Access Forbidden Invalid Request with Android app [solved]

Nextcloud version 14.0.5 (installed from Snap)
Operating system and version Ubuntu 18.04
Apache or nginx version 2.4.29
PHP version 7.2+60ubunt

The issue you are facing: When setting up the Android app I get:

Access Forbidden
Invalid Request

Is this the first time you’ve seen this error? It’s always happened from the first time I tried to connect the Nextcloud Android app to my server.

Steps to replicate it:

  1. Start Nextcloud app
  2. Login using username/password
  3. Provide the TOTP key from Google Authenticator (my Nextcloud has MFA enabled)
  4. Click ‘Grant Access’

The output of your Nextcloud log in Admin > Logging:

|Level|App|Message|Time|
|---|---|---|---|
|Error|PHP|include(): Failed opening 'State token does not match' for inclusion (include_path='/snap/nextcloud/10791/htdocs/3rdparty/pear/archive_tar:/snap/nextcloud/10791/htdocs/3rdparty/pear/console_getopt:/snap/nextcloud/10791/htdocs/3rdparty/pear/pear-core-minimal/src:/snap/nextcloud/10791/htdocs/3rdparty/pear/pear_exception:/snap/nextcloud/current/htdocs/apps:/var/snap/nextcloud/current/nextcloud/extra-apps') at /snap/nextcloud/10791/htdocs/lib/private/Template/Base.php#179|2019-01-17T07:44:44+1100|
|Error|PHP|include(State token does not match): failed to open stream: No such file or directory at /snap/nextcloud/10791/htdocs/lib/private/Template/Base.php#179|2019-01-17T07:44:44+1100|
|Error|PHP|include(): Failed opening 'State token does not match' for inclusion (include_path='/snap/nextcloud/10791/htdocs/3rdparty/pear/archive_tar:/snap/nextcloud/10791/htdocs/3rdparty/pear/console_getopt:/snap/nextcloud/10791/htdocs/3rdparty/pear/pear-core-minimal/src:/snap/nextcloud/10791/htdocs/3rdparty/pear/pear_exception:/snap/nextcloud/current/htdocs/apps:/var/snap/nextcloud/current/nextcloud/extra-apps') at /snap/nextcloud/10791/htdocs/lib/private/Template/Base.php#179|2019-01-17T07:44:44+1100|
|Error|PHP|include(State token does not match): failed to open stream: No such file or directory at /snap/nextcloud/10791/htdocs/lib/private/Template/Base.php#179|2019-01-17T07:44:44+1100|

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/snap/nextcloud/current/htdocs/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/snap/nextcloud/current/nextcloud/extra-apps',
      'url' => '/extra-apps',
      'writable' => true,
    ),
  ),
  'supportedDatabases' => 
  array (
    0 => 'mysql',
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/tmp/sockets/redis.sock',
    'port' => 0,
  ),
  'passwordsalt' => '1234',
  'secret' => '1234',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.timsstuff.eu',
  ),
  'datadirectory' => '/var/snap/nextcloud/common/nextcloud/data',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'mysql',
  'version' => '14.0.5.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/sockets/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '1234',
  'installed' => true,
  'instanceid' => '1234',
  'loglevel' => 2,
  'maintenance' => false,
);

The output of your Apache/nginx/system log in /var/log/____:
(nothing from today)

Nextcloud sits behind a reverse proxy; this is the Apache config for it:

<VirtualHost *:80>
    ServerName cloud.example.com

    # Automatic redirect to https, see https://wiki.apache.org/httpd/RedirectSSL
    Redirect / https://cloud.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.example.com

    SSLEngine on

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:40080/
    ProxyPassReverse / http://127.0.0.1:40080/

    # Fix the HTTP Authorization header so the Android app can login (https://github.com/nextcloud/server/issues/8956)
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

    # SSL certificate from Let's Encrypt
    SSLCertificateFile  /etc/letsencrypt/live/cloud.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.com/privkey.pem

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    SSLCertificateChainFile /etc/letsencrypt/live/cloud.example.com/fullchain.pem

</VirtualHost>

Turns out I just needed to restart the apache2 service that runs the reverse proxy (systemctl restart apache2) after adding these lines to the config. I’d done systemctl reload apache2, but apparently that’s not enough.
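
Added example, not part of the original post: a small Python check that each proxying VirtualHost in an Apache config file carries the three Authorization pass-through lines from the config above, with the RewriteCond directly before its RewriteRule. The function names, the sample text and the *:8443 vhost are constructed for illustration.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    """Return (name, args) for each directive line, skipping comments."""
    out = []
    for raw in body.splitlines():
        parts = raw.split(None, 1)
        if parts and not parts[0].startswith("#"):
            out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out

def passes_authorization(dirs):
    """True if RewriteEngine is on and the Authorization cond directly precedes its rule."""
    engine_on = any(n == "rewriteengine" and a.lower() == "on" for n, a in dirs)
    for (n1, a1), (n2, a2) in zip(dirs, dirs[1:]):
        if (n1 == "rewritecond" and a1.lower().startswith("%{http:authorization}")
                and n2 == "rewriterule"
                and re.search(r"\[[^\]]*\be=HTTP_AUTHORIZATION:%1", a2, re.I)):
            return engine_on
    return False

def audit(conf_text):
    """Map each VirtualHost address to 'ok', 'missing' or 'not-a-proxy'."""
    report = {}
    for addr, body in VHOST_RE.findall(conf_text):
        dirs = directives(body)
        proxied = any(n == "proxypass" for n, _ in dirs)
        status = "ok" if passes_authorization(dirs) else "missing"
        report[addr.strip()] = status if proxied else "not-a-proxy"
    return report

# Constructed sample modelled on the post's vhosts; the *:8443 vhost is a
# made-up copy without the rewrite lines, to show the failing case.
SAMPLE = """
<VirtualHost *:80>
    Redirect / https://cloud.example.com/
</VirtualHost>
<VirtualHost *:443>
    ProxyPass / http://127.0.0.1:40080/
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</VirtualHost>
<VirtualHost *:8443>
    ProxyPass / http://127.0.0.1:40080/
</VirtualHost>
"""
print(audit(SAMPLE))
```

A result of ok describes the file on disk only; as the post found, the running proxy can still need systemctl restart apache2 before it behaves accordingly.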