authentication issue

[benjaminfrank]

Since 0.10.0 I see some strange logs in my caldav/carddav server (owncloud via apache). It seems all requests are done twice: first all requests unauthenticated (HTTP status 401, no username in logs) and then all authenticated (an thus succeeding). Hence vdirsyncer does not complain but finishes succesfully. Any idea what might be wrong?

• Your vdirsyncer version

0.10.0

• Your Python version

Python 3.5.1 (default, Dec 11 2015, 22:37:54)
[GCC 4.2.1 Compatible Apple LLVM 7.0.0 (clang-700.1.76)] on darwin

• Your operating system

Mac OS X 10.11.4

• Your config file

[general]
status_path = ~/.vdirsyncer/status/

[pair contacts]
a = contacts_local
b = contacts_remote
collections = ["from b"]

[pair calendar]
a = calendar_local
b = calendar_remote
collections = ["from b"]

[storage calendar_local]
path = ~/.calendar
type = filesystem
fileext = .ics

[storage calendar_remote]
type = caldav
url = <server>
verify = true
username = <user>
password.fetch = <redacted>

[storage contacts_local]
type = filesystem
path = ~/.contacts/
fileext = .vcf

[storage contacts_remote]
type = carddav
url = <server>
verify=true
username = <user>
password.fetch = <redacted>

• Use vdirsyncer -vdebug for debug output.

No strange errors, can send detailed output via mail

• webserver logfile

<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/carddav/addressbooks/<user>/<addressbookname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/carddav/addressbooks/<user>/<addressbookname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/carddav/addressbooks/<user>/<addressbookname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - - [10/May/2016:20:30:40 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 401 4355 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/carddav/addressbooks/<user>/<addressbookname>/ HTTP/1.1" 207 12634 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:48 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 207 63001 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 207 9963 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/carddav/addressbooks/<user>/<addressbookname>/ HTTP/1.1" 207 18999 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 207 49716 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/carddav/addressbooks/<user>/<addressbookname>/ HTTP/1.1" 207 22740 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 207 41041 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 207 14490 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:47 +0200] "PROPFIND /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 207 21140 "-" "vdirsyncer"
<IP> - <user> [10/May/2016:20:30:57 +0200] "REPORT /remote.php/caldav/calendars/<user>/<calendarname>/ HTTP/1.1" 207 24130 "-" "vdirsyncer"

[untitaker]

This has been there in earlier versions. That behavior is not really incorrect.

There are two things vdirsyncer doesn't know about how to do authentication beforehand:

• Which authentication method to use. Two are relevant: basic and digest. digest was established as a "more secure" method, but with HTTPS deployed, they don't differ in security at all. The server dictates which authentication scheme has to be used.
• Whether the server requires a username/password at all.

So, vdirsyncer sends an unauthenticated request. If the server returns 401, a password is required. In that case, the response also contains a header with the authentication method dictated by the server.

There are many clients that just send the password using the basic method, without asking the server first. Of course this is more performant, and also works with most servers. But not with all, at least in theory. If your server supports it, set this in your storage config:

auth = basic

[untitaker]

Note that vdirsyncer did initially have auth = basic as default. See https://github.com/pimutils/vdirsyncer/issues/33.

[benjaminfrank]

Interesting, I never saw those unauthenticated queries before. but that might have been due to my logging or something. your suggestion works as expected. Thanks a lot!