OCS Create Share API Fails with "CSRF check failed"

Firstly I have done the CSRF Check Failed search on the forum - the results do not seem to match my problem.
We have 2 OCS installations.
#1 Windows running WSL Ubuntu 20.04
#2 Linux native Ubuntu 20.04
Both installations are working correctly. We can sign in to the console, create and share files and folders and the ownCloud client is successfully connecting and sharing files.

The next step of our project is to be able to dynamically share existing folders with users. In other words, in response to an external event we want to either share a specific folder under one account with another user (or remove that share).

For this we are looking at the OCS API and specifically the Create Share Endpoint (OCS Share API :: ownCloud Documentation)

As a test we first called the capabilities API (OCS Rest API :: ownCloud Documentation)

For our tests we are using Postman.

The capabilities call works fine and we get back a JSON structure defining the available capabilities on the server.

However, when we call the Create Share API we get this:
<?xml version="1.0"?>
<ocs>
<meta>
<status>failure</status>
<statuscode>996</statuscode>
<message>CSRF check failed</message>
<totalitems></totalitems>
<itemsperpage></itemsperpage>
</meta>
<data/>
</ocs>

We have tried various work-arounds (putting the OCS-APIRequest: true header in the request), different parameter values - same result.

In addition to Postman we have tried cURL and a PHP script with Guzzle as per the script example on the Create Share page - all return the same result.

Both installations are using 10.7

I did come across this link (http://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/) - just wondering if this fix did not perhaps cause something in the API to break - or introduce an additional requirement not in the docs.

I assume this is related to your server(s) and/or networking environment. Maybe you could post some (failing) examples?

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
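
One way to prepare the failing example requested in the reply, added here and not taken from either post: the script builds the Create Share request, renders it with credentials masked so it can be pasted into a thread, and extracts the status fields from the OCS XML response. The endpoint path and the `path`, `shareType` and `shareWith` parameters are assumed from ownCloud's OCS Share API documentation; the host, user and folder names are constructed.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: endpoint path as given in the ownCloud OCS Share API documentation.
SHARES_PATH = "/ocs/v1.php/apps/files_sharing/api/v1/shares"

# Response body from the post above, reduced to the <meta> fields that matter.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<ocs><meta><status>failure</status><statuscode>996</statuscode>
<message>CSRF check failed</message></meta><data/></ocs>"""

def build_create_share(base_url, user, password, path, share_with, share_type=0):
    """Build (without sending) the Create Share POST using Basic auth."""
    body = urllib.parse.urlencode(
        {"path": path, "shareType": share_type, "shareWith": share_with}
    ).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Authorization": "Basic " + token,
        "OCS-APIRequest": "true",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    url = base_url.rstrip("/") + SHARES_PATH
    return urllib.request.Request(url, data=body, method="POST", headers=headers)

def redacted_dump(req):
    """Render the request as text for a bug report, masking secrets."""
    lines = [f"{req.get_method()} {req.full_url}"]
    # urllib normalises header names (e.g. "Ocs-apirequest"); HTTP treats
    # header names as case-insensitive, so the request is unchanged.
    for name, value in sorted(req.header_items()):
        if name.lower() in ("authorization", "cookie"):
            value = "<redacted>"
        lines.append(f"{name}: {value}")
    return "\n".join(lines + ["", req.data.decode()])

def parse_ocs_meta(xml_text):
    """Return (status, statuscode, message) from an OCS XML envelope."""
    meta = ET.fromstring(xml_text.strip()).find("meta")
    return (meta.findtext("status"), int(meta.findtext("statuscode")),
            meta.findtext("message"))

if __name__ == "__main__":
    # Constructed values: replace with the real server, account and folder.
    req = build_create_share("https://cloud.example.test", "alice", "s3cret",
                             "/Projects", "bob")
    print(redacted_dump(req))
    print(parse_ocs_meta(SAMPLE_RESPONSE))
```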