('app_api') === true && $this->userSession->getUser() === null) {
	$authorized = true;
}

Because I saw that app_api is somehow involved in this, I re-enabled the AppApi extension... and voila! It works again.

Do not ask me why this only happens with Firefox and not Chrome. Maybe a local cache issue since Nextcloud tries to re-establish a session with previous cookies/session data?

Steps to reproduce

See above

Expected behavior

A normal login flow (get prompted for MFA instead of a redirect to /login)

Nextcloud Server version

32

Operating system

Debian/Ubuntu

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

No response

[joshtrichards]

What version of v32 precisely?
When did the problem start?

Do not ask me why this only happens with Firefox and not Chrome. Maybe a local cache issue since Nextcloud tries to re-establish a session with previous cookies/session data?

Do you have a reverse proxy such as NPM in front?

[rtfmkiesel]

We are currently on 32.0.6. The problem started with the migration from 28 to 32.0.6. We use the Nextcloud Docker image (non-AIO), as well as MariaDB 11.8 and Redis 8.4.

Yes, there is Caddy in front with a very minimal config:

nextcloud.domain.tld {
        route {
                redir /.well-known/carddav /remote.php/dav 301
                redir /.well-known/caldav /remote.php/dav 301
                reverse_proxy nextcloud:80 {
                        header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                }
        }
}

Here are some config.php options which are maybe relevant. They were the same before the upgrade, so the should not be the issue.

...
  'allow_user_to_change_display_name' => false,
  'remember_login_cookie_lifetime' => 0,
  'auto_logout' => false,
  'auth.webauthn.enabled' => false,
  'hide_login_form' => false,
...

---

We have upgraded now to 33.0.0 and the issue still happens if the AppAPI extension is disabled.

What we have also noticed, is that almost all the logins from Firefox get classified as a suspicious login by the extension with the same name. Disabling this extension does not solve the problem however.

{
  "reqId": "ldEOXxvXHqRmVvna27ts",
  "level": 1,
  "time": "2026-03-26T15:12:33+01:00",
  "remoteAddr": "<cens>",
  "user": "<cens>",
  "app": "suspicious_login",
  "method": "POST",
  "url": "/login",
  "scriptName": "/index.php",
  "message": "Detected a login from a suspicious login. user=<cens> ip=<cens> strategy=ipv4",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/20100101 Firefox/149.0",
  "version": "32.0.6.1",
  "data": {
    "app": "suspicious_login"
  }
}

[szaimen]

cc @nextcloud/integration

[DaphneMuller]

@oleksandr-nc can you check if this is related to AppAPI? And if so report it in the right repository please? Thanks!

[oleksandr-nc]

Looked into this - does not look like an AppAPI bug.

AppAPI writes the app_api session key in exactly one place (AppAPIService::finalizeRequestToNC()), and only when a request have an AUTHORIZATION-APP-API header (ExApp --> NC call or DAV auth)

A browser doing a normal user login never hits that path, so the key is never written for your session regardless of whether AppAPI is enabled.

@rtfmkiesel Could you share the request/response headers (especially Set-Cookie/Cookie) for both requests, plus any debug-level line sharing the reqId of the NotLoggedInException?

[rtfmkiesel]

@oleksandr-nc Here are the response headers

POST /login

HTTP/2 303 
cache-control: no-cache, no-store, must-revalidate
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
content-type: text/html; charset=UTF-8
date: Mon, 13 Apr 2026 06:36:34 GMT
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
location: /login/selectchallenge
referrer-policy: no-referrer
set-cookie: oc5iubrdcb5o=c01b0f4941699aa574XXXXXX; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: oc5iubrdcb5o=a3dfcc7c854fdb29cdXXXXXX; path=/; secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=15768000; includeSubDomains; preload;
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: g1qWkUvOq5D5RhjSGBYU
x-robots-tag: noindex, nofollow
x-user-id: <my user>

GET /login/selectchallenge

HTTP/2 200 
cache-control: no-cache, no-store, must-revalidate
content-encoding: gzip
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-dLLazR6GKDcps4GEGJKu0R5LZ5wRFOFfsr6oyZvUG6g=';script-src-elem 'strict-dynamic' 'nonce-dLLazR6GKDcps4GEGJKu0R5LZ5wRFOFfsr6oyZvUG6g=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self';frame-ancestors 'self';form-action 'self'
content-type: text/html; charset=UTF-8
date: Mon, 13 Apr 2026 06:36:36 GMT
feature-policy: autoplay 'self';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'
referrer-policy: no-referrer
set-cookie: oc5iubrdcb5o=a3dfcc7c854fdb29cdXXXXXX; path=/; secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=15768000; includeSubDomains; preload;
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: WkVdUXKCQH8PlMphGjzT
x-robots-tag: noindex, nofollow
x-user-id: <my user>

GET /login/challenge/webauthn

HTTP/2 303 
cache-control: no-cache, no-store, must-revalidate
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
content-type: text/html; charset=UTF-8
date: Mon, 13 Apr 2026 06:37:23 GMT
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
location: /login?redirect_url=/login/challenge/webauthn
referrer-policy: no-referrer
strict-transport-security: max-age=15768000; includeSubDomains; preload;
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: 9nmFHFULqBSxFqygxhfJ
x-robots-tag: noindex, nofollow
content-length: 0

And the exception:

{
    "reqId": "9nmFHFULqBSxFqygxhfJ",
    "level": 0,
    "time": "2026-04-13T08:37:23+02:00",
    "remoteAddr": "<my IP>",
    "user": "--",
    "app": "core",
    "method": "GET",
    "url": "/login/challenge/webauthn",
    "scriptName": "/index.php",
    "message": "Current user is not logged in",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/20100101 Firefox/149.0",
    "version": "33.0.0.16",
    "exception": {
        "Exception": "OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException",
        "Message": "Current user is not logged in",
        "Code": 401,
        "Trace": [
            {
                "file": "/var/www/html/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php",
                "line": 73,
                "function": "beforeController",
                "class": "OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware",
                "type": "->",
                "args": [
                    {
                        "__class__": "OC\\Core\\Controller\\TwoFactorChallengeController"
                    },
                    "showChallenge"
                ]
            },
            {
                "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
                "line": 110,
                "function": "beforeController",
                "class": "OC\\AppFramework\\Middleware\\MiddlewareDispatcher",
                "type": "->",
                "args": [
                    {
                        "__class__": "OC\\Core\\Controller\\TwoFactorChallengeController"
                    },
                    "showChallenge"
                ]
            },
            {
                "file": "/var/www/html/lib/private/AppFramework/App.php",
                "line": 153,
                "function": "dispatch",
                "class": "OC\\AppFramework\\Http\\Dispatcher",
                "type": "->",
                "args": [
                    {
                        "__class__": "OC\\Core\\Controller\\TwoFactorChallengeController"
                    },
                    "showChallenge"
                ]
            },
            {
                "file": "/var/www/html/lib/private/Route/Router.php",
                "line": 321,
                "function": "main",
                "class": "OC\\AppFramework\\App",
                "type": "::",
                "args": [
                    "OC\\Core\\Controller\\TwoFactorChallengeController",
                    "showChallenge",
                    {
                        "__class__": "OC\\AppFramework\\DependencyInjection\\DIContainer"
                    },
                    {
                        "_route": "core.twofactorchallenge.showchallenge",
                        "challengeProviderId": "webauthn"
                    }
                ]
            },
            {
                "file": "/var/www/html/lib/base.php",
                "line": 1155,
                "function": "match",
                "class": "OC\\Route\\Router",
                "type": "->",
                "args": ["/login/challenge/webauthn"]
            },
            {
                "file": "/var/www/html/index.php",
                "line": 25,
                "function": "handleRequest",
                "class": "OC",
                "type": "::",
                "args": []
            }
        ],
        "File": "/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php",
        "Line": 134,
        "message": "Current user is not logged in",
        "exception": "{\"class\":\"OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException\",\"message\":\"Current user is not logged in\",\"code\":401,\"file\":\"/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php:134\",\"trace\":\"#0 /var/www/html/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php(73): OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware->beforeController(Object(OC\\Core\\Controller\\TwoFactorChallengeController), 'showChallenge')\\n#1 /var/www/html/lib/private/AppFramework/Http/Dispatcher.php(110): OC\\AppFramework\\Middleware\\MiddlewareDispatcher->beforeController(Object(OC\\Core\\Controller\\TwoFactorChallengeController), 'showChallenge')\\n#2 /var/www/html/lib/private/AppFramework/App.php(153): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OC\\Core\\Controller\\TwoFactorChallengeController), 'showChallenge')\\n#3 /var/www/html/lib/private/Route/Router.php(321): OC\\AppFramework\\App::main('OC\\\\Core\\\\Control...', 'showChallenge', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\\n#4 /var/www/html/lib/base.php(1155): OC\\Route\\Router->match('/login/challeng...')\\n#5 /var/www/html/index.php(25): OC::handleRequest()\\n#6 {main}\"}",
        "CustomMessage": "Current user is not logged in"
    }
}

[rtfmkiesel]

Small update - this is still driving me mad.

Even with the AppAPI enabled, this happens. Just not as frequently as before.

Because my login is always flagged as suspicious (even when I train the plugin), I disabled the nextcloud/suspicious_login plugin.

Now I get the following warnings in the log:

QueryNotFoundExceptionCould not resolve OCA\SuspiciousLogin\BackgroundJob\TrainJobIpV6! Class "OCA\SuspiciousLogin\BackgroundJob\TrainJobIpV6" does not exist
failed to create instance of background job: OCA\SuspiciousLogin\BackgroundJob\TrainJobIpV6

Also as a "Info", I get:

Notification was not parsed by any notifier [app: suspicious_login, subject: suspicious_login_detected]

Is it possible that user should not be able to disable the plugin suspicious_login?

Our logs are also spammed with

no app in context
	
NotAuthenticated

No public access to this resource., AppAPIAuth has not passed, This request is not for a federated calendar, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured