Login with iOS client 6.2.2, 6.2.3 and server 31.0.0 RC2 does not work

Yesterday I noticed I was logged out of the iOS app. When I tried to log in again, it didn’t work.

What I do in the iOS app:

  • Enter instance address on the first login screen
  • Embedded browser opens
  • I authenticate there by entering login and password (on subsequent tries it is already authenticated, possibly by cookie)
  • “Account access” page appears, I press “Grant access”
  • “Account connected” page appears with text “Your client should now be connected! You can close this window.”
  • If I open Personal settings → Security in the Nextcloud web interface, I see that a new token appeared: Nextcloud/6.2.2 (it.twsweb.Nextcloud; build:3; iOS 18.1.1) Alamofire/5.10.2
  • I close embedded browser in iOS app by pressing “Done” in top left corner
  • First login screen appears again with spinning indicator in URL bar, it stays spinning without continuing to the next stage

By recording HTTP requests, I see the following:

  • GET /status.php, response is ok
  • POST /index.php/login/v2, response is ok with body:
    {
        "poll": {
            "token": "osv7x7IRHb6mM0lKdwmOT0wJzpME9F4EbO8LaVMAGMLNPUuFv8DoC2xgd4Ax9Epl0CmhW93eTcJfrbfhCkTUP6TVW8m5imqEgmjfhan0zP5jEWswkYgBuqfAsvvKd4sf",
            "endpoint": "http://(...hostname...)/index.php/login/v2/poll"
        },
        "login": "http://(...hostname...)/index.php/login/v2/flow/TfmGtEBWxZER9jQf5g1cSpFDko88LRlTqAnMwtkXW5MM6KZjyGjHqAeezfhYf27ovI53zk0751oN71OE7k1gPi70VNVHzHp0o9B4CfyHLdGfsJooUoYriLaAnKInd8v3"
    }
    
  • POST /index.php/login/v2/poll?token=osv7x7IRHb6mM0lKdwmOT0wJzpME9F4EbO8LaVMAGMLNPUuFv8DoC2xgd4Ax9Epl0CmhW93eTcJfrbfhCkTUP6TVW8m5imqEgmjfhan0zP5jEWswkYgBuqfAsvvKd4sf, response is 404 with [] body

This poll request continues periodically during the browser login session, with the same request and response.

Then, the following requests are made by the embedded web browser, not the client itself:

  • GET /index.php/login/v2/flow/TfmGtEBWxZER9jQf5g1cSpFDko88LRlTqAnMwtkXW5MM6KZjyGjHqAeezfhYf27ovI53zk0751oN71OE7k1gPi70VNVHzHp0o9B4CfyHLdGfsJooUoYriLaAnKInd8v3 HTTP/1.1
    • response is redirect to /nextcloud/index.php/login/v2/flow?user=&direct=0 with Set-Cookie: ocgqsrv0aj8b=0hj6krko7aurgvdg89ev8oqt3l; path=/nextcloud; HttpOnly; SameSite=Lax
  • GET /index.php/login/v2/flow?user=&direct=0 HTTP/1.1 - 200 OK, login and password page
  • POST /index.php/login/v2/grant - 200 OK, “Account connected, you can close this window” page.
    • Form data:
    requesttoken: 3N5MqEDtiZPHJu2RXn8EVjOKb3qMmGnqZO9NxoV+kcs=:mIglnDeY4LiKSbeoJkhvLnD9OzG14jmkHKZ4j8A18KA=
    stateToken:   az5y9RpDCYkYy0Lr0ucgBhTJnT5844eBBAcweIQ4MJJwe7RoLqhpPR3DMAkkyUuw
    

Here the browser window is closed; the following requests are made by the client itself:

  • GET /ocs/v2.php/cloud/user with Authorization: Basic
    Response is 401 Unauthorized with body:
    {
        "ocs": {
            "meta": {
                "status": "failure",
                "statuscode": 997,
                "message": "Current user is not logged in"
            },
            "data": []
        }
    }
    
  • POST /index.php/login/v2/poll?token=osv7x7IRHb6mM0lKdwmOT0wJzpME9F4EbO8LaVMAGMLNPUuFv8DoC2xgd4Ax9Epl0CmhW93eTcJfrbfhCkTUP6TVW8m5imqEgmjfhan0zP5jEWswkYgBuqfAsvvKd4sf continues periodically, with no further requests, with 404 response

No errors in server log.

Recently, iOS client 6.2.3 was released; I tried it and got the same behavior, except that it uses external Safari instead of the built-in web browser to log in.

Update: updated to 31.0.0 RC2, having the same behavior

Logging in with app passwords also does not work.

  • Create app password at index.php/user/security in web browser
  • It shows:
    • Login: test
    • Password: HQmTE-DGQQR-aTzES-xxrbt-FX9Zf
    • QR code with encoded string: nc://login/user:test&password:HQmTE-DGQQR-aTzES-xxrbt-FX9Zf&server:http://zubat.local:8083/nextcloud
  • Scan QR code with iOS app
  • App shows “Current user is not logged in”

Server 31.0.0 beta 5, iOS client 6.2.3

Full request:

GET /nextcloud/ocs/v2.php/cloud/user HTTP/1.1
Host: zubat.local:8083
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: br;q=1.0, gzip;q=0.9, deflate;q=0.8
Connection: keep-alive
Accept: application/json
User-Agent: Mozilla/5.0 (iOS) Nextcloud-iOS/6.2.3
Authorization: Basic dGVzdDpIUW1URS1ER1FRUi1hVHpFUy14eHJidC1GWDlaZg==
OCS-APIRequest: true
Accept-Language: en-RU;q=1.0, ru-RU;q=0.9


HTTP/1.1 401 Unauthorized
Date: Wed, 22 Jan 2025 09:19:36 GMT
Server: Apache/2.4.62 (Unix) mod_fcgid/2.3.9
X-Powered-By: PHP/8.3.15
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: XbPRAq5rhBpCt2nlM9Ng
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
X-Robots-Tag: noindex, nofollow
Set-Cookie: oc_sessionPassphrase=yXiExRghElCGdSCpndM3eSNgc6ahvohyDpqGr1QSIoRoYWTkrDGTd%2BWa3HSwy6MgqEX3k1tijLGK%2BIr80gmHtdHCShqdnfgJQ84czEq8v3JBZ5ejtMNFtS0pvbQmPgNs; path=/nextcloud; HttpOnly; SameSite=Lax
Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ocgqsrv0aj8b=slim93tc9vf78841npg7dpmgr0; path=/nextcloud; HttpOnly; SameSite=Lax
Content-Length: 106
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

{"ocs":{"meta":{"status":"failure","statuscode":997,"message":"Current user is not logged in"},"data":[]}}

But authenticating with the same app password in WebDAV works:

PROPFIND /nextcloud/remote.php/dav/files/test/ HTTP/1.1
User-Agent: cadaver/0.26 neon/0.34.0
Connection: TE
TE: trailers
Host: zubat.local:8083
Depth: 1
Content-Length: 288
Content-Type: application/xml
Authorization: Basic dGVzdDpIUW1URS1ER1FRUi1hVHpFUy14eHJidC1GWDlaZg==

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>

HTTP/1.1 207 Multi-Status
Date: Wed, 22 Jan 2025 09:46:29 GMT
Server: Apache/2.4.62 (Unix) mod_fcgid/2.3.9
X-Powered-By: PHP/8.3.15
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none';
Vary: Brief,Prefer
DAV: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-paginate, nextcloud-checksum-update, nc-calendar-search, nc-enable-birthday-calendar
X-Request-Id: jaNsGYXnjmJyWaWnTbtf
X-Debug-Token: jaNsGYXnjmJyWaWnTbtf
Set-Cookie: oc_sessionPassphrase=%2FURk1%2FEtF3f8OGGeWkP5pV1UHTyeQhkGImlhyxF3gXvj00RFpZPesehQr429qKGQBrbCeCbxyhxJoPAYt0bszv5DBXVpbZlOAZsjSGAfVU85hHfHiUPHLOgxOWUg7%2FW1; path=/nextcloud; HttpOnly; SameSite=Lax
Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ocgqsrv0aj8b=fvneq6n3vvfpcjin90dolip2b7; path=/nextcloud; HttpOnly; SameSite=Lax
Transfer-Encoding: chunked
Content-Type: application/xml; charset=utf-8

<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns"><d:response><d:href>/nextcloud/remote.php/dav/files/test/</d:href><d:propstat><d:prop><d:getlastmodified>Wed, 22 Jan 2025 09:13:07 GMT</d:getlastmodified><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getcontentlength/><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Documents/</d:href><d:propstat><d:prop><d:getlastmodified>Wed, 22 Jan 2025 09:13:05 GMT</d:getlastmodified><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getcontentlength/><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Nextcloud%20Manual.pdf</d:href><d:propstat><d:prop><d:getcontentlength>12975698</d:getcontentlength><d:getlastmodified>Wed, 22 Jan 2025 09:13:05 GMT</d:getlastmodified><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Nextcloud%20intro.mp4</d:href><d:propstat><d:prop><d:getcontentlength>3963036</d:getcontentlength><d:getlastmodified>Wed, 22 Jan 2025 09:13:06 GMT</d:getlastmodified><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not 
Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Nextcloud.png</d:href><d:propstat><d:prop><d:getcontentlength>50598</d:getcontentlength><d:getlastmodified>Wed, 22 Jan 2025 09:13:05 GMT</d:getlastmodified><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Photos/</d:href><d:propstat><d:prop><d:getlastmodified>Wed, 22 Jan 2025 09:13:07 GMT</d:getlastmodified><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getcontentlength/><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Readme.md</d:href><d:propstat><d:prop><d:getcontentlength>197</d:getcontentlength><d:getlastmodified>Wed, 22 Jan 2025 09:13:06 GMT</d:getlastmodified><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Reasons%20to%20use%20Nextcloud.pdf</d:href><d:propstat><d:prop><d:getcontentlength>976625</d:getcontentlength><d:getlastmodified>Wed, 22 Jan 2025 09:13:06 GMT</d:getlastmodified><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not 
Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Templates/</d:href><d:propstat><d:prop><d:getlastmodified>Wed, 22 Jan 2025 09:13:06 GMT</d:getlastmodified><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getcontentlength/><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/nextcloud/remote.php/dav/files/test/Templates%20credits.md</d:href><d:propstat><d:prop><d:getcontentlength>2403</d:getcontentlength><d:getlastmodified>Wed, 22 Jan 2025 09:13:06 GMT</d:getlastmodified><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><x1:executable xmlns:x1="http://apache.org/dav/props/"/><d:checked-in/><d:checked-out/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response></d:multistatus>

I see files in the WebDAV client. Note that the Authorization header value is the same for WebDAV and the OCS v2 endpoint used by the Nextcloud iOS app.

Most OCS endpoints on my 31.0.0 RC2 installation do not accept an application password with basic authentication:

/cloud/user used by iOS app for the first request after getting application password from QR code:

$ curl -u test:HQmTE-DGQQR-aTzES-xxrbt-FX9Zf http://zubat.local:8083/nextcloud/ocs/v2.php/cloud/user -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>failure</status>
  <statuscode>997</statuscode>
  <message>Current user is not logged in</message>
 </meta>
 <data/>
</ocs>

/cloud/users/USERNAME:

$ curl -u test:HQmTE-DGQQR-aTzES-xxrbt-FX9Zf http://zubat.local:8083/nextcloud/ocs/v1.php/cloud/users/test -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>failure</status>
  <statuscode>997</statuscode>
  <message>Current user is not logged in</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data/>
</ocs>

/apps/files_sharing/api/v1/shares:

$ curl -u test:HQmTE-DGQQR-aTzES-xxrbt-FX9Zf http://zubat.local:8083/nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>failure</status>
  <statuscode>997</statuscode>
  <message>Current user is not logged in</message>
 </meta>
 <data/>
</ocs>

The capabilities endpoint /cloud/capabilities works, but it seems that it works because it does not require authentication:

$ curl -u test:HQmTE-DGQQR-aTzES-xxrbt-FX9Zf http://zubat.local:8083/nextcloud/ocs/v1.php/cloud/capabilities -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>100</statuscode>
  <message>OK</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data>
  <version>
   <major>31</major>
   <minor>0</minor>
   <micro>0</micro>
   <string>31.0.0 RC1</string>
...
 </data>
</ocs>

With the same result without -u

Update: updated for RC2, the same was for RC1
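
An added example, not part of the thread and not Nextcloud's own code: it parses the QR string from the app-password post, rebuilds the Basic header the client sends, and reads the OCS status out of the JSON and XML bodies shown above to classify the symptom. The function names and the classification strings are made up for this illustration; the sample values are copied from the posts.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Values copied from the thread (test instance and app password as posted).
QR = ("nc://login/user:test&password:HQmTE-DGQQR-aTzES-xxrbt-FX9Zf"
      "&server:http://zubat.local:8083/nextcloud")
JSON_BODY = ('{"ocs":{"meta":{"status":"failure","statuscode":997,'
             '"message":"Current user is not logged in"},"data":[]}}')
# Same envelope as the curl output in the thread, with whitespace removed.
XML_BODY = ('<?xml version="1.0"?><ocs><meta><status>failure</status>'
            '<statuscode>997</statuscode><message>Current user is not logged in'
            '</message></meta><data/></ocs>')

def parse_login_qr(qr):
    """Split nc://login/user:U&password:P&server:S into (user, password, server)."""
    prefix = "nc://login/"
    if not qr.startswith(prefix):
        raise ValueError("not an nc://login string")
    # Partition on the first ':' only, so the server URL keeps its own colons.
    fields = dict(part.partition(":")[::2] for part in qr[len(prefix):].split("&"))
    return fields["user"], fields["password"], fields["server"]

def basic_header(user, password):
    """Authorization header value a client derives from the QR credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def ocs_meta(body):
    """Return (status, statuscode) from an OCS envelope, JSON or XML."""
    text = body.strip()
    if text.startswith("{"):
        meta = json.loads(text)["ocs"]["meta"]
        return meta["status"], int(meta["statuscode"])
    meta = ET.fromstring(text).find("meta")
    return meta.findtext("status"), int(meta.findtext("statuscode"))

def diagnose(observations):
    """observations: (api, http_status, body) tuples, api is 'dav' or 'ocs'."""
    dav_ok = any(api == "dav" and code == 207 for api, code, _ in observations)
    ocs_denied = any(api == "ocs" and code == 401 and ocs_meta(body)[1] == 997
                     for api, code, body in observations)
    if ocs_denied and dav_ok:
        return "credential accepted by WebDAV, rejected by OCS"
    if ocs_denied:
        return "credential rejected; WebDAV not confirmed"
    return "no OCS rejection observed"

# Status codes as recorded in the thread; the DAV body is omitted here.
OBSERVED = [("dav", 207, ""), ("ocs", 401, JSON_BODY)]

if __name__ == "__main__":
    user, password, server = parse_login_qr(QR)
    print(server, basic_header(user, password))
    print(diagnose(OBSERVED))
```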

Hi @my_melody_93 - Looks like a thorough enough analysis to be worth reporting as a possible bug! Since v31 is in the final stages of the new release cycle, I encourage you to report formally via https://github.com/nextcloud/server/issues

Great analysis work!

Created issue: [Bug]: Can't login from iOS client app · Issue #50619 · nextcloud/server · GitHub

I reproduced this on a fresh Nextcloud server install this time.
