marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0

[BUG]: Error "Authorized session required" in SessionApiController #627

Closed codegax closed 6 months ago

codegax commented 6 months ago


Server Information

{
    "version": {
        "server": "28.0.1.1",
        "app": "2023.12.32",
        "lsr": false,
        "php": "8.2.14",
        "cronPhp": "8.2.14"
    },
    "environment": {
        "os": "Linux",
        "architecture": "x86_64",
        "bits": 64,
        "database": "pgsql",
        "cron": "cron",
        "proxy": false,
        "sslProxy": true,
        "subdirectory": false
    },
    "services": {
        "images": "imaginary",
        "favicons": "default",
        "previews": "default",
        "security": "hibp",
        "words": "auto",
        "previewApi": false,
        "faviconApi": false
    },
    "status": {
        "autoBackupRestored": false
    },
    "settings": {
        "channel": "stable",
        "nightlies": false,
        "handbook": false,
        "performance": 5
    },
    "encryption": {
        "sse": {
            "SSEv1r1": false,
            "SSEv1r2": true,
            "SSEv2r1": false,
            "SSEv3r1": false,
            "none": true,
            "default": "none"
        },
        "cse": {
            "CSEv1r1": true,
            "none": true,
            "default": "CSEv1r1"
        }
    }
}

Client Information

Browser and Version: Brave latest and Android Nextcloud Passwords 1.0.6
Client OS and Version: Linux Fedora, Android

Bug description

Can't access my passwords in any client. I only need one that is vital to me and I don't have it anywhere else. Is there a way to access directly?

Steps to reproduce

  1. Open the app
  2. Enter master password
  3. Pop up saying "Authorized session required" instead of showing passwords

Expected behavior

  1. Open the app
  2. Enter master password
  3. Show passwords

Nextcloud Logs

{"reqId":"fxMRZtDYOR9vDOQT2hvz","level":4,"time":"2024-01-03T21:17:25-06:00","remoteAddr":"192.168.1.170","user":"redking","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Authorized session required","userAgent":"Dart/2.19 (dart:io)","version":"28.0.1.1","exception":{"Exception":"OCA\\Passwords\\Exception\\ApiException","Message":"Authorized session required","Code":256,"Trace":[{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"open","class":"OCA\\Passwords\\Controller\\Api\\SessionApiController","type":"->","args":[]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Passwords\\Controller\\Api\\SessionApiController"],"open"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Passwords\\Controller\\Api\\SessionApiController"],"open"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["SessionApiController","open",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["passwords.session_api.open"]]},{"file":"/var/www/html/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/passwords/api/1.0/session/open"]},{"file":"/var/www/html/index.php","line":39,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/custom_apps/passwords/lib/Controller/Api/SessionApiController.php","Line":147,"Previous":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Security/Crypto.php","line":119,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/custom_apps/passwords/lib/Encryption/Keychain/SseV2KeychainEncryption.php","line":142,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/custom_apps/passwords/lib/Encryption/Keychain/SseV2KeychainEncryption.php","line":127,"function":"tryDecryptKeychainWithoutServerSecret","class":"OCA\\Passwords\\Encryption\\Keychain\\SseV2KeychainEncryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/custom_apps/passwords/lib/Services/EncryptionService.php","line":175,"function":"decryptKeychain","class":"OCA\\Passwords\\Encryption\\Keychain\\SseV2KeychainEncryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/custom_apps/passwords/lib/Services/Object/KeychainService.php","line":195,"function":"decryptKeychain","class":"OCA\\Passwords\\Services\\EncryptionService","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/custom_apps/passwords/lib/Services/Object/KeychainService.php","line":103,"function":"decryptArray","class":"OCA\\Passwords\\Services\\Object\\KeychainService","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/custom_apps/passwords/lib/Services/Object/KeychainService.php","line":127,"function":"findByScope","class":"OCA\\Passwords\\Services\\Object\\KeychainService","type":"->","args":["client",true]},{"file":"/var/www/html/custom_apps/passwords/lib/Controller/Api/SessionApiController.php","line":144,"function":"getClientKeychainArray","class":"OCA\\Passwords\\Services\\Object\\KeychainService","type":"->","args":[]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"open","class":"OCA\\Passwords\\Controller\\Api\\SessionApiController","type":"->","args":[]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Passwords\\Controller\\Api\\SessionApiController"],"open"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Passwords\\Controller\\Api\\SessionApiController"],"open"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["SessionApiController","open",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["passwords.session_api.open"]]},{"file":"/var/www/html/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/passwords/api/1.0/session/open"]},{"file":"/var/www/html/index.php","line":39,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":158},"message":"Authorized session required","exception":[],"CustomMessage":"Authorized session required"},"id":"659623be4ae89"}

Browser Logs

{"reqId":"fxMRZtDYOR9vDOQT2hvz","level":3,"time":"2024-01-03T21:17:25-06:00","remoteAddr":"192.168.1.170","user":"redking","app":"passwords","method":"POST","url":"/index.php/apps/passwords/api/1.0/session/open","message":"Error \"Authorized session required\" in OCA\\Passwords\\Controller\\Api\\SessionApiController::open","userAgent":"Dart/2.19 (dart:io)","version":"28.0.1.1","data":{"app":"passwords"},"id":"659623be4aec5"}
marius-wieschollek commented 6 months ago

Unless there are other errors in the log, my guess would be that your server is not passing the "X-API-SESSION" header to Nextcloud. You should check that.

You can't access passwords directly, but you can try and disable the error:

How it looks commented out:

    if(!$this->sessionService->isAuthorized() && $this->requiresAuthorization($controller, $methodName)) {
        // throw new ApiException('Authorized session required', Http::STATUS_PRECONDITION_FAILED);
    }

- In case you have code caching technologies (opcache, jit) enabled, you may need to restart your webserver or PHP FPM.
codegax commented 6 months ago

Thanks for the response. I commented out the line that throws the error in all:

Restarted the whole system, confirmed that files had my changes but still get the error :( Should I look into nginx config for the missing X-API-SESSION or maybe the traefik ingress that I use to access the app?

Again thanks for the help!

codegax commented 6 months ago

Here's the header request from the web:

:authority:
nextcloud.site.com
:method:
POST
:path:
/index.php/apps/passwords/api/1.0/session/open
:scheme:
https
Accept:
application/json
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.7
Authorization:
Basic **redacted**
Content-Length:
80
Content-Type:
application/json
Origin:
https://nextcloud.site.com
Referer:
https://nextcloud.site.com/apps/passwords/
Sec-Ch-Ua:
"Not_A Brand";v="8", "Chromium";v="120", "Brave";v="120"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Linux"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
same-origin
Sec-Gpc:
1
User-Agent:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
X-Api-Session:
**re|da|c|ted**
X-Requested-With:
XMLHttpRequest
codegax commented 6 months ago

Tried restoring the oldest backup that has the password I am looking for, then ran occ maintenance:repair:

 - Repair Passwords Database Objects
     - Checking 1 tag revisions
 1/1 [============================] 100%
     - Fixed 0 tag revisions
     - Checking 5 folder revisions
 5/5 [============================] 100%
     - Fixed 1 folder revisions
     - Checking 46 password revisions
 46/46 [============================] 100%
     - Fixed 6 password revisions
     - Checking 1 tag models
 1/1 [============================] 100%
     - Fixed 0 tag models
     - Checking 5 folder models
 5/5 [============================] 100%
     - Fixed 1 folder models
     - Checking 30 password models
 30/30 [============================] 100%
     - Fixed 3 password models
     - Checking 1 password tag relations
 1/1 [============================] 100%
     - Fixed 0 password tag relations
     - Checking 0 shares
    0 [>---------------------------]
     - Fixed 0 shares

Still no luck accessing the passwords. I also exported this backup, nc-passwords.json.gz, if that could help.

marius-wieschollek commented 6 months ago

I just checked the log entry again and there is actually a second error in it: "HMAC does not match." The "Authorized session required" error occurs because decrypting the encryption keys/keychain fails. So this is not a session issue; part of the encryption keys is missing.

I would restore a backup from before the last Nextcloud update.
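The failure described in the comment above (the keychain's integrity check failing before any session logic can succeed) is easiest to see in a small model. The following is an added example, not code from the passwords app or from Nextcloud's OC\Security\Crypto: it uses an encrypt-then-MAC layout of `ciphertext|iv|hmac` hex fields and a hash-based keystream standing in for AES-CTR (both are assumptions made for the example), and maps each decryption outcome to the symptom an operator would see in the log. The sample keychain content is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a small keychain such as the app might store (not real data).
SAMPLE_KEYCHAIN = b'{"keys":{"cse":"example-client-key"},"current":"cse"}'


class HmacMismatch(Exception):
    """Integrity check failed: the blob was not produced under this secret, or was altered."""


def _derive(secret: bytes, purpose: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one server secret.
    return hmac.new(secret, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for a CTR-mode block cipher (stdlib has no AES): hash key||iv||counter.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_keychain(plaintext: bytes, secret: bytes, iv: Optional[bytes] = None) -> str:
    """Encrypt-then-MAC. Returns 'ciphertext|iv|hmac' as hex fields (assumed layout)."""
    iv = iv if iv is not None else os.urandom(16)
    stream = _keystream(_derive(secret, b"enc"), iv, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    # The tag covers ciphertext and IV, so any change to either is detected.
    tag = hmac.new(_derive(secret, b"mac"), ct + iv, hashlib.sha256).digest()
    return "|".join(x.hex() for x in (ct, iv, tag))


def decrypt_keychain(blob: str, secret: bytes) -> bytes:
    """Verify the MAC first and only then decrypt.

    A changed server secret and a tampered or corrupted stored blob both stop
    here with a clean error instead of silently yielding garbage key material.
    """
    ct, iv, tag = (bytes.fromhex(field) for field in blob.split("|"))
    expected = hmac.new(_derive(secret, b"mac"), ct + iv, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise HmacMismatch("HMAC does not match.")
    stream = _keystream(_derive(secret, b"enc"), iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def diagnose(blob: str, secret: bytes) -> str:
    """Map the decryption outcome to the symptom an operator would observe."""
    try:
        decrypt_keychain(blob, secret)
        return "ok"
    except HmacMismatch:
        # Secret no longer matches the one used at encryption time, or the
        # stored ciphertext/IV was altered: the case behind the log above.
        return "hmac-mismatch"
    except ValueError:
        # Field count or hex encoding broken, e.g. a truncated restore.
        return "malformed"


if __name__ == "__main__":
    secret = b"server-secret-A"
    blob = encrypt_keychain(SAMPLE_KEYCHAIN, secret)
    print(diagnose(blob, secret))              # ok
    print(diagnose(blob, b"server-secret-B"))  # hmac-mismatch
```

Because the tag is checked before decryption, a keychain encrypted under one server secret and read under another fails exactly as the log shows, with a MAC error rather than a decoded-but-wrong key, which is why restoring a consistent backup (data and secret from the same point in time) is the fix rather than bypassing the session check.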

codegax commented 6 months ago

Restoring a backup from last Nextcloud update solved the issue. Thanks for the support!