401 No 'Authorization: Basic' header found. when syncing contacts FROM ios TO nextcloud

Hi,

I just set up a new instance of nc17 using the example provided here:
[Docker-Compose Examples](https://github.com/nextcloud/docker/tree/master/.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm)
Also the contacts app 3.1.6

I slightly varied the docker files to reuse my existing macvlan network and the shared postgres instance. I am using a self-signed certificate. The clients are a Windows PC (files) and two iOS 13 devices (calendar and contacts). Almost everything is working fine:
- Syncing files with iOS and Windows desktop apps
- Syncing calendar entries from and to clients
- Syncing contacts FROM nextcloud TO clients

However syncing contacts FROM ios TO nextcloud does not work and I can’t find out what the reason for this is. The Nextcloud log shows the following error:

{"reqId":"qxIo5FK7RtIIwI2othjf","level":0,"time":"2019-10-29T18:58:09+00:00","remoteAddr":"192.168.1.132","user":"--","app":"webdav","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/kinl99\/","message":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","Code":0,"Trace":[{"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->","args":[{"absoluteUrl":"http:\/\/nextcloud\/remote.php\/dav\/addressbooks\/users\/kinl99\/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]},{"file":"\/var\/www\/html\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php","line":105,"function":"call_user_func_array","args":[[{"autoRequireLogin":true,"__class__":"Sabre\\DAV\\Auth\\Plugin"},"beforeMethod"],[{"absoluteUrl":"http:\/\/nextcloud\/remote.php\/dav\/addressbooks\/users\/kinl99\/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]]},{"file":"\/var\/www\/html\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":466,"function":"emit","class":"Sabre\\Event\\EventEmitter","type":"->","args":["beforeMethod",[{"absoluteUrl":"http:\/\/nextcloud\/remote.php\/dav\/addressbooks\/users\/kinl99\/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]]},{"file":"\/var\/www\/html\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php","line":254,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":[{"absoluteUrl":"http:\/\/nextcloud\/remote.php\/dav\/addressbooks\/users\/kinl99\/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]},{"file":"\/var\/www\/html\/apps\/dav\/lib\/Server.php","line":317,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"\/var\/www\/html\/apps\/dav\/appinfo\/v2\/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->","args":[]},{"file":"\/var\/www\/html\/remote.php","line":163,"args":["\/var\/www\/html\/apps\/dav\/appinfo\/v2\/remote.php"],"function":"require_once"}],"File":"\/var\/www\/html\/3rdparty\/sabre\/dav\/lib\/DAV\/Auth\/Plugin.php","Line":168,"CustomMessage":"--"},"userAgent":"iOS\/13.1.3 (17A878) dataaccessd\/1.0","version":"17.0.0.9"}

Any idea what is wrong?

Regards and
Thanks a lot! :hugs:

At first I must admit that I’m personally not using iOS anymore. That behavior sounds really strange. Due to the fact that contacts are synced from Nextcloud to the phone I would assume that you’ve correctly set up an app-specific password and that the general access is given.
Have you checked in which VCard format the contacts are available on your phone and on Nextcloud? As far as I remember Nextcloud requires VCARD 3.0 records.

This URL looks as if it has been copied directly from the web GUI to the device, although iOS devices require a different “principal” syntax, as described here.

Let me add that I’ve just checked the code in apps/dav/lib/DAV/PublicAuth.php, which contains the mentioned text string “No public access to this resource.”. In this file you can find the following comment, which seems to underpin my assumption:

     * The returned value must be one of the following
     *
     * [true, "principals/username"]
     * [false, "reason for failure"]

The account URL from the troubleshooting guide has been automatically set. If I check the account settings in IOS it’s exactly the url referenced from the troubleshooting guide. Is there maybe a guide that explains how to debug such issues?

I tested contact sync with a completely new contact that I created on the phone using just the email/phone fields. But if iOS 13 is creating valid vCard 3.0 files, I don’t have a clue…

What is this app-specific password you are talking about? Anything I need to set inside the contacts app? I didn’t read anything about such a thing in the docs/my googlefu results so far…

What does that mean in detail? Can you please show us the URL you used here?

App-specific passwords should be set up for applications to remove the binding to the default login, which might be secured by e.g. a second factor. They allow you to use individual passwords on different devices so that it’s easier to lock one down if a device gets lost.
You find it under Settings > Personal > Security.

IOS Settings

After setting an app-specific password contact sync from ios to nextcloud worked and the 401s are gone. Thanks for the advice. I’m a bit confused though as there wasn’t any association with the contact app, I guess this refers to an external app using the nextcloud resources?

On top of that, password auth using the iOS client app somehow stopped working at some point, but thanks to the app-specific password with the QR code I was able to revive my iOS app again.

The Contacts app uses many basic functions from the Nextcloud server core, like e.g. authentication, and therefore it might be possible that not all messages are directly pointing to the root-cause of the problem :wink:
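
Added example, not part of any post in this thread: a small Python triage script that reads `nextcloud.log` lines in the JSON-per-line shape shown in the first post and groups `Sabre\DAV\Exception\NotAuthenticated` entries by client address and user agent, so it is clear which device is sending DAV requests without usable credentials. The sample lines, the user name `alice` and the 192.0.2.x addresses are constructed; the script assumes `message` is a JSON object as in the entry above.

```python
import json
from collections import defaultdict

NOT_AUTHENTICATED = "Sabre\\DAV\\Exception\\NotAuthenticated"


def sample_line(addr, agent, method, url, message):
    # Builds one constructed log line with the fields seen in the thread's entry.
    return json.dumps({"level": 0, "remoteAddr": addr, "user": "--",
                       "app": "webdav", "method": method, "url": url,
                       "message": message, "userAgent": agent})


IOS = "iOS/13.1.3 (17A878) dataaccessd/1.0"
BOOK = "/remote.php/dav/addressbooks/users/alice/"  # constructed user name
NO_AUTH = {"Exception": NOT_AUTHENTICATED,
           "Message": "No 'Authorization: Basic' header found."}

# Constructed sample log: two failing DAV requests, one unrelated entry,
# and one truncated line such as a wrapped or cut-off log record.
SAMPLE_LOG = [
    sample_line("192.0.2.10", IOS, "PROPFIND", BOOK, NO_AUTH),
    sample_line("192.0.2.10", IOS, "PUT", BOOK + "contacts/new.vcf", NO_AUTH),
    sample_line("192.0.2.20", "Mozilla/5.0", "GET", "/index.php", "Login ok"),
    '{"reqId":"truncated',
]


def unauthenticated_dav_clients(lines):
    """Group NotAuthenticated DAV entries by (remoteAddr, userAgent)."""
    clients = defaultdict(lambda: {"count": 0, "methods": set(), "urls": set()})
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the scan
        if not isinstance(entry, dict):
            continue
        message = entry.get("message")
        if not isinstance(message, dict):
            continue  # plain-text messages carry no exception class
        if message.get("Exception") != NOT_AUTHENTICATED:
            continue
        if "/remote.php/dav/" not in entry.get("url", ""):
            continue
        stats = clients[(entry.get("remoteAddr"), entry.get("userAgent"))]
        stats["count"] += 1
        stats["methods"].add(entry.get("method"))
        stats["urls"].add(entry.get("url"))
    return dict(clients)
```

To run it against a real log, pass the open file object in place of `SAMPLE_LOG`, for example `unauthenticated_dav_clients(open(path))`.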