Open Thesola10 opened 2 years ago
Here's a quick HTTP dump of the issue (some info redacted):
curl -i https://has2fa:@nextcloud/remote.php/dav
HTTP/2 401
server: nginx
date: Fri, 22 Apr 2022 09:33:21 GMT
content-type: application/xml; charset=utf-8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=...; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: ...; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
content-security-policy: default-src 'none';
strict-transport-security: max-age=15552000; includeSubDomains
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
<s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
<s:message/>
<o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>
curl -i https://no2fa:@nextcloud/remote.php/dav
HTTP/2 401
server: nginx
date: Fri, 22 Apr 2022 09:33:32 GMT
content-type: application/xml; charset=utf-8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=...; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
content-security-policy: default-src 'none';
set-cookie: ...; path=/; secure; HttpOnly; SameSite=Lax
www-authenticate: Basic realm="Nextcloud", charset="UTF-8"
strict-transport-security: max-age=15552000; includeSubDomains
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
<s:message>No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect</s:message>
</d:error>
Note the www-authenticate second-to-last in the non-2FA output is lacking from the 2FA output. This is what this bug is reporting.
As mentioned on GNOME/gvfs#617, this is causing libsoup to not retry authentication, and GNOME integration to fail to mount the WebDAV filesystem.
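A check for the behaviour reported above, as an added example that is not part of the original thread or of Nextcloud's code: it parses `curl -i` output and flags any 401 that lacks the WWW-Authenticate challenge which RFC 7235 section 3.1 requires on a 401 response. The two sample responses are constructed by abridging the dumps above (with the blank line between headers and body restored), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples, abridged from the two `curl -i` dumps in this thread.
HAS_2FA = r"""HTTP/2 401
content-type: application/xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
</d:error>"""
NO_2FA = r"""HTTP/2 401
content-type: application/xml; charset=utf-8
www-authenticate: Basic realm="Nextcloud", charset="UTF-8"

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
</d:error>"""

def parse_response(raw):
    """Split `curl -i` text into (status, {lowercased name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status_line.split()[1]), headers, body

def sabre_exception(body):
    """Return the exception class named in a Sabre DAV error body, or None."""
    try:
        root = ET.fromstring(body.strip().encode("utf-8"))
    except ET.ParseError:
        return None
    return root.findtext("{http://sabredav.org/ns}exception")

def check_401(raw):
    """Flag a 401 that carries no WWW-Authenticate challenge."""
    status, headers, body = parse_response(raw)
    # Simplification: only the first scheme of each header line is reported.
    schemes = [c.split()[0] for c in headers.get("www-authenticate", []) if c]
    return {"status": status, "exception": sabre_exception(body),
            "schemes": schemes, "compliant": status != 401 or bool(schemes)}

if __name__ == "__main__":
    for name, raw in (("has2fa", HAS_2FA), ("no2fa", NO_2FA)):
        print(name, check_401(raw))
```

Reporting the Sabre exception class next to the header check shows which error path omits the challenge, which is the detail a regression test for this bug would pin down.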
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
What kind of additional info is needed?
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
Can we reopen this issue, as it seems to be unresolved in the latest versions?
I suspect this either got closed without review by accident or because it lacked a configuration and version info to review against while reproducing.
I haven't looked into this matter at all, but did run across it (this closed issue, not the prospective bug itself) while reviewing some other work. So reopened for later follow-up and to link the PR on the gvfs side that is supposedly a workaround for something we're doing that is unexpected here:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/6636d89ff549d2ea51dbe2911bae92250be8bea0
Bug description
First reported on GNOME/gvfs#617.
When accessing the remote.php/dav or remote.php/webdav endpoints with a correct, 2FA-enabled username and an incorrect/empty password (like GVFS does), the particular error does not return a WWW-Authenticate header, which violates the standard and prevents GVFS from connecting.
This only occurs with the password login forbidden error.
Steps to reproduce
2fauser with 2-factor authentication enabled
curl -i https://2fauser:@NC/remote.php/dav
www-authenticate header.
Expected behavior
The error returns a www-authenticate header, like other 401 errors.
Installation method
NixOS option services.nextcloud
Operating system
NixOS 21.11
PHP engine version
PHP 8.0.18
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Updated to a major version (ex. 22.2.3 to 23.0.1)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
No response
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
No response
Additional info
No response