nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

CORS support in login v2 and OAuth2 flow #34898

Open salonikumawat28 opened 1 year ago

salonikumawat28 commented 1 year ago

Context

I have created a NextCloud app which adds a file menu item in Files app. When you click this menu item, it opens our website. From this website, I want to login into NextCloud so that I can get credentials which I can use to download and upload files.

First step I did was using the hardcoded username:password and passed it in Authorization header to download and upload URLs which failed on CORS. I was able to resolve the CORS issues once I installed WebAppPassword and whitelisted my website.

As a second step, I replaced the hardcoded username:password with the login v2 flow and it failed on CORS. This was surprising as my website origin was already whitelisted in WebAppPassword and was working for download and upload URLs. As a temporary hack, I added @CORS annotation in the login v2 controllers and it worked on all URLs except login/v2/poll because it fails on preflight request as it's a POST call with JSON content type. To solve this, another temporary hack I did was to add a preflight URL for the login v2 flow.

As a third step, I tried the OAuth2 flow. Similar to second step, I faced CORS and preflight issues. As a temporary hack I added @CORS in apps/oauth2/lib/Controller/OauthApiController.php methods and added preflight URL route.

Problem

As these hacks were direct code changes in the NextCloud server code, I want to replace these hacks with a proper solution. Things I tried:

  1. In my NextCloud app, I registered a Middleware to resolve the CORS issues. The problem is that the Middleware works only for the URLs pointed to the app I wrote and it doesn't work on the login URLs. Even if it works somehow, it will not resolve the preflight issue as the preflight route is not present.

Feature request

  1. Ask: Generic solution for CORS for NextCloud app developer

    As a NextCloud app developer, we can't make changes in the NextCloud server. So what's the generic solution for NextCloud app developers to resolve CORS and preflight issues?

  2. Ask: Update login flow documentation

    As a NextCloud app developer, we rely on the login flow documentation (Login v2, OAuth), which doesn't talk about CORS issues and how to resolve them. This ask is to update the login flow documentation to cover such issues and ways to resolve them.

  3. Ask: Extend WebAppPassword for login URLs

    As WebAppPassword works for download and upload URLs, can you extend the WebAppPassword support for login flows (both login v2 and OAuth) as well?
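The "fails on preflight" symptom in the first comment comes down to two browser rules: which request shapes trigger an OPTIONS preflight at all, and what the server must answer for the preflight to pass. The following is an added example, not Nextcloud or WebAppPassword code; it models both rules in Python (simplified from the Fetch standard's CORS-safelisted definitions: per-header byte checks and the 128-byte value limit are omitted), and the allow list, method list and header list passed to `preflight_response` are constructed values for illustration.

```python
"""Model of browser CORS preflight rules and of an allow-list preflight answer.

Added example, not Nextcloud code. Classification follows the Fetch standard's
"CORS-safelisted" rules in simplified form.
"""
from __future__ import annotations

from typing import Iterable, Optional

# A cross-origin request is sent without a preflight only if ALL of these hold.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type", "range"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, headers: dict[str, str]) -> bool:
    """Return True when a browser would send OPTIONS before this cross-origin request."""
    if method.upper() not in SAFE_METHODS:
        return True  # PUT, DELETE, PROPFIND, ... always preflight
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS:
            return True  # e.g. Authorization or OCS-APIRequest set by script
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFE_CONTENT_TYPES:
                return True  # application/json is the classic trigger
    return False


def preflight_response(
    origin: str,
    requested_method: str,
    requested_headers: str,
    allowed_origins: Iterable[str],
    allowed_methods: tuple[str, ...] = ("GET", "POST", "PUT", "DELETE", "OPTIONS"),
    allowed_headers: tuple[str, ...] = ("authorization", "content-type", "ocs-apirequest"),
) -> Optional[dict[str, str]]:
    """Headers for a successful OPTIONS answer, or None when the preflight must be refused.

    The origin is matched exactly against an explicit allow list and echoed back
    (never "*"), so a browser on an unlisted origin gets no grant at all.
    """
    if origin not in set(allowed_origins):
        return None
    if requested_method.upper() not in {m.upper() for m in allowed_methods}:
        return None
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if not wanted <= set(allowed_headers):
        return None  # a header the policy does not cover: refuse rather than widen
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(allowed_methods),
        "Access-Control-Allow-Headers": ", ".join(allowed_headers),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",  # responses differ per origin; keep caches honest
    }


if __name__ == "__main__":
    # Constructed request shapes mirroring the thread's three cases.
    cases = [
        ("WebDAV GET with Authorization", "GET", {"Authorization": "Basic xyz"}),
        ("login/v2/poll as form post", "POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        ("login/v2/poll as JSON post", "POST", {"Content-Type": "application/json"}),
    ]
    for label, method, hdrs in cases:
        print(f"{label}: preflight={needs_preflight(method, hdrs)}")
    grant = preflight_response("https://app.example", "POST", "content-type", {"https://app.example"})
    print("allow-listed origin gets:", grant)
    print("unlisted origin gets:", preflight_response("https://other.example", "POST", "content-type", {"https://app.example"}))
```

Two things the model makes visible: a form-encoded POST to the poll endpoint would not preflight at all (the actual response still needs `Access-Control-Allow-Origin`), and an allow-list answer refuses anything it was not configured for instead of reflecting whatever the browser asked.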

salonikumawat28 commented 1 year ago

I looked into similar issues like https://github.com/nextcloud/server/issues/3131 and all the solution attempts and temporary hacks mentioned in the issue were based on the suggestions mentioned in the issue, the NextCloud login v2 flow doc and the NextCloud OAuth flow doc, but I was not able to find a solution which doesn't involve changes in the NextCloud server.

salonikumawat28 commented 1 year ago

Gentle reminder: Can someone help me with this?

salonikumawat28 commented 1 year ago

Can someone please help me with this issue?

meltzow commented 1 year ago

same problem here.

juliusknorr commented 1 year ago

I think for the Login Flow V2 controller it should be fine to set the @CORS annotation on the API endpoints, but I'm not fully sure if there would be any security implications by that.

For Oauth or CORS in general I think we should have some way so that admins can configure a potential allow list. Maybe we could start with just having a config.php option for this to set the header accordingly in https://github.com/nextcloud/server/blob/c8b7a233a5b05fd4402936a343b0dc1f6442c5ed/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php#L134

@julien-nc Didn't you also recently setup something with the oauth app?

julien-nc commented 1 year ago

@juliushaertl Not really, no. The only topic where it is currently possible to canonically deal with CORS headers is WebDAV endpoints (by adding a Sabre plugin like the WebAppPassword app does).

@salonikumawat28 By the way, out of topic, if you want to avoid having WebAppPassword as a dependency, you can easily implement a similar Sabre plugin in your app that will whitelist your website's domain.

IMO you can avoid dealing with CORS issues if you implement the login flow v2 or OAuth2 code flow using your website's backend which will be able to reach the "/token" endpoint. Once you get an OAuth token (or an app password), you can provide it to your frontend which can then use it for requests to WebDAV endpoints (CORS being dealt with by WebAppPassword).

But maybe you have a strong constraint to perform the auth flows entirely in the browser.

The integration_* apps implement the OAuth2 code flow (to connect to external services) using the NC backend to perform the last /token request.

So for you, the OAuth implementation would be:
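The backend-mediated approach described in this comment, worked through for login flow v2 as an added example (not Nextcloud code, not the integration_* apps' code, and not the poster's own implementation). The endpoint shapes follow the Login Flow v2 documentation linked earlier in the thread: POST to `/index.php/login/v2` to start, open the returned `login` URL in the user's browser, then POST `token=...` to the returned poll endpoint, which answers 404 until the user has finished. Because the backend does the polling, no CORS header is involved on the login endpoints. The HTTP transport is injected, and `FakeNextcloud`, the base URL, user name and token values are constructed stand-ins so the block runs offline; `urllib_transport` is the real-world transport you would pass instead.

```python
"""Login flow v2 driven from the website's backend rather than the browser.

Added example, not Nextcloud code. Endpoint shapes follow the Login Flow v2
documentation; FakeNextcloud and all sample values are constructed.
"""
from __future__ import annotations

import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

# (url, form_fields, extra_headers) -> (http_status, body_bytes)
Transport = Callable[[str, dict, dict], tuple[int, bytes]]


@dataclass
class LoginSession:
    login_url: str      # hand this to the browser to open; nothing else leaves the backend
    poll_endpoint: str
    poll_token: str     # secret that binds the poll to this session; keep server-side


@dataclass
class AppCredentials:
    server: str
    login_name: str
    app_password: str   # per-device credential; can be revoked by the user in Nextcloud


def start_login(nc_base: str, post: Transport, user_agent: str = "ExampleWebsite/1.0") -> LoginSession:
    """Step 1: ask Nextcloud for a login URL plus a poll token (documented POST /index.php/login/v2)."""
    status, body = post(f"{nc_base}/index.php/login/v2", {}, {"User-Agent": user_agent})
    if status != 200:
        raise RuntimeError(f"login/v2 init failed: HTTP {status}")
    data = json.loads(body)
    return LoginSession(data["login"], data["poll"]["endpoint"], data["poll"]["token"])


def poll_once(session: LoginSession, post: Transport) -> Optional[AppCredentials]:
    """Step 3 (one round): 404 means 'user not done yet', 200 carries the app password."""
    status, body = post(session.poll_endpoint, {"token": session.poll_token}, {})
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"login/v2 poll failed: HTTP {status}")
    data = json.loads(body)
    return AppCredentials(data["server"], data["loginName"], data["appPassword"])


def complete_login(session: LoginSession, post: Transport, max_polls: int = 120,
                   wait: Callable[[], None] = lambda: time.sleep(5)) -> AppCredentials:
    """Poll until the user has approved the login in their browser, with a bounded number of tries."""
    for _ in range(max_polls):
        creds = poll_once(session, post)
        if creds is not None:
            return creds
        wait()
    raise TimeoutError("user did not finish the login flow in time")


def urllib_transport(url: str, form: dict, headers: dict) -> tuple[int, bytes]:
    """Real transport: form-encoded POST from the backend (no browser, so no CORS)."""
    req = urllib.request.Request(
        url, data=urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", **headers},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FakeNextcloud:
    """Constructed stand-in for a Nextcloud server: 404s on the first N polls, then succeeds."""

    def __init__(self, base: str = "https://cloud.example.test", polls_until_done: int = 2):
        self.base, self.remaining, self.token = base, polls_until_done, "constructed-poll-token"

    def __call__(self, url: str, form: dict, headers: dict) -> tuple[int, bytes]:
        if url == f"{self.base}/index.php/login/v2":
            return 200, json.dumps({"poll": {"token": self.token, "endpoint": f"{self.base}/login/v2/poll"},
                                    "login": f"{self.base}/login/v2/flow/constructed"}).encode()
        if url == f"{self.base}/login/v2/poll" and form.get("token") == self.token:
            if self.remaining > 0:
                self.remaining -= 1
                return 404, b""
            return 200, json.dumps({"server": self.base, "loginName": "alice",
                                    "appPassword": "constructed-app-password"}).encode()
        return 404, b""


if __name__ == "__main__":
    fake = FakeNextcloud()
    session = start_login(fake.base, fake)
    print("send the browser to:", session.login_url)
    creds = complete_login(session, fake, wait=lambda: None)
    print("app password obtained for", creds.login_name, "on", creds.server)
```

In a real deployment `start_login(base, urllib_transport)` runs in the request that starts the login, the `LoginSession` is kept in the website's server-side session, and a background task or a later request calls `complete_login`; what is then handed to the frontend (as the comment suggests, the app password for WebDAV calls) is a choice the site makes, and the poll token never needs to reach the browser at all.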

meltzow commented 1 year ago

Hi, I develop an open-source Progressive web app (PWA) for nextcloud deck. I want to use login v2 too, but I got the same CORS issue as described above. I can't understand why the public Login Flow V2 controller doesn't have the @CORS annotation. Currently I must "hack" my application and use native HTTP requests to solve the CORS issues, because native HTTP requests ignore some security things. Are there any plans to add the annotations in login flow v2? If not, why? Thank you.

beatles1 commented 7 months ago

I'm also confused by this. I've made a browser extension for someone else's Nextcloud app. I want to be able to use the login v2 flow, but because my app is in a browser and respects CORS I can't without asking the user for full permission to the server's domain.

I don't understand why the login flow would be configured to only work for the same origin, I'd assume using it from other origins is one of the main reasons it exists. Of course this works fine from a mobile app or something which doesn't respect CORS but just not for client only webapps.

Chalolennox commented 6 months ago

Is someone still working on this? Honestly, this is an essential feature.