OC 8 + HTTP Basic Auth + File upload = "Token expired, please reload page" Re-Appeared!!

[t0mcat1337]

Hi everybody,

just updated to the last stable OC 8 and this Bug from OC 6.x / OC7.0.x reappeared:

1.) After logging in with Apache's Basic Auth the user is correctly logged in to OC
2.) Uploading a file fails, the progress bar completely gets filled but then this message appears:
"Token expired, please reload page"
and the file isn't there.

Exactly the same behaviour was described in

#4574
and
#7852

In OC6/7.0x the solution from #4574 always worked. But as the code structure has heavily changed I coultn't find the correct file / line to try, if this still would work.

Any hints?

Thx in advance!

[LukasReschke]

Where do you authenticate against? Which endpoint? If you take a look at the source to you see something like data-requesttoken and does it has a value?

[t0mcat1337]

Just at this moment I found the line:

lib/base.php:

if (!self::checkUpgrade(false)
&& !$systemConfig->getValue('maintenance', false)
&& !\OCP\Util::needUpgrade()) {
// For logged-in users: Load everything
if(OC_User::isLoggedIn()) { <------------------ ??
OC_App::loadApps();
} else {
// For guests: Load only authentication, filesystem and logging
OC_App::loadApps(array('authentication'));
OC_App::loadApps(array('filesystem', 'logging'));
if (!OC_User::isLoggedIn()) { <------------------------------ HERE-------------------
\OC_User::tryBasicAuthLogin();
} <----------------------HERE ----------------------------------
}
}

When inserting the "HERE" lines, file uploading works... when deleting them again (as is in origin) the error appears....
But I don't really understand why this works as "OC_User::isLoggedIn" is already checked in the former outer if.... (the Line wirh "??")

Anyway... with this little hack, everything works again...

[t0mcat1337]

@LukasReschke : Just now saw your answer... The HTTP Basic Auth is against LDAP, the same one, which is configured in OC8

[t0mcat1337]

Yes, there is a "data-requesttoken" in the head-tag and it has a value... doesn't matter, if the lines are inserted to lib/base.php or not...

[LukasReschke]

Against which endpoint are you authenticating? – How does the login request look like?

[t0mcat1337]

what do u mean with "endpoint"?

[LukasReschke]

How do you login? What are the exact steps that you follow to authenticate?

[t0mcat1337]

1.) Enter the URL
2.) The HTTP Basic Auth window appears (as the Apache is configured to use HTTP Basic Auth for this URL)
3.) Enter my credentials as needed to authenticate against the LDAP Backend
4.) OC8 opens with the correct user

[LukasReschke]

@blizzz When looking at the custom patch in #14469 (comment) it looks to me like LDAP is not yet initialized in that state and thus it does not work? - Would it make sense to initialize the authentication apps before somewhere?

[t0mcat1337]

Found this out:
WITHOUT my changes in lib/base.php:
1.) Open OC8 -> requesttoken is, lets say "AAAAAAA"
2.) Change Directory by clicking on it -> requesttoken changes to, lets say "BBBBBBBB"

WITH my changes:
1.) Open OC8 -> requesttoken is, lets say "AAAAAAA"
2.) Change Directory by clicking on it -> requesttoken remains "AAAAAAA"

So it seems, WITHOUT my changes, the requesttoken is renewed at each and every request even it is in the same session. This explains, why the upload fails, as the AJAX request for the upload includes the first token (to stay with the first example: "AAAAAA", checked that in Firebug), whereas the new token "BBBBBB" is the valid one...

[blizzz]

@LukasReschke OC_User::isLoggedIn() does not interact with user backends, only with the user session (which checks $_SESSION).

[LukasReschke]

Sure. But it does also a query to \OC_User::userExists – let me try to get some LDAP setup again and verify this.

[blizzz]

@LukasReschke oh, i have seen that spot. This explains why it works. Then yes, we'd need to load auth-apps earlier.

[LukasReschke]

In earlier versions we loaded the apps already there:

core/lib/private/user.php

Line 328 in 87345f8

OC_App::loadApps(array('authentication'));

sigh

[LukasReschke]

Let me put it somewhere on top of base.php – I doubt that there are cases where it is uneeded?

[blizzz]

Public (guest) pages?

[LukasReschke]

I think even then it makes sense to load them in case user list has to get loaded somehow?

[blizzz]

I doubt… But you never know. We'd be on the safe side.

[t0mcat1337]

Did a quick test with @LukasReschke 's comment about this:

core/lib/private/user.php

Line 328 in 87345f8

OC_App::loadApps(array('authentication'));

I added these "HERE" lines to lib/private/user.php:

    public static function isLoggedIn() {
            if (\OC::$server->getSession()->get('user_id') !== null && self::$incognitoMode === false) {
                    OC_App::loadApps(array('authentication')); <--------------------------- HERE
                    self::setupBackends(); <------------------------- HERE
                    return self::userExists(\OC::$server->getSession()->get('user_id'));
            }

            return false;
    }

as it obviously was in the earlier version.

Then I reverted my change to "lib/base.php" so it is the original one now

Witht that file uploading works, too

[blizzz]

Thanks for veryfying @t0mcat1337

[LukasReschke]

I created a somewhat cleaner patch in #14471 - @t0mcat1337 could you test this and report back whether it works on the PR as well?

[t0mcat1337]

And what was to expect... the requesttoken remains the same in all requests, too...

[t0mcat1337]

@LukasReschke : As I have to leave work now I can test the patch during the next few hours... anyway thx a lot for this REALLY quick assistance ;)

[LukasReschke]

Sure. Thanks for testing and reporting issues back and your investigation (especially that you tried some patches yourself, that is far more than the usual bug reporter does). Helped a lot to understand the issue 😄

If you stumble upon any other bug please don't hesitate to file an issue. (though this is authentication related and more urgent than some little tiny nitpick :))

[LukasReschke]

Patch will be include within 8.0.1 - thanks for reporting issues back.