Unexpected authentication behavior when switching between DAV and OCS REST endpoints #12866
Comments
Does it work if you leave out the cookies in
Yes, it does. That's how I work around the issue currently. Sorry, I should have mentioned this in my original report.
then it is more or less expected behavior.
Also it is not recommended to use the password. If you use an apptoken instead it will also work with cookies enabled as the app token has priority over the cookies.
It might be expected, but is it intended? This seems like an unintended side-effect rather than something that would be designed to function this way, especially considering how inconsistent the results are.
Yes it is intended that there is a DAV exclusive session. So you have those options:
Thank you for the explanation. Should the OCS authentication layer possibly fall back to checking for credentials supplied via basic auth for password confirmation when needed? It would save time over having to submit another request if the user is already providing the password it's looking to confirm.
Is this documented somewhere? Would have saved me quite a bit of time had I seen it.
I have added this as optional functionality to my project and it works as expected. Thank you.
Not sure, but there's always room for improvement. ;-) If you see a good spot for it in either the Dev Manual or Admin Manual (https://docs.nextcloud.com) maybe you can trigger an addition (by either submitting a PR or opening an Issue with some preliminary language that would have helped you)?
Bug description
Howdy!
I'm running into some weird behavior when switching between DAV and OCS REST endpoints. After issuing a couple of DAV requests and then attempting to create a user via the OCS endpoint, I get "[403] Password confirmation is required". The session is created and all of the calls happen within a few seconds of each other, not 30 minutes later.
Here's the weird part: it only happens if I run two DAV operations back-to-back and then try to create the user.
Here is a minimal bash script using curl to reproduce the error:
I originally found this behavior by running two `PUT` requests against the DAV interface to upload files before creating a user, so this isn't limited to just `PROPFIND` operations.
Running `list_directory` only once followed by `create_user` behaves as expected.
Oddly, this variation succeeds for all three `create_user` calls:
but this one fails on the 2nd `create_user` call:
When I say "succeeds", I mean I get a `User already exists` message instead of a `Password confirmation required` message.
This affects every version of Nextcloud I have tried: 29, 30, 31, master.
Thanks in advance for your time and attention.
Steps to reproduce
See above
Expected behavior
See above.
Nextcloud Server version
master
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
No relevant logs generated.
Additional info
This behavior is also exhibited using python httpx and aiohttp libraries.
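
The workaround discussed in this thread (no cookies carried between the DAV and OCS calls, with an app token in place of the password), as an added example that is not part of the original issue or of Nextcloud's code. The class name, endpoint paths and credentials are assumptions; `list_directory` and `create_user` reuse the names from the report.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request


class StatelessNextcloudClient:
    """Authenticates every request itself and keeps no cookie jar, so a
    session cookie set by a DAV response is never replayed to OCS."""

    def __init__(self, base_url, user, app_token):
        self.base_url = base_url.rstrip("/")
        self.user = user
        raw = f"{user}:{app_token}".encode()
        self._auth = "Basic " + base64.b64encode(raw).decode()
        # build_opener() installs no HTTPCookieProcessor: Set-Cookie
        # headers in responses are ignored instead of stored.
        self._opener = urllib.request.build_opener()

    def _send(self, method, path, headers, data=None):
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", self._auth)
        for name, value in headers.items():
            req.add_header(name, value)
        try:
            with self._opener.open(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            # Surface e.g. the 403 "Password confirmation is required" reply.
            return err.code, err.read()

    def list_directory(self, folder=""):
        """PROPFIND on the user's DAV root (standard path, assumed here)."""
        path = f"/remote.php/dav/files/{urllib.parse.quote(self.user)}/{folder}"
        return self._send("PROPFIND", path, {"Depth": "1"})

    def create_user(self, userid, password):
        """POST to the OCS provisioning endpoint (standard path, assumed here)."""
        form = urllib.parse.urlencode({"userid": userid, "password": password})
        return self._send("POST", "/ocs/v1.php/cloud/users",
                          {"OCS-APIRequest": "true"}, form.encode())


if __name__ == "__main__":
    # Constructed placeholder values; point these at a test instance.
    nc = StatelessNextcloudClient("https://cloud.example.test", "admin", "APP-TOKEN-PLACEHOLDER")
    for call in (nc.list_directory, nc.list_directory):
        print(call()[0])
    print(nc.create_user("alice", "PLACEHOLDER-password")[0])
```
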