marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0

[BUG][API]: HTTP 412 error on missing X-API-SESSION header #591

Closed kamou closed 1 year ago

kamou commented 1 year ago


Server Information

{
    "version": {
        "server": "26.0.1.1",
        "app": "2023.5.0",
        "lsr": true,
        "php": "8.0.23",
        "cronPhp": "8.0.23"
    },
    "environment": {
        "os": "Linux",
        "architecture": "x86_64",
        "bits": 64,
        "database": "mysql",
        "cron": "cron",
        "proxy": false,
        "sslProxy": false,
        "subdirectory": true
    },
    "services": {
        "images": "gdlib",
        "favicons": "default",
        "previews": "default",
        "security": "hibp",
        "words": "auto",
        "previewApi": false,
        "faviconApi": false
    },
    "status": {
        "autoBackupRestored": false
    },
    "settings": {
        "channel": "stable",
        "nightlies": false,
        "handbook": false,
        "performance": 5
    },
    "encryption": {
        "sse": {
            "SSEv1r1": false,
            "SSEv1r2": true,
            "SSEv2r1": false,
            "SSEv3r1": false,
            "none": true,
            "default": "none"
        },
        "cse": {
            "CSEv1r1": true,
            "none": true,
            "default": "CSEv1r1"
        }
    }
}

Client Information

using pynacl 1.5.0 (python bindings to libsodium)
plugin version: 2023.5.30
nextcloud version: 26.0.1

Bug description

All the Passwords tools are working properly: the Firefox extension, the web interface. Works great, and thanks for this quite useful plugin!

This is maybe not a bug; my question is related to the API usage. I'm using my own Python command-line tool to gather password information from my Nextcloud instance. Up to some update (sorry, I have no idea of the date or version, and can't even tell you if it was after a Nextcloud update or a Passwords update), my plugin used to be able to work properly just using the Nextcloud cookies as stated in the developer handbook. Since some update, this is not the case anymore. I now have to set the X-API-SESSION for each request. Is this expected? If yes, I guess the developer handbook needs to be updated.

Steps to reproduce

Do not set the X-API-SESSION header.

Expected behavior

Accessing a session-required API should not result in HTTP 412 (precondition failed).

Nextcloud Logs

{"reqId":"NpMP8ARjmy39kOesYgMt","level":3,"time":"2023-05-07T13:20:34+00:00","remoteAddr":"192.168.1.1","user":"ak42","app":"passwords","method":"GET","url":"/index.php/apps/passwords/api/1.0/password/list","message":"Error \"Authorized session required\" in OCA\\Passwords\\Controller\\Api\\PasswordApiController::list","userAgent":"python-requests/2.28.2","version":"26.0.1.1","data":{"app":"passwords"},"id":"6457afa722a37"}

Browser Logs

N/A

marius-wieschollek commented 1 year ago

You're right. NC no longer sends a session cookie if the API is used. Instead, every session cookie sent that way is deleted.

I have found a way around this by sending my own cookie. This will be available in the next nightly release.

marius-wieschollek commented 1 year ago

This should be fixed with the latest 2023.8 update. Can you confirm this?
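
For API clients affected by the behaviour discussed in this thread, the following is an added example (not code from the issue or from the Passwords project) of a client that carries the session id in `X-API-SESSION` on every request instead of depending on cookies, and treats HTTP 412 as "session missing". It assumes the server returns the session id in an `X-API-SESSION` response header and that a `session/open` endpoint exists; the host name, credentials, session id and `fake_server` stand-in are constructed so the block runs offline.

```python
import io
import json
import urllib.request
from urllib.error import HTTPError

SESSION_HEADER = "X-API-SESSION"  # header named in the issue title

class SessionRequired(Exception):
    """HTTP 412: the server saw no authorized session on this request."""

class PasswordsApiClient:
    """Keeps the session id itself and sends it explicitly, never via cookies."""

    def __init__(self, base_url, authorization, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.authorization = authorization
        self.session_id = None
        self._open = opener  # injectable so the demo below runs offline

    def call(self, path, payload=None):
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(f"{self.base_url}/api/1.0/{path}", data=data)
        req.add_header("Authorization", self.authorization)
        req.add_header("Content-Type", "application/json")
        if self.session_id:
            req.add_header(SESSION_HEADER, self.session_id)
        try:
            resp = self._open(req)
        except HTTPError as err:
            if err.code == 412:
                self.session_id = None  # stale or missing: caller must reopen
                raise SessionRequired(path) from err
            raise
        # Assumption: the server returns the session id in the same header.
        self.session_id = resp.headers.get(SESSION_HEADER, self.session_id)
        return json.loads(resp.read() or b"null")

def fake_server(req):
    """Constructed stand-in for the server: 412 unless the header is present."""
    sent = {k.lower(): v for k, v in req.header_items()}
    if req.full_url.endswith("/session/open"):  # assumed endpoint name
        body, headers = b'{"success": true}', {SESSION_HEADER: "constructed-session-id"}
    elif sent.get(SESSION_HEADER.lower()) == "constructed-session-id":
        body, headers = b"[]", {SESSION_HEADER: "constructed-session-id"}
    else:
        raise HTTPError(req.full_url, 412, "Precondition Failed", {}, None)
    resp = io.BytesIO(body)
    resp.headers = headers
    return resp
```

Pass `opener=fake_server` to exercise the flow offline; with the default opener the same client talks to a real instance.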