Hello,
I upgraded from OC 10.0.7 to OC 10.0.8. Since then, basic authentication seems not to be working as expected any more, nor does the app password function when OAuth2 is not supported by the client application.
Up to 10.0.7, the mobile application successfully exchanged data with OC, sending the basic auth info with every request.
OC 10.0.7 would respond with the content as requested PLUS an oc_sessionPassphrase.
Since 10.0.8, this oc_sessionPassphrase seems to be required for any content-call.
As an alternative, I set up an App password and used it together with my username. But I still cannot get Owncloud to respond with the data (I checked the basic auth header, it really contained the app password).
Any ideas on that? Is there a way to reestablish the basic auth behavior OC used to have?
Thanks a lot in advance.
Stefan
Steps to reproduce
- log on to the OC GUI using the username
- create an app password
- provide that app password in combination with the username used
- try to receive the notes
Expected behaviour
Owncloud should return the notes, since the app password should be enough
Actual behaviour
Owncloud responds with the oc_passphrase but does not return the content requested
Server configuration
Operating system:
Ubuntu 16.04 / Raspberry Jessie
Web server:
Apache2
Database:
MySQL
PHP version:
Ubuntu: PHP 7.0.30-0ubuntu0.16.04.1 (cli) ( NTS )
Raspberry: PHP 5.6.36-0+deb8u1 (cli) (built: Jun 26 2018 22:52:39)
ownCloud version: (see ownCloud admin page)
ownCloud 10.0.8 (stable)
Updated from an older ownCloud or fresh install:
updated from 10.0.7 (stable)
Where did you install ownCloud from:
Owncloud’s Ubuntu Repos
Signing status (ownCloud 9.0 and above):
don't know
Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.
The content of config/config.php:
Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.
or
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder
*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.
see https://gist.github.com/stefan-schilling/0902dd1507641850454f3b8730e78071
List of activated apps:
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.
Enabled:
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.3.2
- federatedfilesharing: 0.3.1
- federation: 0.1.0
- files: 1.5.1
- files_external: 0.7.1
- files_sharing: 0.10.1
- files_trashbin: 0.9.1
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- market: 0.2.4
- notes: 2.0.2
- notifications: 0.3.3
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- updatenotification: 0.2.1
Disabled:
- encryption
- external
- theme-example
- user_external
Are you using external storage, if yes which one: local/smb/sftp/…
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
no
Client configuration
Browser:
nextcloud-notes/0.16.1 (Android)
Operating system:
Android 7
Logs
Web server error log
nothing relevant here: HTTP Status code 200 is returned
ownCloud log (data/owncloud.log)
nothing reported
Wireshark log (1st call using Postman, requesting oc_passphrase)
GET /owncloud/index.php/apps/notes/api/v0.2/notes HTTP/1.1
Host: 192.168.178.30
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Cache-Control: no-cache
Authorization: Basic c3RlZmFuOkZPVVFXLVFDU0FVLVdPWkpLLU9URUxY
Postman-Token: 5b1baeff-b2c7-2c6d-5996-8bff0e615f68
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
HTTP/1.1 200 OK
Date: Tue, 03 Jul 2018 16:02:17 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: octta7j2xedi=7koualce3qu7t0783src2ntb85; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=ib7g76I67gCd2qd%2BcW616H%2BFFqS1uLFZUjPN6li0ylquK9XzNqlyp40atKAPZGCGelps2LXvC3SCUOEy97T2JRceqqctD1N6VJQeICyyA32oU2SEF02DOBKZC3E2Qmuk; path=/owncloud; HttpOnly
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Set-Cookie: octta7j2xedi=bklalbi2kpat9s7senlf186583; path=/owncloud; HttpOnly
Content-Length: 2
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
[]
Wireshark log (2nd call using Postman, content being returned)
GET /owncloud/ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.1
Host: 192.168.178.30
Connection: keep-alive
Accept: */*
requesttoken: MxwLEGZCEwtBbgECAlNELxUQfiJxDBI+ISEXODI5SyE=:IZlzIuTb68kcP+wEgJIh44+jwn8AXZreLRu2gV6smoo=
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.41
OCS-APIREQUEST: true
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: oc_sessionPassphrase=RKCX796HGL%2B7Vlb6vugdc9xvuKYNHReg3pivBH%2Bixw7o1V3p0%2FbFI%2Bhoa83PnA4hEQ4Ca51iZUV%2FY4EGLqPomWSnU%2BA3EMYU3vCyAGjfXEDLITL80jZMq6J7Gb%2FEAWte; ocygaynly7kz=4mqj0b34fopg988iv5ufd969i7; octta7j2xedi=kidjhnq79bmk85uffvct2dqp94
If-None-Match: d751713988987e9331980363e24189ce
HTTP/1.1 200 OK
Date: Tue, 03 Jul 2018 16:02:17 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
ETag: d751713988987e9331980363e24189ce
Content-Length: 108
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
{"ocs":{"meta":{"status":"ok","statuscode":200,"message":null,"totalitems":"","itemsperpage":""},"data":[]}}
Wireshark log (call using Notes app with the app password, no subsequent call expected / done)
GET /owncloud/index.php/apps/notes/api/v0.2/notes HTTP/1.1
Authorization: Basic c3RlZmFuOkZPVVFXLVFDU0FVLVdPWkpLLU9URUxY
Connection: Close
User-Agent: nextcloud-notes/0.16.1 (Android)
Host: 192.168.178.30
Accept-Encoding: gzip
HTTP/1.1 200 OK
Date: Tue, 03 Jul 2018 15:28:26 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: octta7j2xedi=liro6097oh7m73rfbp270pfef6; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=mTxRhQGrsiTO0CSsjvAqodoiZ5AVFdWwjLgiu9GNtWi7uUwN13O5es%2BaAMOcI48hi83g5ZIuWqCZ4L%2FtCtZl3zUGSRSzDEHDsF%2FWYiPjw%2FEOubYH7oQnHKhoYBFw00qU; path=/owncloud; HttpOnly
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Set-Cookie: octta7j2xedi=ub07anli5r9q8p4s54d8ioo4v4; path=/owncloud; HttpOnly
Content-Length: 2
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Connection: close
Content-Type: application/json; charset=utf-8
[]
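The following is an added example and is not part of the original issue nor ownCloud's own code. It is a small Python helper for checking a capture like the ones above: does the request carry Basic credentials, does the response set a new oc_sessionPassphrase cookie while returning an empty JSON body (the symptom described in the report), and it masks credential-bearing headers before such a capture is posted. A Basic Authorization header is only base64-encoded, so a capture that includes it exposes the username and password or app password in clear; the template's warning about posting credentials applies to these traces too. The sample request and response below are constructed, and the credential in them is made up.

```python
import base64
import re

# Constructed sample exchange modelled on the captures in the issue.
# The credential is invented (user "alice", a made-up app-password-shaped token).
FAKE_CREDENTIAL_B64 = base64.b64encode(b"alice:AAAAA-BBBBB-CCCCC-DDDDD").decode()

SAMPLE_REQUEST = (
    "GET /owncloud/index.php/apps/notes/api/v0.2/notes HTTP/1.1\r\n"
    "Host: 192.168.178.30\r\n"
    "Authorization: Basic " + FAKE_CREDENTIAL_B64 + "\r\n"
    "User-Agent: nextcloud-notes/0.16.1 (Android)\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: octta7j2xedi=liro6097oh7m73rfbp270pfef6; path=/owncloud; HttpOnly\r\n"
    "Set-Cookie: oc_sessionPassphrase=MADEUPVALUE; path=/owncloud; HttpOnly\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "[]"
)


def parse_http(raw):
    """Split a raw HTTP/1.1 message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def basic_auth_user(headers):
    """Return the username from a Basic Authorization header, or None.
    The password part is decoded but deliberately discarded."""
    for name, value in headers:
        if name.lower() == "authorization" and value.lower().startswith("basic "):
            decoded = base64.b64decode(value[6:]).decode("utf-8", "replace")
            user, _, _ = decoded.partition(":")
            return user
    return None


def cookies_set(headers):
    """Names of cookies the response sets, in order."""
    return [v.split("=", 1)[0] for n, v in headers if n.lower() == "set-cookie"]


def diagnose(request_raw, response_raw):
    """Classify one exchange: credentials sent, status, new session passphrase, empty body."""
    _, req_headers, _ = parse_http(request_raw)
    status_line, resp_headers, body = parse_http(response_raw)
    return {
        "basic_auth_user": basic_auth_user(req_headers),
        "status": status_line.split(" ")[1],
        "new_session_passphrase": "oc_sessionPassphrase" in cookies_set(resp_headers),
        "empty_json_body": body.strip() in ("", "[]", "{}"),
    }


def redact(raw):
    """Return the capture with credential-bearing header values masked.
    Header names and cookie names are kept so the trace stays readable."""
    start, headers, body = parse_http(raw)
    out = [start]
    for name, value in headers:
        lname = name.lower()
        if lname == "authorization":
            value = value.split(" ", 1)[0] + " [REDACTED]"
        elif lname == "cookie":
            pairs = [p.strip().split("=", 1)[0] + "=[REDACTED]" for p in value.split(";")]
            value = "; ".join(pairs)
        elif lname == "set-cookie":
            # mask only the cookie value, keep attributes such as path and HttpOnly
            value = re.sub(r"^([^=]+)=[^;]*", r"\1=[REDACTED]", value)
        elif lname in ("requesttoken", "postman-token"):
            value = "[REDACTED]"
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(diagnose(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(redact(SAMPLE_REQUEST))
    print(redact(SAMPLE_RESPONSE))
```

Running diagnose() on the constructed pair reports the pattern from the third capture in the report: Basic credentials present, HTTP 200, a fresh oc_sessionPassphrase set, and an empty JSON body. Run redact() over a trace before pasting it into a public issue.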