OC 8 + HTTP Basic Auth + File upload = "Token expired, please reload page" Re-Appeared!! #14469
Comments
Where do you authenticate against? Which endpoint? If you take a look at the source do you see something like |
Just at this moment I found the line: lib/base.php: if (!self::checkUpgrade(false) When inserting the "HERE" lines, file uploading works... when deleting them again (as is in origin) the error appears.... Anyway... with this little hack, everything works again... |
@LukasReschke : Just now saw your answer... The HTTP Basic Auth is against LDAP, the same one, which is configured in OC8 |
Yes, there is a "data-requesttoken" in the head-tag and it has a value... doesn't matter, if the lines are inserted to lib/base.php or not... |
Against which endpoint are you authenticating? – What does the login request look like? |
what do u mean with "endpoint"? |
How do you login? What are the exact steps that you follow to authenticate? |
1.) Enter the URL |
@blizzz When looking at the custom patch in #14469 (comment) it looks to me like LDAP is not yet initialized in that state and thus it does not work? - Would it make sense to initialize the |
Found this out: WITH my changes: So it seems, WITHOUT my changes, the requesttoken is renewed at each and every request even if it is in the same session. This explains why the upload fails, as the AJAX request for the upload includes the first token (to stay with the first example: "AAAAAA", checked that in Firebug), whereas the new token "BBBBBB" is the valid one... |
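
A simplified model of the token churn described in the comment above, as an added example that is not ownCloud code and not part of the original thread. The `ToyApp` class, the session layout, the user `alice`, and the assumption that the login check can only succeed once the user backend is loaded are all hypothetical.

```python
import secrets


class ToyApp:
    """Simplified session/request-token model (hypothetical, not ownCloud code)."""

    def __init__(self, load_auth_backend_early):
        self.load_auth_backend_early = load_auth_backend_early
        self.backend_users = {"alice"}  # constructed user, known only to the external backend
        self.sessions = {}              # session id -> {"user": ..., "token": ...}

    def _logged_in(self, session):
        # Assumption: the login check must resolve the session user through the
        # user backend, which fails when that backend has not been loaded yet.
        return (self.load_auth_backend_early
                and session.get("user") in self.backend_users)

    def handle(self, sid, basic_auth_user, sent_token=None):
        session = self.sessions.setdefault(sid, {})
        if not self._logged_in(session):
            # Fall back to a fresh login from the web server's Basic Auth user.
            # Assumption: a fresh login issues a new request token.
            session["user"] = basic_auth_user
            session["token"] = secrets.token_hex(16)
        valid = sent_token is not None and secrets.compare_digest(
            sent_token, session["token"])
        return {"token": session["token"], "token_valid": valid}


def upload_flow(load_auth_backend_early):
    """Page load followed by an AJAX upload that echoes the page's token."""
    app = ToyApp(load_auth_backend_early)
    page = app.handle("sess1", "alice")
    upload = app.handle("sess1", "alice", sent_token=page["token"])
    return page["token"] == upload["token"], upload["token_valid"]


def distinct_tokens(load_auth_backend_early, requests=5):
    """Check a tester can repeat: one session should only ever show one token."""
    app = ToyApp(load_auth_backend_early)
    return len({app.handle("sess1", "alice")["token"] for _ in range(requests)})


if __name__ == "__main__":
    print("late backend load :", upload_flow(False), distinct_tokens(False))
    print("early backend load:", upload_flow(True), distinct_tokens(True))
```
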
@LukasReschke OC_User::isLoggedIn() does not interact with user backends, only with the user session (which checks $_SESSION). |
Sure. But it does also a query to |
@LukasReschke oh, i have seen that spot. This explains why it works. Then yes, we'd need to load auth-apps earlier. |
In earlier versions we loaded the apps already there: Line 328 in 87345f8
|
Let me put it somewhere on top of base.php – I doubt that there are cases where it is unneeded? |
Public (guest) pages? |
I think even then it makes sense to load them in case user list has to get loaded somehow? |
I doubt… But you never know. We'd be on the safe side. |
Did a quick test with @LukasReschke's comment about this: Line 328 in 87345f8
I added these "HERE" lines to lib/private/user.php:
as it obviously was in the earlier version. Then I reverted my change to "lib/base.php" so it is the original one now. With that, file uploading works, too |
Thanks for verifying @t0mcat1337 |
The current code path may trigger situations where the LDAP application is not yet loaded and thus problems with the authentication appeared. In previous versions of ownCloud the authentication mechanism manually loaded these apps which is why this affects ownCloud 8 and master only, to my knowledge. (certainly not 6, maybe 7) Backport to 8 might be something to consider. Fixes #14469
I created a somewhat cleaner patch in #14471 - @t0mcat1337 could you test this and report back whether it works on the PR as well? |
And what was to expect... the requesttoken remains the same in all requests, too... |
@LukasReschke : As I have to leave work now I can test the patch during the next few hours... anyway thx a lot for this REALLY quick assistance ;) |
Sure. Thanks for testing and reporting issues back and your investigation (especially that you tried some patches yourself, that is far more than the usual bug reporter does). Helped a lot to understand the issue 😄 If you stumble upon any other bug please don't hesitate to file an issue. (though this is authentication related and more urgent than some little tiny nitpick :)) |
Patch will be included within 8.0.1 - thanks for reporting issues back. |
Hi everybody,
just updated to the last stable OC 8 and this Bug from OC 6.x / OC7.0.x reappeared:
1.) After logging in with Apache's Basic Auth the user is correctly logged in to OC
2.) Uploading a file fails, the progress bar completely gets filled but then this message appears:
"Token expired, please reload page"
and the file isn't there.
Exactly the same behaviour was described in
#4574
and
#7852
In OC6/7.0x the solution from #4574 always worked. But as the code structure has heavily changed I couldn't find the correct file / line to try, if this still would work.
Any hints?
Thx in advance!