PhilippC / keepass2android

Password manager app for Android
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
GNU General Public License v3.0

Does not use authentication when doing WebDAV/HTTP PUT? #1238

Open Steltek opened 4 years ago

Steltek commented 4 years ago

Trying to open a database via WebDAV (on a Seafile server), which works for reading, but fails for writing. I have 'File Transactions' turned off in 'File Handling' (due to a bug in Seafile where the MOVE command doesn't work).

My logs indicate that Keepass2Android isn't using authentication when issuing the PUT request, and thus failing:

```
2020-05-02 13:54:46.131 - <140435312285504> wsgidav.wsgidav_app INFO : 127.0.0.1 - (anonymous) - [2020-05-02 11:54:46] "GET /path/keepass.kdbx" elap=0.000sec -> 401 Not Authorized
2020-05-02 13:54:46.175 - <140435312285504> wsgidav.wsgidav_app INFO : 127.0.0.1 - user@domain.com - [2020-05-02 11:54:46] "GET /path/keepass.kdbx" depth=0, elap=0.031sec -> 200 OK
2020-05-02 13:54:48.545 - <140435312285504> wsgidav.wsgidav_app INFO : 127.0.0.1 - (anonymous) - [2020-05-02 11:54:48] "PUT /path/keepass.kdbx" length=2138382, elap=0.000sec -> 401 Not Authorized
```

It seems to correctly recognise the "401 Not Authorized" when doing the GET request (repeats the request with the necessary credentials to get the file), but when doing the same for the PUT request, it never comes back and just fails. (To work correctly, it would either need to blindly include the credentials in the first request, or react to receiving the 401 status code and repeat the request with credentials at that point.)

(I tested with both direct calls to the Seafile WebDAV process, and with calls going through an Apache 2.4 reverse proxy, the latter both with HTTP/1.1 only and with HTTP/2 enabled. None of the 3 worked.)

Device: Samsung Galaxy S8+
Keepass2Android: 1.07b-r0
Android 9 (Security Patch level: 1 April 2020)
Samsung build: PPR1.180610.011.G99FXXS8DTC6
(Also reproduced on a Samsung Galaxy Tab S2 8.0 with Android 7)

andi-blafasl commented 4 years ago

I have the exact same problem here. Using Seafile server with WebDAV behind an Apache reverse proxy is not working. The problem only appears with Keepass2Android because it is trying to do an anonymous PUT first. With any other WebDAV client that I tried there is no such behavior. But the problem only appears after upgrading the Seafile server from version 7.0.5 to 7.1.4. So it must have something to do with the combination of Keepass2Android and Seafile 7.1.4. They changed the WebDAV backend to a new version and you have to add a workaround for renaming files (https://forum.seafile.com/t/seafdav-move-command-causing-502/11582/23), but that doesn't fix the Keepass2Android problem.

Would be nice if Keepass2Android could handle the requests with authentication to fix this problem, but I will also tell Seafile that there is a Bug with the new webdav module.

Steltek commented 4 years ago

Unfortunately, I don't know the details of WebDAV/PUT requests. I do know that it is normal for GET requests to start unauthenticated, and get an HTTP "401 Unauthorized" response, which triggers the client to repeat the request with the credentials. So the question is: Is the PUT request supposed to be sent with credentials inherently, or is it also supposed to behave like that. If the former, why does Keepass2Android not send it that way? If the latter, why does Keepass2Android not repeat the PUT request with credentials. (Is the '401 Unauthorized' from Seafile somehow mis-formatted, or is there a code issue in Keepass2Android?)

andi-blafasl commented 4 years ago

Browsers are doing the first GET without auth. But all webdav clients that I tested are sending credentials with every request.
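The two client strategies discussed above (repeat a request with credentials after a 401 challenge, or send credentials preemptively on every request) can be shown side by side against a minimal in-process WebDAV stand-in. The following is an added example written for this thread; it is not Keepass2Android or Seafile code. The server is a constructed stub that challenges every method, GET and PUT alike, with `401` plus a `WWW-Authenticate: Basic` header until a valid `Authorization` header arrives, which is the behaviour the logs in the issue show. The credentials, realm, path and database bytes are constructed placeholders. The `anonymous` mode reproduces the failure mode described in the issue (the PUT is never retried), `reactive` retries once after the challenge, and `preemptive` sends the header on the first attempt as the other WebDAV clients mentioned above do.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials and realm; not a real account.
USER, PASSWORD = "user@example.com", "correct horse battery"
REALM = "demo-webdav"


def basic_token(user, password):
    """Build the value of an HTTP Basic 'Authorization' header (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class DemoDavHandler(BaseHTTPRequestHandler):
    """Stand-in WebDAV endpoint: both GET and PUT are challenged with 401
    until the request carries the expected Basic credentials."""
    store = {}   # path -> stored bytes (constructed in-memory 'share')
    log = []     # (method, authenticated?, status) per request, for inspection

    def log_message(self, *args):   # keep the demo quiet on stderr
        pass

    def _authorized(self):
        return self.headers.get("Authorization") == basic_token(USER, PASSWORD)

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def _challenge(self, method):
        type(self).log.append((method, False, 401))
        self._reply(401, extra={"WWW-Authenticate": f'Basic realm="{REALM}"'})

    def do_GET(self):
        if not self._authorized():
            return self._challenge("GET")
        body = type(self).store.get(self.path)
        status = 200 if body is not None else 404
        type(self).log.append(("GET", True, status))
        self._reply(status, body or b"")

    def do_PUT(self):
        if not self._authorized():
            return self._challenge("PUT")
        length = int(self.headers.get("Content-Length", "0"))
        type(self).store[self.path] = self.rfile.read(length)
        type(self).log.append(("PUT", True, 201))
        self._reply(201)


def dav_request(host, port, method, path, body=None, creds=None, preemptive=False):
    """Issue one request. With preemptive=True the Authorization header goes on
    the first attempt; otherwise the request is sent anonymously and repeated
    exactly once with credentials if the server answers 401 with a Basic
    challenge. Returns (status, response_body)."""
    headers = {}
    if preemptive and creds:
        headers["Authorization"] = basic_token(*creds)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        if resp.status == 401 and creds and "Authorization" not in headers:
            challenge = resp.getheader("WWW-Authenticate", "")
            if challenge.lower().startswith("basic"):
                headers["Authorization"] = basic_token(*creds)
                conn.request(method, path, body=body, headers=headers)
                resp = conn.getresponse()
                data = resp.read()
        return resp.status, data
    finally:
        conn.close()


def run_scenario(mode):
    """mode is 'anonymous', 'reactive' or 'preemptive'. Starts a fresh stub
    server, does a PUT followed by a GET of the same path, and returns
    (put_status, get_status, get_body, server_log)."""
    DemoDavHandler.store = {}
    DemoDavHandler.log = []
    server = HTTPServer(("127.0.0.1", 0), DemoDavHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        creds = None if mode == "anonymous" else (USER, PASSWORD)
        pre = mode == "preemptive"
        put_status, _ = dav_request(host, port, "PUT", "/path/keepass.kdbx",
                                    b"constructed-kdbx-bytes", creds, pre)
        get_status, body = dav_request(host, port, "GET", "/path/keepass.kdbx",
                                       None, creds, pre)
        return put_status, get_status, body, list(DemoDavHandler.log)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in ("anonymous", "reactive", "preemptive"):
        print(mode, run_scenario(mode))
```

In `anonymous` mode the PUT stays at 401 and nothing is stored, which is the symptom reported at the top of the thread; in `reactive` mode the server log shows the anonymous attempt followed by the authenticated retry for both methods, and in `preemptive` mode there is no anonymous attempt at all. Either of the last two is a valid client behaviour; a client that retries on 401 for GET but not for PUT ends up with the mixed log shown in the issue.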

r4ptor commented 3 years ago

I know this issue is kind of old, but I stumbled across it today as I had the same problem.

Updating the seafile-server to 8.0.3 resolved this problem for me.