Prevent sending second WWW-Authenticate header 5386/head
authorLukas Reschke <lukas@statuscode.ch>
Tue, 13 Jun 2017 11:51:33 +0000 (13:51 +0200)
committerLukas Reschke <lukas@statuscode.ch>
Tue, 13 Jun 2017 16:52:30 +0000 (18:52 +0200)
Overrides \Sabre\DAV\Auth\Backend\AbstractBearer::challenge to prevent sending a second WWW-Authenticate header; doing so is standards-compliant, but most DAV clients simply fail hard on it.

Fixes https://github.com/nextcloud/server/issues/5088

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
apps/dav/lib/Connector/Sabre/BearerAuth.php
apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
build/integration/features/webdav-related.feature

index f0e0f389c33bb946d22e08295794a048f7e47c6b..b7fd9116f21997c953b95f2911aaf7ac6a8bd125 100644 (file)
@@ -25,6 +25,8 @@ use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserSession;
 use Sabre\DAV\Auth\Backend\AbstractBearer;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
 
 class BearerAuth extends AbstractBearer {
        /** @var IUserSession */
@@ -77,4 +79,16 @@ class BearerAuth extends AbstractBearer {
 
                return false;
        }
+
+       /**
+        * \Sabre\DAV\Auth\Backend\AbstractBearer::challenge sets an WWW-Authenticate
+        * header which some DAV clients can't handle. Thus we override this function
+        * and make it simply return a 401.
+        *
+        * @param RequestInterface $request
+        * @param ResponseInterface $response
+        */
+       public function challenge(RequestInterface $request, ResponseInterface $response) {
+               $response->setStatus(401);
+       }
 }
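Review bot: The override at the `challenge` line drops every header the parent would have emitted, so a 401 from this backend carries no challenge of its own and is only RFC 7235-compliant because another backend (the Basic one, judging by the `Basic realm="Nextcloud"` value the feature file still expects) adds a WWW-Authenticate header; that dependency is not recorded anywhere. I would state it in the docblock, e.g. `* Relies on the Basic auth backend still emitting its own WWW-Authenticate header; if that backend is removed, this 401 carries no challenge at all.`, and fix the typo `an WWW-Authenticate` to `a WWW-Authenticate`. The `$request` parameter is unused but required by the parent signature, so a short `@param RequestInterface $request Unused; required by the parent signature` would head off a later "unused parameter" cleanup.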
index 5eae75eb8e9ca1161ba157b1cef606fb33fa05cd..04bb035a635a818ccd2ca4f371deebf28b5380d5 100644 (file)
@@ -21,9 +21,6 @@
 
 namespace OCA\DAV\Tests\unit\Connector\Sabre;
 
-use OC\Authentication\TwoFactorAuth\Manager;
-use OC\Security\Bruteforce\Throttler;
-use OC\User\Session;
 use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCP\IRequest;
 use OCP\ISession;
@@ -85,4 +82,13 @@ class BearerAuthTest extends TestCase {
 
                $this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
        }
+
+       public function testChallenge() {
+               /** @var \PHPUnit_Framework_MockObject_MockObject|RequestInterface $request */
+               $request = $this->createMock(RequestInterface::class);
+               /** @var \PHPUnit_Framework_MockObject_MockObject|ResponseInterface $response */
+               $response = $this->createMock(ResponseInterface::class);
+               $result = $this->bearerAuth->challenge($request, $response);
+               $this->assertEmpty($result);
+       }
 }
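Review bot: `assertEmpty($result)` in `testChallenge` only checks that a void method returned null; it does not verify what the commit is about. Set expectations on the response mock instead: `$response->expects($this->once())->method('setStatus')->with(401);` and `$response->expects($this->never())->method('addHeader');` before calling `challenge`, and drop the `$result` assertion. The hunk also references `RequestInterface::class` and `ResponseInterface::class` unqualified while the earlier hunk in this file only removes imports; if `Sabre\HTTP\RequestInterface` and `Sabre\HTTP\ResponseInterface` are not already imported above, those names resolve to the test namespace and the mocks will not satisfy the type hints on `challenge`.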
index b4fd05113564fe1e609b88ff748e8d0cdde8c939..b8ed1c4a77872fd28fbf75648816f0bb8bbfaa5a 100644 (file)
@@ -8,7 +8,7 @@ Feature: webdav-related
                Then the HTTP status code should be "401"
                And there are no duplicate headers
                And The following headers should be set
-                       |WWW-Authenticate|Basic realm="Nextcloud", Bearer realm="Nextcloud"|
+                       |WWW-Authenticate|Basic realm="Nextcloud"|
 
        Scenario: Unauthenticated call new dav path
                Given using new dav path
@@ -16,7 +16,7 @@ Feature: webdav-related
                Then the HTTP status code should be "401"
                And there are no duplicate headers
                And The following headers should be set
-                       |WWW-Authenticate|Bearer realm="Nextcloud", Basic realm="Nextcloud"|
+                       |WWW-Authenticate|Basic realm="Nextcloud"|
 
        Scenario: Moving a file
                Given using old dav path