Owncloud 10.0.8: Basic Authentication not working for Mobile Apps (Nextcloud Notes)?


#1

Hello,

I upgraded from OC 10.0.7 to OC 10.0.8. Since then, basic authentication seems not to be working as expected any more - nor does the app password function, when OAuth2 is not supported by the client application.
Up to 10.0.7, the mobile application successfully exchanged data with OC, sending the basic auth info with every request.
OC 10.0.7 would respond with the content as requested PLUS an oc_sessionPassphrase.
Since 10.0.8, this oc_sessionPassphrase seems to be required for any content-call.

As an alternative, I set up an App password and used it together with my username. But I still cannot get Owncloud to respond with the data (I checked the basic auth header, it really contained the app password).

Any ideas on that? Is there a way to reestablish the basic auth behavior OC used to have?

Thanks a lot in advance.
Stefan

Steps to reproduce

  1. log on to the OC GUI using the username
  2. create an app password
  3. provide that app password in combination with the username used
  4. try to receive the notes

Expected behaviour

Owncloud should return the notes, since the app password should be enough

Actual behaviour

Owncloud responds with the oc_passphrase but does not return the content requested

Server configuration

Operating system:
Ubuntu 16.04 / Raspberry Jessie

Web server:
Apache2

Database:
MySQL

PHP version:
Ubuntu: PHP 7.0.30-0ubuntu0.16.04.1 (cli) ( NTS )
Raspberry: PHP 5.6.36-0+deb8u1 (cli) (built: Jun 26 2018 22:52:39)

ownCloud version: (see ownCloud admin page)
ownCloud 10.0.8 (stable)

Updated from an older ownCloud or fresh install:
updated from 10.0.7 (stable)

Where did you install ownCloud from:
Owncloud’s Ubuntu Repos

Signing status (ownCloud 9.0 and above):
don't know

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

see https://gist.github.com/stefan-schilling/0902dd1507641850454f3b8730e78071

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Enabled:

  • comments: 0.3.0
  • configreport: 0.1.1
  • dav: 0.3.2
  • federatedfilesharing: 0.3.1
  • federation: 0.1.0
  • files: 1.5.1
  • files_external: 0.7.1
  • files_sharing: 0.10.1
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • market: 0.2.4
  • notes: 2.0.2
  • notifications: 0.3.3
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • updatenotification: 0.2.1
Disabled:
  • encryption
  • external
  • theme-example
  • user_external

Are you using external storage, if yes which one: local/smb/sftp/…
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
no

Client configuration

Browser:
nextcloud-notes/0.16.1 (Android)

Operating system:
Android 7

Logs

Web server error log

nothing relevant here: HTTP Status code 200 is returned

ownCloud log (data/owncloud.log)

nothing reported

Wireshark log (1st call using Postman, requesting oc_passphrase)

GET /owncloud/index.php/apps/notes/api/v0.2/notes HTTP/1.1
Host: 192.168.178.30
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Cache-Control: no-cache
Authorization: Basic c3RlZmFuOkZPVVFXLVFDU0FVLVdPWkpLLU9URUxY
Postman-Token: 5b1baeff-b2c7-2c6d-5996-8bff0e615f68
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7

HTTP/1.1 200 OK
Date: Tue, 03 Jul 2018 16:02:17 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: octta7j2xedi=7koualce3qu7t0783src2ntb85; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=ib7g76I67gCd2qd%2BcW616H%2BFFqS1uLFZUjPN6li0ylquK9XzNqlyp40atKAPZGCGelps2LXvC3SCUOEy97T2JRceqqctD1N6VJQeICyyA32oU2SEF02DOBKZC3E2Qmuk; path=/owncloud; HttpOnly
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Set-Cookie: octta7j2xedi=bklalbi2kpat9s7senlf186583; path=/owncloud; HttpOnly
Content-Length: 2
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

[]

Wireshark log (2nd call using Postman, content being returned)

GET /owncloud/ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.1
Host: 192.168.178.30
Connection: keep-alive
Accept: */*
requesttoken: MxwLEGZCEwtBbgECAlNELxUQfiJxDBI+ISEXODI5SyE=:IZlzIuTb68kcP+wEgJIh44+jwn8AXZreLRu2gV6smoo=
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.41
OCS-APIREQUEST: true
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: oc_sessionPassphrase=RKCX796HGL%2B7Vlb6vugdc9xvuKYNHReg3pivBH%2Bixw7o1V3p0%2FbFI%2Bhoa83PnA4hEQ4Ca51iZUV%2FY4EGLqPomWSnU%2BA3EMYU3vCyAGjfXEDLITL80jZMq6J7Gb%2FEAWte; ocygaynly7kz=4mqj0b34fopg988iv5ufd969i7; octta7j2xedi=kidjhnq79bmk85uffvct2dqp94
If-None-Match: d751713988987e9331980363e24189ce

HTTP/1.1 200 OK
Date: Tue, 03 Jul 2018 16:02:17 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
ETag: d751713988987e9331980363e24189ce
Content-Length: 108
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

{"ocs":{"meta":{"status":"ok","statuscode":200,"message":null,"totalitems":"","itemsperpage":""},"data":[]}}

Wireshark log (call using Notes app with the app password, no subsequent call expected / done)

GET /owncloud/index.php/apps/notes/api/v0.2/notes HTTP/1.1
Authorization: Basic c3RlZmFuOkZPVVFXLVFDU0FVLVdPWkpLLU9URUxY
Connection: Close
User-Agent: nextcloud-notes/0.16.1 (Android)
Host: 192.168.178.30
Accept-Encoding: gzip

HTTP/1.1 200 OK
Date: Tue, 03 Jul 2018 15:28:26 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: octta7j2xedi=liro6097oh7m73rfbp270pfef6; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=mTxRhQGrsiTO0CSsjvAqodoiZ5AVFdWwjLgiu9GNtWi7uUwN13O5es%2BaAMOcI48hi83g5ZIuWqCZ4L%2FtCtZl3zUGSRSzDEHDsF%2FWYiPjw%2FEOubYH7oQnHKhoYBFw00qU; path=/owncloud; HttpOnly
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Set-Cookie: octta7j2xedi=ub07anli5r9q8p4s54d8ioo4v4; path=/owncloud; HttpOnly
Content-Length: 2
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Connection: close
Content-Type: application/json; charset=utf-8

[]
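Added here as a diagnostic illustration, not code from the report or from ownCloud: it parses captures shaped like the ones above, flags the first-call symptom (Basic auth sent, 200 with an empty body, fresh oc_sessionPassphrase set) and builds the follow-up request a cookie-aware client would send. The sample messages, host name and credential are constructed placeholders.

```python
import base64

# Constructed sample capture, modelled on the first Postman exchange in the report.
# Placeholder credential and cookie values, not the ones posted above.
FAKE_BASIC = base64.b64encode(b"user:app-password-placeholder").decode()
FIRST_REQUEST = (
    "GET /owncloud/index.php/apps/notes/api/v0.2/notes HTTP/1.1\r\n"
    "Host: cloud.example\r\n"
    f"Authorization: Basic {FAKE_BASIC}\r\n\r\n"
)
FIRST_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: octta7j2xedi=sessionid-placeholder; path=/owncloud; HttpOnly\r\n"
    "Set-Cookie: oc_sessionPassphrase=passphrase-placeholder; path=/owncloud; HttpOnly\r\n"
    "Content-Length: 2\r\n"
    "Content-Type: application/json; charset=utf-8\r\n\r\n[]"
)

def parse_http(raw: str) -> tuple[str, list[tuple[str, str]], str]:
    """Split a raw HTTP message into start line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
    return start, headers, body

def session_cookies(response: str) -> dict[str, str]:
    """Collect name=value from every Set-Cookie header, dropping the attributes."""
    jar: dict[str, str] = {}
    for name, value in parse_http(response)[1]:
        if name.lower() == "set-cookie":
            key, _, val = value.split(";", 1)[0].partition("=")
            jar[key.strip()] = val.strip()
    return jar

def retry_request(request: str, response: str) -> str:
    """Rebuild the request with a Cookie header carrying what the server just set."""
    start, headers, body = parse_http(request)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() != "cookie"]
    kept.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in session_cookies(response).items()))
    return start + "\r\n" + "\r\n".join(kept) + "\r\n\r\n" + body

def needs_session_retry(request: str, response: str) -> bool:
    """The symptom in the report: Basic auth sent, no passphrase cookie sent, 200 with "[]",
    fresh oc_sessionPassphrase set. "[]" is also an empty account, so confirm via the retry."""
    req = {n.lower(): v for n, v in parse_http(request)[1]}
    status, _, body = parse_http(response)
    return (req.get("authorization", "").startswith("Basic ")
            and "oc_sessionPassphrase" not in req.get("cookie", "")
            and "oc_sessionPassphrase" in session_cookies(response)
            and " 200 " in status and body.strip() == "[]")
```

Running `needs_session_retry` on the first exchange and then on `retry_request(...)` separates "the server wants its session cookie back" from "this account simply has no notes".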

#2

There is already a bug report for this:

But thanks for the information that the bug came up after 10.0.7. So I’ll downgrade to this version first.


#3

Hello Alfred,
thanks for your reply.
No, I don’t think that this is a dup.
Matthias talks about the Notes app saving contents to the wrong space and cannot retrieve it afterwards.
That is not the case on my side.
Please have a look at the Wireshark logs provided, especially the 2 concerning the Postman call.
OC does not return contents on the first call, but every consecutive call returns the contents, as long as the oc_passphrase is part of the header.

That’s something completely different.

Stefan


#4

Hey, if something changes between versions of a software I always had the best luck trying the bugtrackers of the software rather than a user support forum like this one.

I just scrolled through some lists on the ownCloud bugtracker and stumbled over the following issue below, could it be possible that this is the one @alfredb is trying to point you at?


#5

Hey Tom,

you’re right, this looks like my problem.
Actually, I searched for something alike, but I used terms such as “app password” “OAuth2” and/or “(Nextcloud) Notes”.

But thank you, I would like to link it to the one given by you … I just hope it’s alright as it is now.

Have a good day.

Stefan


#6

Hey, I think I also just had “luck” finding the issue. :slightly_smiling_face:

I haven’t used any search terms and just opened https://github.com/owncloud/core/issues and saw that issue in the overview. Every search term I can think of probably would not have led me to the issue.


#7

This issue has been fixed in 2.0.4 - https://github.com/owncloud/notes/releases/tag/v2.0.4