pulsejet / memories

Fast, modern and advanced photo management suite. Runs as a Nextcloud app.
https://memories.gallery
GNU Affero General Public License v3.0

[Android App] Photos page always returns error #1336

Closed. exu-g closed this issue 2 weeks ago.

exu-g commented 3 weeks ago

Describe the bug

I'm getting the "Failed to fetch" error every time I'm visiting the main timeline page.
My efforts to find blocked connections on the server side so far haven't turned up anything, and I wasn't able to find anything relevant in Logcat on my phone.

Memories in Nextcloud is fully working and shows the timeline without issue. Preview Generator is working as well.

Steps To Reproduce

  1. Open the memories app
  2. Log in
  3. Observe error on the default screen

Platform

- OS: Android 14 (LineageOS 21)
- Browser: Memories app (F-Droid, version 1.12)
- Memories Version: 7.4.1
- Nextcloud Version: 29.0.8
- PHP Version: 8.2.24

Screenshots

No response

Additional context

I'm running Nextcloud with Apache2, but behind an nginx reverse proxy. Here are the relevant lines from the log for both:

nginx

178.194.142.206 - - [04/Nov/2024:17:43:22 +0100] "GET /index.php/apps/memories/api/days HTTP/2.0" 200 1161 "https://nextcloud.exu.li/index.php/apps/memories/" "MemoriesNative/1.12 Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.76 Mobile Safari/537.36"
178.194.142.206 - - [04/Nov/2024:17:43:22 +0100] "POST /index.php/apps/memories/api/days HTTP/2.0" 200 802 "https://nextcloud.exu.li/index.php/apps/memories/" "MemoriesNative/1.12 Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.76 Mobile Safari/537.36"

apache2

172.18.50.51 - - [04/Nov/2024:17:43:10 +0100] "POST /index.php/apps/memories/api/days HTTP/1.1" 200 1509
172.18.50.51 - - [04/Nov/2024:17:43:10 +0100] "GET /index.php/apps/memories/api/days HTTP/1.1" 200 1869

exu-g commented 3 weeks ago

On a whim I decided to disable all Content Security Policies and restart the app.
Without CSPs the page loads normally.

How can I figure out which policy is missing?

Current CSP:

add_header Content-Security-Policy "connect-src 'self'; default-src 'none'; font-src 'self' data:; frame-src 'self' https://onlyoffice.exu.li; img-src 'self' data: https://* blob:; media-src 'self'; script-src-elem 'self' 'unsafe-inline' https://onlyoffice.exu.li; style-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self';";

pulsejet commented 2 weeks ago

Nextcloud sets CSP automatically. You don't need to set it like this.

exu-g commented 2 weeks ago

Thanks, I didn't know that.
I guess I always had some form of security policy with X-Frame-Options and later CSP active, so I never noticed.
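Both the question above (which directive is missing?) and pulsejet's reply (Nextcloud already sends its own CSP) come down to how a browser evaluates the policies it receives. The following is an added example written for this page, not code from the Memories project or from Nextcloud: it parses the nginx header quoted in the issue and reports which directive of which policy denies a given request. The page origin and the nginx header value are taken from the issue; APP_CSP, api.example.org and cdn.example.net are constructed stand-ins for illustration, and APP_CSP is not Nextcloud's actual policy. The script assumes Python 3 and uses only the standard library.

```python
"""Evaluate one or more Content-Security-Policy headers against a concrete request.
Added example, not code from the Memories project or Nextcloud. It follows the CSP Level 3
source-expression rules closely enough to answer "which directive denies this request?".
Simplifications: nonces, hashes and 'strict-dynamic' are never evaluated (they cannot match a
URL); path matching is prefix-only; data:/blob: URLs match only an explicit scheme-source."""
from urllib.parse import urlsplit

# When a policy lacks a fetch directive, the browser consults these in order.
FALLBACK = {
    "connect-src": ["default-src"], "img-src": ["default-src"], "font-src": ["default-src"],
    "media-src": ["default-src"], "manifest-src": ["default-src"], "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"], "style-src": ["default-src"],
    "script-src-attr": ["script-src", "default-src"], "child-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"], "style-src-attr": ["style-src", "default-src"],
    "frame-src": ["child-src", "default-src"], "worker-src": ["child-src", "script-src", "default-src"],
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def parse_csp(header):
    """'connect-src a b; img-src c' -> {'connect-src': ['a', 'b'], 'img-src': ['c']}; first copy wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)

def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # '*.example.com' matches subdomains, not the apex
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def _scheme_ok(url_scheme, page_scheme):  # no explicit scheme: inherit the page's; http may use https/wss
    return url_scheme == page_scheme or (page_scheme == "http" and url_scheme in ("https", "wss"))

def source_matches(expr, url, page_origin):
    """Does one source expression ('self', https:, *.example.com, ...) allow `url`?"""
    u, page, e = urlsplit(url), urlsplit(page_origin), expr.lower()
    if e.startswith("'"):  # keyword: only 'self' can match a URL
        return (e == "'self'" and u.hostname == page.hostname and _scheme_ok(u.scheme, page.scheme)
                and (_port(u) == _port(page) or (page.scheme == "http" and _port(u) == 443)))
    if e.endswith(":") and "/" not in e:  # scheme-source: https: data: blob:
        return u.scheme == e[:-1]
    scheme, _, rest = e.rpartition("://")  # host-source: [scheme://]host[:port][/path]
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme and u.scheme != scheme:
        return False
    if not scheme and not _scheme_ok(u.scheme, page.scheme):
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    if port and port != "*" and _port(u) != int(port):
        return False
    if not port and _port(u) != DEFAULT_PORTS.get(u.scheme):
        return False
    if slash:  # a path ending in '/' is a prefix, otherwise it must match exactly
        wanted = "/" + path
        return u.path.startswith(wanted) if wanted.endswith("/") else u.path == wanted
    return True

def effective_directive(policy, directive):
    """The directive that governs `directive` after fallback, or None if nothing restricts it."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None

def blocked_by(policies, directive, url, page_origin):
    """Every delivered policy is enforced on its own, so a request must satisfy all of them.
    Returns labels of the governing directives that deny it; an empty list means allowed."""
    denied = []
    for i, header in enumerate(policies):
        gov = effective_directive(parse_csp(header), directive)
        if gov and not any(source_matches(s, url, page_origin) for s in gov[1]):
            denied.append(f"policy[{i}] {gov[0]}")
    return denied

PAGE = "https://nextcloud.exu.li"  # page origin and the header value below are taken from the issue
NGINX_CSP = ("connect-src 'self'; default-src 'none'; font-src 'self' data:; "
             "frame-src 'self' https://onlyoffice.exu.li; img-src 'self' data: https://* blob:; "
             "media-src 'self'; script-src-elem 'self' 'unsafe-inline' https://onlyoffice.exu.li; "
             "style-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; "
             "worker-src 'self'; frame-ancestors 'self';")
# Constructed stand-in for a second, application-set header; NOT Nextcloud's real policy.
APP_CSP = "default-src 'self'; connect-src 'self' https://api.example.org; img-src 'self' data: blob:"

if __name__ == "__main__":
    for directive, url in [
        ("connect-src", "https://nextcloud.exu.li/index.php/apps/memories/api/days"),
        ("connect-src", "https://api.example.org/v1"),            # app allows, nginx denies
        ("img-src", "https://cdn.example.net/thumb.jpg"),         # nginx https://* allows, app denies
        ("manifest-src", "https://nextcloud.exu.li/manifest.json"),  # nginx falls back to default-src 'none'
        ("frame-src", "https://onlyoffice.exu.li/editor"),        # nginx allows, app falls back to default-src
    ]:
        denied = blocked_by([NGINX_CSP, APP_CSP], directive, url, PAGE)
        print(f"{directive:13} {url:58} {'allowed' if not denied else 'BLOCKED by ' + ', '.join(denied)}")
```

Two things the output makes visible. First, a directive that is absent from a policy is not unrestricted but falls back (connect-src and manifest-src to default-src, frame-src to child-src and then default-src), so with default-src 'none' every fetch type you forgot to list is denied. Second, when two Content-Security-Policy headers reach the browser, one from Nextcloud and one added by nginx, each is enforced separately and a request must pass both; a permissive application policy cannot loosen a stricter proxy policy, which is why stacking a hand-written header on top of the one Nextcloud already sends tends to break things rather than tighten them. In a browser the same answer comes from the console's violation message, or from a Content-Security-Policy-Report-Only header with a report-to or report-uri endpoint; the script is for reasoning about a header before deploying it.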