loki36 / user-otp

OTP Backend for owncloud

User-OTP Breaks Android App on OC 8.x #104

Closed wuffleton closed 9 years ago

wuffleton commented 9 years ago

Recently, I've been noticing weird stuff happening in the Android app, like missing thumbnails and inability to share links, which I initially blamed on the app and OC 8. However, after some more digging, it looks like user-otp is causing these issues. It seems that for the thumbnails and app sharing API, user-otp thinks there should be an OTP present, but when I go directly to them in my browser, I get a standard HTTP auth dialog, which my credentials do not work in (they did after disabling user-otp). As a result, all requests 401 out because it failed to authenticate.

I tried older commits of user-otp, until I found that b84ab02 did not exhibit this behavior. Anything newer than that is affected by this issue. Kinda weird, since c74ba5aa77 was working fine with OC 7.x and the same version of the Android app.

Older versions of the Android app also behave the same way, so it doesn't look like it's being caused by the app itself either.

Environment Info:

- OS: Arch Linux
- PHP: 5.6.8-2
- DB: MariaDB 10.0.17-2
- OC Version: 8.0.3-1
- User-OTP Version: git master
- Android app version: 1.7.1

Relevant server access logs when the issue is occurring:

Apr 27 12:18:19 Asmodeus uwsgi[5311]: [pid: 8675|app: -1|req: -1/558] 205.175.119.146 () {34 vars in 622 bytes} [Mon Apr 27 12:18:19 2015] GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2F&reshares=false&subfiles=true => generated 153 bytes in 260 msecs (HTTP/1.1 401) 13 headers in 696 bytes (0 switches on core 0)
Apr 27 12:18:22 Asmodeus uwsgi[5311]: [pid: 8675|app: -1|req: -1/559] 205.175.119.146 () {32 vars in 595 bytes} [Mon Apr 27 12:18:22 2015] GET /index.php/apps/files/api/v1/thumbnail/96/96/7fdff1fb5bcc9595091c175ebaf21a3a.jpg => generated 43 bytes in 258 msecs (HTTP/1.1 401) 13 headers in 631 bytes (0 switches on core 0)

OwnCloud Log Entries

{"reqId":"3088771fdbd70a8e8427ee82e07301bc","remoteAddr":"205.175.119.146","app":"core","message":"Adding default user backend OTP.","level":0,"time":"2015-04-27T12:18:23-07:00","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/7fdff1fb5bcc9595091c175ebaf21a3a.jpg"}
{"reqId":"3088771fdbd70a8e8427ee82e07301bc","remoteAddr":"205.175.119.146","app":"OC_USER_OTP","message":"checkPassword().","level":0,"time":"2015-04-27T12:18:23-07:00","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/7fdff1fb5bcc9595091c175ebaf21a3a.jpg"}
{"reqId":"3088771fdbd70a8e8427ee82e07301bc","remoteAddr":"205.175.119.146","app":"OC_USER_OTP","message":"used auth method : 3","level":0,"time":"2015-04-27T12:18:23-07:00","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/7fdff1fb5bcc9595091c175ebaf21a3a.jpg"}
{"reqId":"3088771fdbd70a8e8427ee82e07301bc","remoteAddr":"205.175.119.146","app":"core","message":"Login failed: '<MY_USER>' (Remote IP: '205.175.119.146', X-Forwarded-For: '')","level":2,"time":"2015-04-27T12:18:23-07:00","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/7fdff1fb5bcc9595091c175ebaf21a3a.jpg"}
{"reqId":"3088771fdbd70a8e8427ee82e07301bc","remoteAddr":"205.175.119.146","app":"PHP","message":"Argument 2 passed to OCA\\Files\\Service\\TagService::__construct() must be an instance of OCP\\ITags, null given, called in \/usr\/share\/webapps\/owncloud\/apps\/files\/appinfo\/application.php on line 52 and defined at \/usr\/share\/webapps\/owncloud\/apps\/files\/service\/tagservice.php#35","level":3,"time":"2015-04-27T12:18:23-07:00","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/7fdff1fb5bcc9595091c175ebaf21a3a.jpg"}
{"reqId":"3088771fdbd70a8e8427ee82e07301bc","remoteAddr":"205.175.119.146","app":"PHP","message":"Argument 3 passed to OCA\\Files\\Service\\TagService::__construct() must be an instance of OCP\\Files\\Folder, null given, called in \/usr\/share\/webapps\/owncloud\/apps\/files\/appinfo\/application.php on line 52 and defined at \/usr\/share\/webapps\/owncloud\/apps\/files\/service\/tagservice.php#37","level":3,"time":"2015-04-27T12:18:23-07:00","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/7fdff1fb5bcc9595091c175ebaf21a3a.jpg"}
{"reqId":"3088771fdbd70a8e8427ee82e07301bc","remoteAddr":"205.175.119.146","app":"no app in context","message":"Current user is not logged in","level":0,"time":"2015-04-27T12:18:23-07:00","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/7fdff1fb5bcc9595091c175ebaf21a3a.jpg"}
{"reqId":"62d230f892cea86ea8f72c92946f40b9","remoteAddr":"205.175.119.90","app":"core","message":"Adding default user backend OTP.","level":0,"time":"2015-04-27T12:18:24-07:00","method":"PROPFIND","url":"\/remote.php\/webdav\/"}
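
Added example, not part of the original post or of user-otp: a Python sketch that groups ownCloud log entries like those above by reqId and reports which endpoints were rejected after the OC_USER_OTP backend handled the credentials. The sample lines are constructed (fewer fields, placeholder reqIds) and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the ownCloud log entries quoted above
# (fewer fields, placeholder reqIds). Lines 2 and 4 hold two objects each.
SAMPLE_LOG = "\n".join([
    r'{"reqId":"aaa1","app":"OC_USER_OTP","message":"used auth method : 3","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/x.jpg"}',
    r'{"reqId":"aaa1","app":"core","message":"Login failed: (constructed)","method":"GET","url":"\/index.php\/apps\/files\/api\/v1\/thumbnail\/96\/96\/x.jpg"}'
    r' {"reqId":"aaa1","app":"no app in context","message":"Current user is not logged in"}',
    r'{"reqId":"bbb2","app":"core","message":"Adding default user backend OTP.","method":"PROPFIND","url":"\/remote.php\/webdav\/"}',
    r'{"reqId":"ccc3","app":"OC_USER_OTP","message":"checkPassword().","method":"GET","url":"\/ocs\/v1.php\/apps\/files_sharing\/api\/v1\/shares?path=%2F"}'
    r'{"reqId":"ccc3","app":"core","message":"Login failed: (constructed)","method":"GET","url":"\/ocs\/v1.php\/apps\/files_sharing\/api\/v1\/shares?path=%2F"}',
])

def iter_entries(text):
    """Yield every JSON object in the log, including several run together on one line."""
    decoder = json.JSONDecoder()
    for line in text.splitlines():
        pos = 0
        while pos < len(line):
            if line[pos].isspace():        # raw_decode does not skip whitespace
                pos += 1
                continue
            try:
                entry, pos = decoder.raw_decode(line, pos)
            except json.JSONDecodeError:
                break                      # truncated or non-JSON tail: skip rest of line
            if isinstance(entry, dict):
                yield entry

def otp_rejections(text):
    """Return {(method, path): count} for requests where OC_USER_OTP handled the
    credentials and core then logged 'Login failed' under the same reqId."""
    by_req = defaultdict(list)
    for entry in iter_entries(text):
        by_req[entry.get("reqId")].append(entry)
    hits = defaultdict(int)
    for entries in by_req.values():
        otp_seen = any(e.get("app") == "OC_USER_OTP" for e in entries)
        failed = any(e.get("app") == "core"
                     and str(e.get("message", "")).startswith("Login failed")
                     for e in entries)
        if otp_seen and failed:
            path = entries[0].get("url", "").split("?", 1)[0]  # drop query string
            hits[(entries[0].get("method"), path)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (method, path), count in sorted(otp_rejections(SAMPLE_LOG).items()):
        print(count, method, path)
```
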
kneissel commented 9 years ago

Same here, can't load thumbnails in Android apps, and can't use owncloud sms either. If I disable otp or set it to "password or otp", the apps work fine. Tell me if you need more information, or the same as that given by wuffleton.

Thanks

kneissel commented 9 years ago

OK, I think I found a workaround: edit the file .../apps/user_otp/lib/otp.php

Find the line: "preg_match("#^/apps/news/api/v1-2(.*)$#i", $_SERVER['PATH_INFO'])" and REPLACE it with these (added file sharing, thumbnails and ocsms):

    preg_match("#^/apps/news/api/v1-2(.*)$#i", $_SERVER['PATH_INFO']) ||
    preg_match("#^/apps/ocsms(.*)$#i", $_SERVER['PATH_INFO']) ||
    preg_match("#^/apps/files/api/v1/thumbnail(.*)$#i", $_SERVER['PATH_INFO']) ||
    preg_match("#^/apps/files_sharing/api/v1/shares(.*)$#i", $_SERVER['PATH_INFO'])

Works for me!!!! I'm not really good with regexp; if something looks awful, tell me :) I'll make a patch and send it as a pull request.

wuffleton commented 9 years ago

Those regexps don't look too bad from my basic knowledge of them and how PHP does things! I can confirm that this is indeed working on my setup as well with no bad behavior introduced that I can see.

loki36 commented 9 years ago

close with pull request #106 from kneissel