nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

No WWW-Authenticate header on WebDAV when 2FA is set up #32061

Open Thesola10 opened 2 years ago

Thesola10 commented 2 years ago


Bug description

First reported on GNOME/gvfs#617.

When accessing the remote.php/dav or remote.php/webdav endpoints with a correct, 2FA-enabled username and an incorrect/empty password (like GVFS does), the particular error does not return a WWW-Authenticate header, which violates the standard and prevents GVFS from connecting.

This only occurs with the password login forbidden error.

Steps to reproduce

  1. Given user 2fauser with 2-factor authentication enabled
  2. curl -i https://2fauser:@NC/remote.php/dav
  3. No www-authenticate header.

Expected behavior

The error returns a www-authenticate header, like other 401 errors.

Installation method

NixOS option services.nextcloud

Operating system

NixOS 21.11

PHP engine version

PHP 8.0.18

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

No response

List of activated Apps

Enabled:
  - accessibility: 1.9.0
  - activity: 2.15.0
  - admin_audit: 1.13.0
  - announcementcenter: 6.1.1
  - apporder: 0.15.0
  - breezedark: 23.2.1
  - bruteforcesettings: 2.4.0
  - calendar: 3.2.2
  - camerarawpreviews: 0.7.15
  - circles: 23.1.0
  - cloud_federation_api: 1.6.0
  - cms_pico: 1.0.18
  - collectives: 1.0.0
  - comments: 1.13.0
  - contacts: 4.1.0
  - contactsinteraction: 1.4.0
  - dashboard: 7.3.0
  - data_request: 1.10.0
  - dav: 1.21.0
  - deck: 1.6.1
  - dicomviewer: 1.2.3
  - drawio: 1.0.2
  - external: 3.10.2
  - extract: 1.3.3
  - federatedfilesharing: 1.13.0
  - federation: 1.13.0
  - files: 1.18.0
  - files_3d: 0.5.0
  - files_accesscontrol: 1.13.0
  - files_automatedtagging: 1.13.0
  - files_external: 1.15.0
  - files_fulltextsearch: 23.0.1
  - files_linkeditor: 1.1.9
  - files_rightclick: 1.2.0
  - files_sharing: 1.15.0
  - files_trashbin: 1.13.0
  - files_versions: 1.16.0
  - files_videoplayer: 1.12.0
  - firstrunwizard: 2.12.0
  - flow_notifications: 1.2.0
  - forms: 2.5.0
  - fulltextsearch: 23.0.0
  - fulltextsearch_elasticsearch: 23.0.0
  - gpxmotion: 0.1.0
  - groupfolders: 11.1.2
  - guests: 2.2.0
  - impersonate: 1.10.0
  - integration_dropbox: 1.0.4
  - integration_google: 1.0.6
  - integration_onedrive: 1.1.2
  - jsloader: 1.5.0
  - keeporsweep: 0.2.1
  - keeweb: 0.6.8
  - logreader: 2.8.0
  - lookup_server_connector: 1.11.0
  - mail: 1.11.7
  - maps: 0.1.10
  - mediadc: 0.1.9
  - metadata: 0.15.0
  - music: 1.5.1
  - nextcloud_announcements: 1.12.0
  - notes: 4.3.1
  - notifications: 2.11.1
  - oauth2: 1.11.0
  - oidc: 0.1.0
  - onlyoffice: 7.3.2
  - password_policy: 1.13.0
  - photos: 1.5.0
  - previewgenerator: 4.0.0
  - privacy: 1.7.0
  - provisioning_api: 1.13.0
  - quota_warning: 1.14.0
  - ransomware_protection: 1.13.0
  - recognize: 1.11.0
  - recommendations: 1.2.0
  - serverinfo: 1.13.0
  - settings: 1.5.0
  - side_menu: 2.3.5
  - socialsharing_email: 2.5.0
  - socialsharing_facebook: 2.5.0
  - socialsharing_twitter: 2.5.0
  - solid: 0.0.3
  - spreed: 13.0.5
  - survey_client: 1.11.0
  - systemtags: 1.13.0
  - tasks: 0.14.4
  - text: 3.4.1
  - theming: 1.14.0
  - theming_customcss: 1.11.0
  - twofactor_backupcodes: 1.12.0
  - twofactor_email: 2.3.0
  - twofactor_nextcloud_notification: 3.3.1
  - twofactor_totp: 6.2.0
  - twofactor_u2f: 6.3.0
  - twofactor_webauthn: 0.3.1
  - unsplash: 1.2.4
  - updatenotification: 1.13.0
  - user_status: 1.3.1
  - viewer: 1.7.0
  - weather_status: 1.3.0
  - welcome: 1.0.1
  - workflow_pdf_converter: 1.8.0
  - workflow_script: 1.8.0
  - workflowengine: 2.5.0
Disabled:
  - encryption: 2.5.0
  - files_pdfviewer: 2.1.0
  - hidesidebars: 2.0.0
  - integration_whiteboard: 0.0.14
  - openhab: 0.9.5
  - quickaccesssorting: 1.1.3
  - richdocuments: 5.0.3
  - richdocumentscode: 21.11.306
  - sharebymail: 1.12.0
  - souvenirs: 1.3.0
  - support: 1.0.0
  - telephoneprovider: 1.0.3
  - user_ldap: 1.5.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

Thesola10 commented 2 years ago

Here's a quick HTTP dump of the issue (some info redacted):

curl -i https://has2fa:@nextcloud/remote.php/dav

HTTP/2 401 
server: nginx
date: Fri, 22 Apr 2022 09:33:21 GMT
content-type: application/xml; charset=utf-8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=...; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: ...; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
content-security-policy: default-src 'none';
strict-transport-security: max-age=15552000; includeSubDomains

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>

curl -i https://no2fa:@nextcloud/remote.php/dav

HTTP/2 401 
server: nginx
date: Fri, 22 Apr 2022 09:33:32 GMT
content-type: application/xml; charset=utf-8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=...; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
content-security-policy: default-src 'none';
set-cookie: ...; path=/; secure; HttpOnly; SameSite=Lax
www-authenticate: Basic realm="Nextcloud", charset="UTF-8"
strict-transport-security: max-age=15552000; includeSubDomains

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect</s:message>
</d:error>

Note that the www-authenticate header, second-to-last in the non-2FA output, is missing from the 2FA output. This is what this bug is reporting. As mentioned on GNOME/gvfs#617, this is causing libsoup to not retry authentication, and GNOME integration to fail to mount the WebDAV filesystem.
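The two dumps above show the defect directly: RFC 7235 section 3.1 requires a server that generates a 401 to send a WWW-Authenticate header field, and a Basic-auth client such as libsoup only retries with credentials when it sees one. The following checker is an added example, not code from Nextcloud, gvfs or anyone in this thread. Its two sample header blocks are constructed from the dumps above (cookies and body dropped); `probe()` is an optional live variant that assumes a host and account you control and is not exercised here.

```python
"""Flag 401 responses that omit the WWW-Authenticate header RFC 7235 s.3.1
requires.  Added example, not Nextcloud or gvfs code."""
import base64
import http.client
from typing import Optional

# Constructed samples modelled on the two curl dumps in the thread
# (2FA user vs. non-2FA user, both with an empty password).  Not live captures.
RESP_2FA_USER = """HTTP/2 401
server: nginx
content-type: application/xml; charset=utf-8
cache-control: no-store, no-cache, must-revalidate
content-security-policy: default-src 'none';
strict-transport-security: max-age=15552000; includeSubDomains
"""

RESP_PLAIN_USER = """HTTP/2 401
server: nginx
content-type: application/xml; charset=utf-8
cache-control: no-store, no-cache, must-revalidate
content-security-policy: default-src 'none';
www-authenticate: Basic realm="Nextcloud", charset="UTF-8"
strict-transport-security: max-age=15552000; includeSubDomains
"""


def parse_response_head(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Split a status line plus header block into (status, headers).
    Header names are lower-cased; repeated headers are kept as a list."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def challenge_schemes(headers: dict[str, list[str]]) -> list[str]:
    """Auth-scheme tokens from every WWW-Authenticate value, e.g. ['Basic'].
    One challenge per header value is assumed (enough for Nextcloud's reply)."""
    return [v.split(None, 1)[0] for v in headers.get("www-authenticate", [])
            if v.strip()]


def check_401(raw: str) -> Optional[str]:
    """None when the response is acceptable, else a description of the defect.
    Only 401s are judged; other statuses need no challenge."""
    status, headers = parse_response_head(raw)
    if status != 401:
        return None
    if not challenge_schemes(headers):
        return ("401 without WWW-Authenticate (RFC 7235 s.3.1); "
                "a Basic-auth client will not retry with credentials")
    return None


def probe(host: str, user: str, password: str = "",
          path: str = "/remote.php/dav", timeout: float = 10.0) -> Optional[str]:
    """Live variant: send one Basic-auth request like the curl repro and run
    check_401 over the real response head.  Hypothetical host/user; use only
    against an instance you operate."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.request("PROPFIND", path, headers={"Authorization": f"Basic {token}",
                                            "Depth": "0"})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status}\n" + "".join(
        f"{k}: {v}\n" for k, v in resp.getheaders())
    conn.close()
    return check_401(head)


if __name__ == "__main__":
    for label, sample in (("2fa user", RESP_2FA_USER),
                          ("plain user", RESP_PLAIN_USER)):
        print(label, "->", check_401(sample) or "ok")
```

Running the block prints a defect for the 2FA sample and "ok" for the non-2FA sample, which is exactly the asymmetry the two dumps show. The live `probe()` is separated from the pure checker so the parsing logic can be exercised on captured traffic without touching any server.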

nextcloud-command commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

Thesola10 commented 2 years ago

What kind of additional info is needed?

nextcloud-command commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

ruliane commented 1 year ago

Can we reopen this issue, as it seems to be unresolved in the latest versions?

joshtrichards commented 1 week ago

I suspect this either got closed without review by accident or because it lacked a configuration and version info to review against while reproducing.

I haven't looked into this matter at all, but did run across it (this closed issue, not the prospective bug itself) while reviewing some other work. So reopened for later follow-up and to link the PR on the gvfs side that is supposedly a workaround for something we're doing that is unexpected here:

https://gitlab.gnome.org/GNOME/gvfs/-/commit/6636d89ff549d2ea51dbe2911bae92250be8bea0