nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

No Auth Header on HTTP Basic Auth #110

Closed flexwie closed 4 years ago

flexwie commented 4 years ago

Steps to reproduce

  1. setup HTTP Basic Auth
  2. log header of request on the serverside
  3. profit

Expected behaviour

There should be a header called Authorization with the username and password Base64 encoded, as stated here

Actual behaviour

The headers look like this and include x-forwarded-for, host and connection

Affected Authentication backend

HTTP Basic Auth

Server configuration

User External App version: (see Nextcloud apps page)

Operating system: Ubuntu 16.04

Web server: nginx

Database: mySQL

PHP version: 7.2

Nextcloud version: 16.0

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: nextcloud manual

Signing status:

```
Signing status
=======
- core
  - INVALID_HASH
    - .htaccess
  - FILE_MISSING
    - .user.ini

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [.htaccess] => Array
                        (
                            [expected] => f30494d88fc2d7caf0be8b27629cb246483cea0203696e44fd376bff19db51bb89c9f4076b1f849627ef3cb011f4a20088116e7b0d10ce467a3dde5db71e108b
                            [current] => cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
                        )
                )
            [FILE_MISSING] => Array
                (
                    [.user.ini] => Array
                        (
                            [expected] => 4843b3217e91f8536cb9b52700efb20300290292cf6286f92794d4cec99df286afeb7dd6c91b1be20bc55eda541eef230a5c5e7dcd46c189edd0ed1e80c6d3f5
                            [current] =>
                        )
                )
        )
)
```

List of activated apps:

App list

```
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
```

nerdmaennchen commented 4 years ago

Hello flexwie, thank you for contributing!

The described behavior indeed sounds undesired. However, the BasicAuth code performs two requests to the authentication backend.

The idea behind this strategy is to prevent logins to nextcloud when the backend is misconfigured or the URI is set up incorrectly. E.g., when a resource is loaded that would always give a 200 response code and therefore would allow any username/password combination to log in.

Could you check again if you see both requests?

All the best, Lutz

flexwie commented 4 years ago

Thanks for your response! I only see one request like this:

```
0|index | {
0|index |   'x-forwarded-for': '116.203.xxx.xx',
0|index |   host: 'xxx.com',
0|index |   connection: 'close'
0|index | }
0|index | GET /api/auth 500 - 21.736 ms
```

flexwie commented 4 years ago

It seems that the plugin is looking for a www-authenticate header on the first request? Is this a desired behaviour? If yes, it would be good to include this information in the documentation and add a hint to the error message.

nerdmaennchen commented 4 years ago

You're absolutely correct. This is confusing and I didn't mention the necessity of that response header. And yeah... this matter should be documented!

Sorry for the troubles!
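As an added illustration of the two-request strategy Lutz describes above and the WWW-Authenticate requirement confirmed here (example code, not the user_external app's own implementation; the backend handler, its status codes, the header matching and the sample user are assumptions):

```javascript
// Added example, not code from the user_external app. It models the two-request
// strategy described in the thread: probe without credentials, expect a challenge,
// then send credentials. Status codes, header names and the user store are assumptions.

const USERS = { alice: 'correct horse battery staple' }; // constructed sample user
const CHALLENGE = { 'WWW-Authenticate': 'Basic realm="nextcloud"' };

// Constant-time comparison of a constructed plaintext secret (a real backend would
// compare against a password hash, e.g. with crypto.timingSafeEqual on the digests).
function passwordMatches(user, password) {
  const expected = USERS[user];
  if (expected === undefined || expected.length !== password.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ password.charCodeAt(i);
  return diff === 0;
}

// Backend handler: request headers in, { status, headers } out.
// A request without Authorization must be answered 401 + WWW-Authenticate,
// which is the response the first (credential-less) request looks for.
function handleAuthRequest(headers) {
  const auth = headers['authorization'];
  if (!auth) return { status: 401, headers: CHALLENGE };
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(auth);
  if (!m) return { status: 400, headers: {} };
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // RFC 7617: user-id may not contain ':', password may
  if (sep < 0) return { status: 400, headers: {} };
  const ok = passwordMatches(decoded.slice(0, sep), decoded.slice(sep + 1));
  return ok ? { status: 200, headers: {} } : { status: 401, headers: CHALLENGE };
}

// Client side (the strategy the maintainer describes): the unauthenticated probe must
// be challenged, otherwise a backend that always answers 200 would accept any credentials.
function basicAuthLogin(backend, user, password) {
  const probe = backend({});
  const challenged = probe.status === 401 &&
    Object.keys(probe.headers).some((h) => h.toLowerCase() === 'www-authenticate');
  if (!challenged) return { ok: false, reason: 'no challenge on unauthenticated probe' };
  const token = Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
  const res = backend({ authorization: `Basic ${token}` });
  return res.status === 200 ? { ok: true, reason: '' } : { ok: false, reason: `status ${res.status}` };
}

// Misconfigured backend from the maintainer's explanation: 200 for everything.
function alwaysOk() { return { status: 200, headers: {} }; }
```

Wiring `handleAuthRequest` behind a real HTTP route is left to the reader; the point is that the first request in the log above, the one with no Authorization header, must get the 401 challenge rather than a 500.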

violoncelloCH commented 4 years ago

nice, thank you both for the contributions! let's merge that...