CSRF check not passed when creating folder using API

I have written an application to help me migrate thousands of files from another system into our Nextcloud.

This sometimes works, and sometimes I get CSRF check not passed. errors. These errors do not appear in my nextcloud.log, but are passed back to my application.

Here are the details of what I am sending and receiving:

Method: MKCOL, RequestUri: 'https://<my cloud server>/remote.php/dav/files/<user>/<folder1>/<folder2>'
{
  Authorization: Basic <auth string>
  OCS-APIRequest: true
  Accept: application/json
  Accept: text/html
  Accept: */*
  User-Agent: BasecampGatewayLive
}:
StatusCode: 401, ReasonPhrase: 'Unauthorized', Headers:
{
  Date: Thu, 16 Jan 2020 14:38:08 GMT
  Server: Apache/2.4.38
  Server: (Debian)
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Referrer-Policy: no-referrer
  X-Content-Type-Options: nosniff
  X-Download-Options: noopen
  X-Frame-Options: SAMEORIGIN
  X-Permitted-Cross-Domain-Policies: none
  X-Robots-Tag: none
  X-XSS-Protection: 1; mode=block
  Cache-Control: no-store, must-revalidate, no-cache
  Pragma: no-cache
  Content-Security-Policy: default-src 'none';
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Content-Length: 222
  Content-Type: application/xml; charset=utf-8
}
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>CSRF check not passed.</s:message>
</d:error>

Can someone explain what I have to do to prevent this happening?

Note that I have removed individual user and folder names, and other info. The user and folder1 above exist. The authorisation string is OK (works elsewhere).

Are you able to provide a example how to reproduce? I’m not sure why the code takes this path for your request.

cc @rullzer any idea?

Thanks for getting back.

I guess I could write some code to reproduce the problem on our server. Of course, the code would then reveal the admin name and password on our server, which might not be a good idea. (The auth string contains the admin name and password.)

If I could find where the check happens, I could perhaps help debug it, but I don’t know that.

1 Like

I’ve been looking at the code, and requiresCSRFCheck is true for all POSTs.

So the question becomes what do I have to do in my code in order to pass the CSRF check? Is this documented anywhere?

I tried debugging this, printing a stack trace when this function is called - all that did was make php run out of memory.

Surely this function should not be called for API functions that have the login information in the authentication header?

Please, please, can someone tell me how to format my requests dso they PASS CSRF checks? I haven’t found ANY documentation on this so far!

That seems to be wrong yes.

PASS CSRF checks? I haven’t found ANY documentation on this so far!

As workaround I would try to tell the Nextcloud server that I’m a official client :wink: To debug this further could you validate that the request also fails with curl and if so share the curl command? Also Nextcloud’s “dav implementation” has some strange oddities like requiring cookies. It’s actually stateless but Nextcloud sometimes expects some cookies to be set.