digital-blueprint / webapppassword Goto Github PK

Explain the Problem

i have problem with using share api . doument tells we should use /apps/webapppassword/api/v1/shares instead /ocs/v2.php/apps/files_sharing/api/v1/shares as far as i found out. when i use /apps/webapppassword/api/v1/shares OPTIONS request is ok but i got cors error on request itself (POST) and when i use /ocs/v2.php/apps/files_sharing/api/v1/shares i get method not allowed error on OPTIONS request.
currently im using webapppassword and i have no problem with webdav apis
im using these apis in same project . how to call share apis without cors error

Steps to Reproduce

this is my axios call

      const response = await axios.post(
          'http://nc.develop/apps/webapppassword/api/v1/shares',
          {
            path: 'welcome.txt',
            shareType: 0, // 3 represents "user" share type, change it based on your requirements
            shareWith: 'sina',
            permissions: 19,
            password: "admin",
            attributes:""
          },
          {
            headers:{
              "Authorization": "Bearer "+localStorage.getItem("access_token"),
              "authorization": "Bearer "+localStorage.getItem("access_token"),
            }
          }
      );

      console.log('Share created:', response.data);
    } catch (error) {
      console.error('Error creating share:', error.message);
    }

System Information

• WebAppPassword app version: 23.6.0
• Nextcloud version: 26.0.3
• PHP version: 8.1.2

Contents of nextcloud/data/nextcloud.log

nothing adds in log

Contents of Browser Error Console

Access to XMLHttpRequest at 'http://nextcloud_proxy_backend.develop/apps/webapppassword/api/v1/shares' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Explain the Problem

There is a related issue with pretty much the exact same problem, but it was last active a year ago, so I figured I open a new one. The files sharing API seems to be broken in Nextcloud Version 28 and 29 and throws CORS errors. Authorized file access is not affected and works as intended.

The files sharing API works fine in my local 26 version and it used to work in our production environment until we upgraded to v28. I'm not 100% sure however if our live Nextcloud was upgraded over time or all at once to v28 at some point, so there's a slight chance the breaking change might have been introduced in v27 instead.

Steps to Reproduce

I used the test suite that @aleixq has provided in the related issue about CORS errors in files sharing (https://gitlab.com/communia/nc-webapppassword-share-test).
I created the required test file and added the origin to both webdav access and files sharing in the settings.
The webdav access outputs directory metadata, the share test fails. The other 2 cases fail as expected.
In my local environment with NC 26, the share test passes.

Contents of nextcloud/data/nextcloud.log

{
"reqId":"IX66HIjeyKVHhi4y9ff7",
"level":3,"time":"2024-06-12T09:45:25+00:00",
"remoteAddr":"172.17.0.1",
"user":"--",
"app":"index",
"method":"OPTIONS",
"url":"/index.php/apps/webapppassword/api/v1/shares",
"message":"Cannot assign null to property OCA\\Files_Sharing\\Controller\\ShareAPIController::$currentUser of type string",
"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
"version":"29.0.1.1",
"exception":{"Exception":"TypeError","Message":"Cannot assign null to property OCA\\Files_Sharing\\Controller\\ShareAPIController::$currentUser of type string","Code":0,"Trace":[{"function":"__construct","class":"OCA\\Files_Sharing\\Controller\\ShareAPIController","type":"->","args":["webapppassword",["OC\\AppFramework\\Http\\Request"],["OC\\Share20\\Manager"],["OC\\Group\\Manager"],["OC\\User\\Manager"],["OC\\Files\\Node\\LazyRoot"],["OC\\URLGenerator",["OC\\User\\Session"]],["OC\\L10N\\LazyL10N"],["OC\\AllConfig"],["OC\\App\\AppManager"],["OC\\AppFramework\\DependencyInjection\\DIContainer"],["OC\\UserStatus\\Manager"],["OC\\PreviewManager"],["OC\\DateTimeZone"],["OC\\AppFramework\\ScopedPsrLogger"],null]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":83,"function":"newInstanceArgs","class":"ReflectionClass","type":"->","args":[["webapppassword",["OC\\AppFramework\\Http\\Request"],["OC\\Share20\\Manager"],["OC\\Group\\Manager"],["OC\\User\\Manager"],"And 11 more entries, set log level to debug to see all entries"]]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":128,"function":"buildClass","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":[["ReflectionClass","OCA\\WebAppPassword\\Controller\\ShareAPIController"]]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":146,"function":"resolve","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["OCA\\WebAppPassword\\Controller\\ShareAPIController"]},{"file":"/var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":470,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["OCA\\WebAppPassword\\Controller\\ShareAPIController"]},{"file":"/var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":442,"function":"queryNoFallback","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->","args":["OCA\\WebAppPassword\\Controller\\ShareAPIController"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":163,"function":"query","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->","args":["OCA\\WebAppPassword\\Controller\\ShareAPIController"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":338,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\WebAppPassword\\Controller\\ShareAPIController","preflightedCors",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["webapppassword.shareapi.preflighted_cors"]]},{"file":"/var/www/html/lib/base.php","line":1050,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/webapppassword/api/v1/shares"]},{"file":"/var/www/html/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/apps/files_sharing/lib/Controller/ShareAPIController.php","Line":124,"message":"Cannot assign null to property OCA\\Files_Sharing\\Controller\\ShareAPIController::$currentUser of type string","exception":{},"CustomMessage":"Cannot assign null to property OCA\\Files_Sharing\\Controller\\ShareAPIController::$currentUser of type string"}}

Could you guys please check if this is reproducible on your end?

Thanks,
Dan

Explain the Problem

What problem did you encounter?
The log runs full with this message:
/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.

Steps to Reproduce

Explain what you did to encounter the issue

1. Install/ having installed webapppassword in nextcloud instance
2. Just look into the log of nextcloud instance with an admin account

System Information

• WebAppPassword app version: 23.12.0
• Nextcloud version: 28.0.1
• Cron type: Cron
• PHP version: 8.1.2
• Database and version: MariadB v20.6
• Browser and version: Firefox v120.0.1
• Distribution and version: Ubuntu 22.04 LTS

Contents of nextcloud/data/nextcloud.log

{"reqId":"qi8FChlGBRXpX15Q21m8","level":0,"time":"2023-12-27T13:31:03+00:00","remoteAddr":"","user":"--","app":"webapppassword","method":"","url":"--","message":"/appinfo/app.php is dep
recated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"--","version":"28.0.1.1","data":{"app":"webapppassword"}}

Contents of Browser Error Console

No need.

Once again as in #1 and #64 I think that search endpoint will be useful outside nextcloud. It uses this route:

/core/search provided by search controller
Otherwise is not possible to search from outside origin.

I want to use https://diffuse.sh to listen to music stored in my Nextcloud.

WebAppPassword is configured to allow diffuse.sh as an origin. But still the following error is shown in the browser:

Access to fetch at 'https://.../remote.php/dav/files/florian/Music/The%20Beatles/Live%20at%20the%20BBC/1-01%20Beatles%20Greetings%20(Spoken%20Word)%20%5BLive%20at%20the%20BBC%20For%20_The%20Public%20Ear_%203rd%20November%2C%201963%5D.m4a' from origin 'https://diffuse.sh' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

Hi,

when creating shares of existing files with your app, the requests will get rejected if the password does not conform to the corresponding NextCloud's password policy. In my case, I don't get an error message, the fetch just fails without any additional info.

It would be cool if you could integrate a route (e. g. /apps/webapppassword/api/v1/shares/validate-password) that queries the internal password_policy app's /validate endpoint and return that result. I used to do this in my internal Nextcloud app as well.

Here is an example request that I would send from a third-party website:

const result = await fetch(`${this.server}/index.php/apps/webapppassword/api/v1/shares/validate-password`, {
	method: 'POST',
	headers: {
		Authorization: `Bearer ${webAppPasswordToken}`,
		'Content-Type': 'application/json',
		'OCS-APIRequest': 'true',
	},
	body: JSON.stringify({ password: 'Taco' }),
})

Here is what I used to send in a Nextcloud app:

const result = await fetch(`${generateOcsUrl('apps/password_policy/api/v1/validate')}`, {
	method: 'POST',
	body: JSON.stringify({ password: 'Taco' }),
})

And the result would be something like this:

{
    "meta": {
        "status": "ok",
        "statuscode": 200,
        "message": "OK"
    },
    "data": {
        "passed": false,
        "reason": "Password is among the 1,000,000 most common ones. Please make it unique. Password needs to be at least 10 characters long. Password is present in compromised password list. Please choose a different password."
    }
}

Would that be possible?

Best regards,
Daniel

(migrated this issue from gitlab)

• User A logs into NC
• User B in the same session uses a file picker which depends on webapppassword
• User B gets access to files of A and is confused (not a security issue, every normal browser access would be possible)

Should we somehow give a (optional) username/loginName to WebAppPassword and if that doesn't match the current user then force a re-login?

Is that possible?

Explain the Problem

I'm trying to access a public WebDAV share as described in https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html#accessing-public-shares-over-webdav.

Steps to Reproduce

1. Add origins using web interface: http://localhost:15755,http://localhost:15755/
2. Make fetch request with hash of share as username:

fetch("https://nx904.your-storageshare.de/public.php/webdav/", {
  "headers": {
    "accept": "application/xml,text/xml",
    "authorization": "Basic cEZBOFBUd0NtSnlTVERqOg==",
    "content-type": "application/xml;charset=UTF-8",
    "depth": "1",
    "sec-ch-ua": "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\"",
    "sec-ch-ua-mobile": "?0"
  },
  "referrer": "http://localhost:15755/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "<d:propfind xmlns:d='DAV:'>\n\t\t\t<d:prop>\n\t\t\t\t<d:displayname/>\n\t\t\t\t<d:resourcetype/>\n\t\t\t\t<d:getcontentlength/>\n\t\t\t\t<d:getcontenttype/>\n\t\t\t\t<d:getetag/>\n\t\t\t\t<d:getlastmodified/>\n\t\t\t</d:prop>\n\t\t</d:propfind>",
  "method": "PROPFIND",
  "mode": "cors",
  "credentials": "include"
});

3. The request fails due to CORS:

Access to fetch at 'https://nx904.your-storageshare.de/public.php/webdav/' from origin 'http://localhost:15755' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
wasm_exec.js:399 PROPFIND https://nx904.your-storageshare.de/public.php/webdav/ net::ERR_FAILED

It works using plain curl:

$ curl 'https://nx904.your-storageshare.de/public.php/webdav/' \
>   -X 'PROPFIND' \
>   -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"' \
>   -H 'sec-ch-ua-mobile: ?0' \
>   -H 'authorization: Basic cEZBOFBUd0NtSnlTVERqOg==' \
>   -H 'content-type: application/xml;charset=UTF-8' \
>   -H 'accept: application/xml,text/xml' \
>   -H 'Referer: http://localhost:15755/' \
>   -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36' \
>   -H 'depth: 1' \
>   --data-raw $'<d:propfind xmlns:d=\'DAV:\'>\n\u0009\u0009\u0009<d:prop>\n\u0009\u0009\u0009\u0009<d:displayname/>\n\u0009\u0009\u0009\u0009<d:resourcetype/>\n\u0009\u0009\u0009\u0009<d:getcontentlength/>\n\u0009\u0009\u0009\u0009<d:getcontenttype/>\n\u0009\u0009\u0009\u0009<d:getetag/>\n\u0009\u0009\u0009\u0009<d:getlastmodified/>\n\u0009\u0009\u0009</d:prop>\n\u0009\u0009</d:propfind>' \
>   --compressed
<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns"><d:response><d:href>/public.php/webdav/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype><d:getetag>&quot;608923d732f31&quot;</d:getetag><d:getlastmodified>Wed, 28 Apr 2021 08:59:03 GMT</d:getlastmodified></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:displayname/><d:getcontentlength/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/public.php/webdav/2021/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype><d:getetag>&quot;608923d732f31&quot;</d:getetag><d:getlastmodified>Wed, 28 Apr 2021 08:59:03 GMT</d:getlastmodified></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:displayname/><d:getcontentlength/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response></d:multistatus>

System Information

• WebAppPassword app version: 21.3.0
• Nextcloud version: 20.0.9
• Cron type: / (Hosted by Hetzner)
• PHP version: / (Hosted by Hetzner)
• Database and version: / (Hosted by Hetzner)
• Browser and version: Chrome 90, Firefox 88
• Distribution and version: Fedora Linux 34

Contents of nextcloud/data/nextcloud.log

Paste output here

(No access to logs, hosted by Hetzner)

Contents of Browser Error Console

Read http://ggnome.com/wiki/Using_The_Browser_Error_Console if you are unsure what to put here

Access to fetch at 'https://nx904.your-storageshare.de/public.php/webdav/' from origin 'http://localhost:15755' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
wasm_exec.js:399 PROPFIND https://nx904.your-storageshare.de/public.php/webdav/ net::ERR_FAILED

Hi, hoping documentation for the app can be clarified on security implications in using this app as mentioned on this thread. Thanks!

Related to #3 php8 was introduced in v21. 7.x will continue to be supported for now

It would be great to update the app for Nextcloud 29 before it is released.

We just had one user adding https://foo.bar.org/ into the config, which didn't work because of the trailing slash and the origin being https://foo.bar.org.

We should either:

• Validate the input somehow and show an error to the user, to make sure the origins are all in the correct format
• Or allow this specific case and strip trailing slashes

(I kinda prefer (1) because it covers more cases)

Somewhat related, I wonder if we support explicit ports like http://foo.bar.org:80 in that case ?

It would be great if common password managers would not fill out the admin form.

It would be nice to allow setting a friendlier name than the url + the user agent. This could be accomplished by adding an optional query param (for example session-name) and modifying this line to use that instead. I suppose there is a slight security issue if a malicious site were to try and imitate another site though. To remedy that I would suggest just prefixing the custom session name with App Password: or something. I would be willing to make a PR if you would accept it.

Explain the Problem

What problem did you encounter?
Error 500 when making api call for index.php/apps/ webapppassword/core/preview

Steps to Reproduce

Explain what you did to encounter the issue

1. api call using fetch with GET method in javascript using the following endpoint and parameters: 'index.php/apps/webapppassword/core/preview?fileId=###;

System Information

• WebAppPassword app version: 24.1.0
• Nextcloud version: 27.1.2
• Cron type: local
• PHP version: 8.2.11
• Database and version: mysql v11.2.2
• Browser and version: firefox 118.0.1
• Distribution and version: Client: Ubuntu Budgie 23.10, Server: Debian 12

Contents of nextcloud/data/nextcloud.log

	OC\AppFramework\Utility\QueryNotFoundException: Could not resolve OCA\WebAppPassword\Controller\PreviewController! Class "OCA\WebAppPassword\Controller\PreviewController" does not exist

    /var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php - line 142:

    OC\AppFramework\Utility\SimpleContainer->resolve("OCA\\WebApp ... r")

    /var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php - line 494:

    OC\AppFramework\Utility\SimpleContainer->query("OCA\\WebApp ... r")

    /var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php - line 466:

    OC\AppFramework\DependencyInjection\DIContainer->queryNoFallback("OCA\\WebApp ... r")

    /var/www/html/lib/private/AppFramework/App.php - line 162:

    OC\AppFramework\DependencyInjection\DIContainer->query("OCA\\WebApp ... r")

    /var/www/html/lib/private/Route/Router.php - line 315:

    OC\AppFramework\App::main("OCA\\WebApp ... r", "preflightedCors", [ "OC\\AppFr ... "], [ "webapppas ... "])

    /var/www/html/lib/base.php - line 1068:

    OC\Route\Router->match("/apps/webap ... w")

    /var/www/html/index.php - line 36:

    OC::handleRequest()

Contents of Browser Error Console

Read http://ggnome.com/wiki/Using_The_Browser_Error_Console if you are unsure what to put here

XHROPTIONS
https://nextcloudserver.example/index.php/apps/webapppassword/core/preview?fileId=167981
CORS Preflight Did Not Succeed

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://nextcloudserver.example/index.php/apps/webapppassword/core/preview?fileId=167981. (Reason: CORS preflight response did not succeed). Status code: 500.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://nextcloudserver.example/index.php/apps/webapppassword/core/preview?fileId=167981. (Reason: CORS request did not succeed). Status code: (null).

Hello,
Can you add the possibility to enabled CORS pour OCS Share API (https://docs.nextcloud.com/server/latest/developer_manual/client_apis/OCS/ocs-share-api.html) ? Webdav don't support sharing links...
Thanks ^^

@aleixq

With Nextcloud 29.0.2 the PHP API in the Nextcloud server got breaking changes that seems to break the whole app via ShareAPIController::createShare.

nextcloud/server@5dbb96f

When using WebAppPassword for creating temporary app passwords, this causes:

{
    "reqId": "MeFUfsLGC1ozQWskec9c",
    "level": 3,
    "time": "June 18, 2024 11:13:39",
    "remoteAddr": "10.13.128.116",
    "user": "--",
    "app": "PHP",
    "method": "GET",
    "url": "/index.php/apps/webapppassword?target-origin=https%3A%2F%2Fdbp-dev.tugraz.at%2Fapps%2Fsignature%2Fde%2Fqualified-pdf-upload",
    "message": "Declaration of OCA\\WebAppPassword\\Controller\\ShareAPIController::createShare(?string $path = null, ?int $permissions = null, int $shareType = -1, ?string $shareWith = null, string $publicUpload = 'false', string $password = '', ?string $sendPasswordByTalk = null, string $expireDate = '', string $note = '', string $label = '', ?string $attributes = null): OCP\\AppFramework\\Http\\DataResponse must be compatible with OCA\\Files_Sharing\\Controller\\ShareAPIController::createShare(?string $path = null, ?int $permissions = null, int $shareType = -1, ?string $shareWith = null, string $publicUpload = 'false', string $password = '', ?string $sendPasswordByTalk = null, ?string $expireDate = null, string $note = '', string $label = '', ?string $attributes = null): OCP\\AppFramework\\Http\\DataResponse at /home/nc/pers/apps/webapppassword/lib/Controller/ShareAPIController.php#34",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
    "version": "29.0.2.2",
    "data": {
        "app": "PHP"
    }
}

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• chore(deps): lock file maintenance

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Please add support. Thanks!

Once again as in #1 I think that preview endpoint will be useful outside nextcloud. It uses this route:

/core/preview provided by getPreviewByFileId
Otherwise is not possible to obtain the preview thumbnail from outside origin.