Merge pull request #40782 from nextcloud/fix/auth-ext-strg

2 files changed, 6 insertions, 3 deletions

diff --git a/apps/files_external/lib/Controller/ApiController.php b/apps/files_external/lib/Controller/ApiController.php
index 5a62a19e3cb..163d403dc2c 100644
--- a/apps/files_external/lib/Controller/ApiController.php
+++ b/apps/files_external/lib/Controller/ApiController.php
@@ -126,6 +126,7 @@ class ApiController extends OCSController {
 
 	/**
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * Ask for credentials using a browser's native basic auth prompt
 	 * Then returns it if provided
diff --git a/apps/files_external/src/actions/enterCredentialsAction.ts b/apps/files_external/src/actions/enterCredentialsAction.ts
index eeb2f5f8793..162a359f488 100644
--- a/apps/files_external/src/actions/enterCredentialsAction.ts
+++ b/apps/files_external/src/actions/enterCredentialsAction.ts
@@ -75,11 +75,13 @@ export const action = new FileAction({
 
 	async exec(node: Node) {
 		// always resolve auth request, we'll process the data afterwards
-		const response = await axios.get(generateOcsUrl('/apps/files_external/api/v1/auth'), {
-			validateStatus: () => true,
+		// Using fetch as axios have integrated auth handling and X-Requested-With header
+		const response = await fetch(generateOcsUrl('/apps/files_external/api/v1/auth'), {
+			headers: new Headers({ Accept: 'application/json' }),
+			credentials: 'include',
 		})
 
-		const data = (response?.data || {}) as OCSAuthResponse
+		const data = (await response?.json() || {}) as OCSAuthResponse
 		if (data.ocs.data.user && data.ocs.data.password) {
 			const configResponse = await axios.put(generateUrl('apps/files_external/userglobalstorages/{id}', node.attributes), {
 				backendOptions: data.ocs.data,