nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Direct download does not work for cross-site requests #35519

Open Kharonus opened 1 year ago

Kharonus commented 1 year ago

Bug description

The direct download link, returned by this API request, does not work if embedded into any other website.

Steps to reproduce

  1. As an authenticated user, fetch direct download link with POST /ocs/v2.php/apps/dav/api/v1/direct.
  2. Take direct download link from response and put it into any anchor tag of your website (not nextcloud).
  3. Open a private browser window (free of cookies) and open the website.
  4. Click the link.
  5. Open the website again and click the link again.

Expected behavior

The download behaviour should happen every time I click the link.

Installation method

Community Docker image

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

No response

What user-backends are you using?

Configuration report

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost:8080",
            "nextcloud.local"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "24.0.3.2",
        "overwrite.cli.url": "http:\/\/localhost:8080",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "allow_local_remote_servers": "1",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "loglevel": 2,
        "maintenance": false,
        "theme": ""
    }
}

List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - bruteforcesettings: 2.4.0
  - circles: 24.0.0
  - cloud_federation_api: 1.7.0
  - collectives: 1.5.1
  - comments: 1.14.0
  - contacts: 4.2.2
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - groupfolders: 12.0.2
  - integration_openproject: 2.1.0
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - notifications: 2.12.0
  - oauth2: 1.12.0
  - password_policy: 1.14.0
  - photos: 1.6.0
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - spreed: 14.0.6
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor_backupcodes: 1.13.0
  - updatenotification: 1.14.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_ldap

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"vifcuHKr0T2v2d9aydgl","level":2,"time":"2022-11-30T12:12:47+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-error-message data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"oh7532vEBNTh8ndAnIBT","level":3,"time":"2022-11-30T12:28:25+00:00","remoteAddr":"172.25.0.2","user":"--","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/dav/api/v1/direct","message":"TypeError: OCA\\DAV\\Controller\\DirectController::__construct(): Argument #4 ($userId) must be of type string, null given at /var/www/html/apps/dav/lib/Controller/DirectController.php#63","userAgent":"Apache-HttpClient/4.5.13 (Java/17.0.5)","version":"24.0.3.2","data":{"app":"PHP"}}
{"reqId":"28dSD3V0hhbIMDKuGtsI","level":3,"time":"2022-11-30T12:30:03+00:00","remoteAddr":"172.25.0.2","user":"--","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/dav/api/v1/direct","message":"TypeError: OCA\\DAV\\Controller\\DirectController::__construct(): Argument #4 ($userId) must be of type string, null given at /var/www/html/apps/dav/lib/Controller/DirectController.php#63","userAgent":"Apache-HttpClient/4.5.13 (Java/17.0.5)","version":"24.0.3.2","data":{"app":"PHP"}}
{"reqId":"wmA9bXmSZiLXk2S6F1iT","level":2,"time":"2022-11-30T13:19:15+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-result data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"wmA9bXmSZiLXk2S6F1iT","level":2,"time":"2022-11-30T13:19:15+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-error-message data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"W57pdtZueQnpWjS20lGB","level":2,"time":"2022-11-30T13:46:03+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-result data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"W57pdtZueQnpWjS20lGB","level":2,"time":"2022-11-30T13:46:03+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-error-message data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}

Additional info

The request done by clicking the <a> tag with the target reference returns a 503. It does not happen if executed in a browser without any cookies set for the Nextcloud host. Yet executing it once opens the NC domain, and doing so sets cookies. Hence, doing it twice, even in a "fresh" browser, leads to the same error behaviour.

For example purposes I used a simple HTML page like:

<!DOCTYPE html>
<html>
  <head>
    <title>Test direct download</title>
    <meta charset="utf-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1">
  </head>
  <body>
    <a href="https://YOUR.HOST/remote.php/direct/YOUR_TOKEN">Click me</a>
  </body>
</html>
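As an added triage example (not part of this issue or of Nextcloud's own code), the following Python reads Nextcloud's JSON-lines log, as excerpted above, and pulls out the error-level entries on the direct-download endpoint that ran with no authenticated user ("--"), which is exactly the DirectController TypeError the report shows. The sample lines are constructed, modelled on the excerpt with reqIds shortened and unrelated fields dropped.

```python
import json
from collections import Counter

# Constructed sample, modelled on the log excerpt in this issue (not captured data).
# Raw string so the JSON escape "\\" reaches the parser unchanged.
SAMPLE_LOG = r"""
{"reqId":"a1","level":2,"time":"2022-11-30T12:12:47+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-error-message data provided to provideInitialState by integration_openproject","version":"24.0.3.2"}
{"reqId":"b2","level":3,"time":"2022-11-30T12:28:25+00:00","remoteAddr":"172.25.0.2","user":"--","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/dav/api/v1/direct","message":"TypeError: OCA\\DAV\\Controller\\DirectController::__construct(): Argument #4 ($userId) must be of type string, null given at /var/www/html/apps/dav/lib/Controller/DirectController.php#63","version":"24.0.3.2"}
{"reqId":"c3","level":3,"time":"2022-11-30T12:30:03+00:00","remoteAddr":"172.25.0.2","user":"--","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/dav/api/v1/direct","message":"TypeError: OCA\\DAV\\Controller\\DirectController::__construct(): Argument #4 ($userId) must be of type string, null given at /var/www/html/apps/dav/lib/Controller/DirectController.php#63","version":"24.0.3.2"}
this line is not JSON and must be skipped, not crash the triage
"""

DIRECT_ENDPOINT = "/ocs/v2.php/apps/dav/api/v1/direct"
LEVEL_ERROR = 3  # Nextcloud log levels: 0 debug, 1 info, 2 warning, 3 error, 4 fatal


def parse_log(text):
    """Return one dict per well-formed JSON line; malformed lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def direct_api_failures(entries, min_level=LEVEL_ERROR):
    """Entries at error level or above on the direct-download endpoint that were
    served without an authenticated user ("--"): the symptom shown in the report."""
    return [
        e for e in entries
        if e.get("level", 0) >= min_level
        and e.get("url", "") == DIRECT_ENDPOINT
        and e.get("user") == "--"
    ]


def summarize(entries):
    """Count (level, method, url, user) tuples so unauthenticated hits stand out."""
    return Counter(
        (e.get("level"), e.get("method"), e.get("url"), e.get("user")) for e in entries
    )


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for hit in direct_api_failures(found):
        print(hit["time"], hit["reqId"], hit["message"][:60])
    for key, count in summarize(found).items():
        print(count, key)
```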

Kharonus commented 1 year ago

Ahoi @julien-nc ,

as decided in the last Jour Fixe, I assembled a full-scale bug report with all the information I gathered around the direct download bug.

szaimen commented 1 year ago

Hi, please update to 25.0.7 or better 26.0.2 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 26-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However, this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

Kharonus commented 1 year ago

Ahoi @szaimen,

thanks for your efforts.

I updated my NC testing instance to 26.0.1 and executed the above-mentioned reproduction steps, and the problem still persists. You mentioned that you were not able to reproduce it. Would a video help explain the steps in more detail?