Prevent sending second WWW-Authenticate header
Overrides \Sabre\DAV\Auth\Backend\AbstractBearer::challenge to prevent sending a second WWW-Authenticate header. Sending it is standard-compliant, but most DAV clients simply fail hard when they receive it. Fixes https://github.com/nextcloud/server/issues/5088 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
parent
4c56414cab
commit
913758dc28
|
@ -25,6 +25,8 @@ use OCP\IRequest;
|
||||||
use OCP\ISession;
|
use OCP\ISession;
|
||||||
use OCP\IUserSession;
|
use OCP\IUserSession;
|
||||||
use Sabre\DAV\Auth\Backend\AbstractBearer;
|
use Sabre\DAV\Auth\Backend\AbstractBearer;
|
||||||
|
use Sabre\HTTP\RequestInterface;
|
||||||
|
use Sabre\HTTP\ResponseInterface;
|
||||||
|
|
||||||
class BearerAuth extends AbstractBearer {
|
class BearerAuth extends AbstractBearer {
|
||||||
/** @var IUserSession */
|
/** @var IUserSession */
|
||||||
|
@ -77,4 +79,16 @@ class BearerAuth extends AbstractBearer {
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \Sabre\DAV\Auth\Backend\AbstractBearer::challenge sets an WWW-Authenticate
|
||||||
|
* header which some DAV clients can't handle. Thus we override this function
|
||||||
|
* and make it simply return a 401.
|
||||||
|
*
|
||||||
|
* @param RequestInterface $request
|
||||||
|
* @param ResponseInterface $response
|
||||||
|
*/
|
||||||
|
public function challenge(RequestInterface $request, ResponseInterface $response) {
|
||||||
|
$response->setStatus(401);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
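Review bot: The docblock on the new `challenge()` override does not say that this backend now contributes no challenge to the 401, so the response depends on another registered backend to supply `WWW-Authenticate` (the feature file in this commit expects only `Basic realm="Nextcloud"`). RFC 7235 requires a 401 to carry at least one challenge, so that dependency is worth recording, for example `* Sets only the 401 status; the WWW-Authenticate challenge is left to the other registered auth backends.` The wording "make it simply return a 401" is also slightly off, since the method sets the status and returns nothing. The class body starts outside the hunk, so whether `BearerAuth` can ever be registered on its own cannot be confirmed from here.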
|
@ -21,9 +21,6 @@
|
||||||
|
|
||||||
namespace OCA\DAV\Tests\unit\Connector\Sabre;
|
namespace OCA\DAV\Tests\unit\Connector\Sabre;
|
||||||
|
|
||||||
use OC\Authentication\TwoFactorAuth\Manager;
|
|
||||||
use OC\Security\Bruteforce\Throttler;
|
|
||||||
use OC\User\Session;
|
|
||||||
use OCA\DAV\Connector\Sabre\BearerAuth;
|
use OCA\DAV\Connector\Sabre\BearerAuth;
|
||||||
use OCP\IRequest;
|
use OCP\IRequest;
|
||||||
use OCP\ISession;
|
use OCP\ISession;
|
||||||
|
@ -85,4 +82,13 @@ class BearerAuthTest extends TestCase {
|
||||||
|
|
||||||
$this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
|
$this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testChallenge() {
|
||||||
|
/** @var \PHPUnit_Framework_MockObject_MockObject|RequestInterface $request */
|
||||||
|
$request = $this->createMock(RequestInterface::class);
|
||||||
|
/** @var \PHPUnit_Framework_MockObject_MockObject|ResponseInterface $response */
|
||||||
|
$response = $this->createMock(ResponseInterface::class);
|
||||||
|
$result = $this->bearerAuth->challenge($request, $response);
|
||||||
|
$this->assertEmpty($result);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
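Review bot: `testChallenge()` asserts `assertEmpty($result)` on a method that returns nothing, so it passes whether or not the override sets a status or adds a header. Expectations set on the mock before the call would pin the behaviour this commit is about: `$response->expects($this->once())->method('setStatus')->with(401);` and `$response->expects($this->never())->method('addHeader');`. The visible import hunk of this file only removes `use` lines, so it is worth confirming that `Sabre\HTTP\RequestInterface` and `Sabre\HTTP\ResponseInterface` are imported in the test. If they are not, the short names resolve inside the test namespace.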
|
@ -8,7 +8,7 @@ Feature: webdav-related
|
||||||
Then the HTTP status code should be "401"
|
Then the HTTP status code should be "401"
|
||||||
And there are no duplicate headers
|
And there are no duplicate headers
|
||||||
And The following headers should be set
|
And The following headers should be set
|
||||||
|WWW-Authenticate|Basic realm="Nextcloud", Bearer realm="Nextcloud"|
|
|WWW-Authenticate|Basic realm="Nextcloud"|
|
||||||
|
|
||||||
Scenario: Unauthenticated call new dav path
|
Scenario: Unauthenticated call new dav path
|
||||||
Given using new dav path
|
Given using new dav path
|
||||||
|
@ -16,7 +16,7 @@ Feature: webdav-related
|
||||||
Then the HTTP status code should be "401"
|
Then the HTTP status code should be "401"
|
||||||
And there are no duplicate headers
|
And there are no duplicate headers
|
||||||
And The following headers should be set
|
And The following headers should be set
|
||||||
|WWW-Authenticate|Bearer realm="Nextcloud", Basic realm="Nextcloud"|
|
|WWW-Authenticate|Basic realm="Nextcloud"|
|
||||||
|
|
||||||
Scenario: Moving a file
|
Scenario: Moving a file
|
||||||
Given using old dav path
|
Given using old dav path
|
||||||
|
|