Prevent sending second WWW-Authenticate header

Overrides \Sabre\DAV\Auth\Backend\AbstractBearer::challenge to prevent sending a second WWW-Authenticate header which is standard-compliant but most DAV clients simply fail hard.

Fixes https://github.com/nextcloud/server/issues/5088

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2017-06-13 13:51:33 +02:00
parent 4c56414cab
commit 913758dc28
No known key found for this signature in database
GPG Key ID: B9F6980CF6E759B1
3 changed files with 25 additions and 5 deletions

View File

@ -25,6 +25,8 @@ use OCP\IRequest;
use OCP\ISession; use OCP\ISession;
use OCP\IUserSession; use OCP\IUserSession;
use Sabre\DAV\Auth\Backend\AbstractBearer; use Sabre\DAV\Auth\Backend\AbstractBearer;
use Sabre\HTTP\RequestInterface;
use Sabre\HTTP\ResponseInterface;
class BearerAuth extends AbstractBearer { class BearerAuth extends AbstractBearer {
/** @var IUserSession */ /** @var IUserSession */
@ -77,4 +79,16 @@ class BearerAuth extends AbstractBearer {
return false; return false;
} }
/**
* \Sabre\DAV\Auth\Backend\AbstractBearer::challenge sets an WWW-Authenticate
* header which some DAV clients can't handle. Thus we override this function
* and make it simply return a 401.
*
* @param RequestInterface $request
* @param ResponseInterface $response
*/
public function challenge(RequestInterface $request, ResponseInterface $response) {
$response->setStatus(401);
}
} }

View File

@ -21,9 +21,6 @@
namespace OCA\DAV\Tests\unit\Connector\Sabre; namespace OCA\DAV\Tests\unit\Connector\Sabre;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Security\Bruteforce\Throttler;
use OC\User\Session;
use OCA\DAV\Connector\Sabre\BearerAuth; use OCA\DAV\Connector\Sabre\BearerAuth;
use OCP\IRequest; use OCP\IRequest;
use OCP\ISession; use OCP\ISession;
@ -85,4 +82,13 @@ class BearerAuthTest extends TestCase {
$this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token')); $this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
} }
public function testChallenge() {
/** @var \PHPUnit_Framework_MockObject_MockObject|RequestInterface $request */
$request = $this->createMock(RequestInterface::class);
/** @var \PHPUnit_Framework_MockObject_MockObject|ResponseInterface $response */
$response = $this->createMock(ResponseInterface::class);
$result = $this->bearerAuth->challenge($request, $response);
$this->assertEmpty($result);
}
} }

View File

@ -8,7 +8,7 @@ Feature: webdav-related
Then the HTTP status code should be "401" Then the HTTP status code should be "401"
And there are no duplicate headers And there are no duplicate headers
And The following headers should be set And The following headers should be set
|WWW-Authenticate|Basic realm="Nextcloud", Bearer realm="Nextcloud"| |WWW-Authenticate|Basic realm="Nextcloud"|
Scenario: Unauthenticated call new dav path Scenario: Unauthenticated call new dav path
Given using new dav path Given using new dav path
@ -16,7 +16,7 @@ Feature: webdav-related
Then the HTTP status code should be "401" Then the HTTP status code should be "401"
And there are no duplicate headers And there are no duplicate headers
And The following headers should be set And The following headers should be set
|WWW-Authenticate|Bearer realm="Nextcloud", Basic realm="Nextcloud"| |WWW-Authenticate|Basic realm="Nextcloud"|
Scenario: Moving a file Scenario: Moving a file
Given using old dav path Given using old dav path