[Bug]: Disabled AppAPI Extension Leads to MFA Login Loop

[rtfmkiesel]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

When my colleagues and I are trying to log into our Nextcloud instance, we cannot do so without clearing our browser cache. If we did not clear our cache before accessing the site, we would land in an endless loop. The issue only happens with Firefox-based browsers (and not even all of them). It was tested with all browser extensions disabled, just in case.

Behavior/To reproduce

0. Have a valid session the last time the browser was open. (yesterday, before lunch, ...)
1. Open the browser, go to the base URL, get redirected to /login
2. Enter credentials -> the POST /login request results in a redirect to /login/selectchallenge since we enforce MFA
3. Select an MFA method (We use TOTP and WebAuthn, the issue happens with both)
4. This results in the browser making a GET /login/challenge/totp request (in the case of TOTP) -> The server responds with a redirect to /login?redirect_url=/login/challenge/totp and we are back on the login page ¯_(ツ)_/¯

If we repeat this, the response from the server will always append the redirect_url parameter. So after the 2nd cycle, we end up on /login?redirect_url=/login/challenge/totp?redirect_url%3D/login/challenge/totp.

After some debugging, I landed in lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php due to the debug log printing:

"File":"/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":134,"message":"Current user is not logged in","exception":{},"CustomMessage":"Current user is not logged in"

In there, we get a NotLoggedInException because $authorized is false. Somehow, we fail the condition.

if ($this->userSession instanceof Session && $this->userSession->getSession()->get('app_api') === true && $this->userSession->getUser() === null) {
	$authorized = true;
}

Because I saw that app_api is somehow involved in this, I re-enabled the AppApi extension... and voila! It works again.

Do not ask me why this only happens with Firefox and not Chrome. Maybe a local cache issue since Nextcloud tries to re-establish a session with previous cookies/session data?

Steps to reproduce

See above

Expected behavior

A normal login flow (get prompted for MFA instead of a redirect to /login)

Nextcloud Server version

32

Operating system

Debian/Ubuntu

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

No response

[joshtrichards]

What version of v32 precisely?
When did the problem start?

Do not ask me why this only happens with Firefox and not Chrome. Maybe a local cache issue since Nextcloud tries to re-establish a session with previous cookies/session data?

Do you have a reverse proxy such as NPM in front?

[rtfmkiesel]

We are currently on 32.0.6. The problem started with the migration from 28 to 32.0.6. We use the Nextcloud Docker image (non-AIO), as well as MariaDB 11.8 and Redis 8.4.

Yes, there is Caddy in front with a very minimal config:

nextcloud.domain.tld {
        route {
                redir /.well-known/carddav /remote.php/dav 301
                redir /.well-known/caldav /remote.php/dav 301
                reverse_proxy nextcloud:80 {
                        header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                }
        }
}

Here are some config.php options which are maybe relevant. They were the same before the upgrade, so the should not be the issue.

...
  'allow_user_to_change_display_name' => false,
  'remember_login_cookie_lifetime' => 0,
  'auto_logout' => false,
  'auth.webauthn.enabled' => false,
  'hide_login_form' => false,
...

---

We have upgraded now to 33.0.0 and the issue still happens if the AppAPI extension is disabled.

What we have also noticed, is that almost all the logins from Firefox get classified as a suspicious login by the extension with the same name. Disabling this extension does not solve the problem however.

{
  "reqId": "ldEOXxvXHqRmVvna27ts",
  "level": 1,
  "time": "2026-03-26T15:12:33+01:00",
  "remoteAddr": "<cens>",
  "user": "<cens>",
  "app": "suspicious_login",
  "method": "POST",
  "url": "/login",
  "scriptName": "/index.php",
  "message": "Detected a login from a suspicious login. user=<cens> ip=<cens> strategy=ipv4",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/20100101 Firefox/149.0",
  "version": "32.0.6.1",
  "data": {
    "app": "suspicious_login"
  }
}