Nextcloud version: 12.0.1
Operating system and version: Ubuntu 16.04
What am I trying to do:
Our remote support team can run scripts at our clients. What we want to do is run a tool that creates a log file (and zips it) and upload that to our Nextcloud installation. To do so I created a new directory “test” and created a shared link which allows uploading of files (no read permissions).
The issue you are facing:
Following the process of a file upload through the proxy service Burp Suite, I noticed the web interface uses a PUT request to place a file in the directory through WebDAV. Now I am trying to replicate the request in our script with curl, using the following command:
"curl -T logfile.zip https://nextcloud.example.com/public.php/webdav/test/logfile.zip".
Which gives me an error about the authentication:
"No 'Authorization: Basic' header found."
After checking my captured request I noticed it includes both a requesttoken and an Authorization Basic header. Reading the server reply I noticed it sends a requesttoken upon loading the shared URL:
"<head data-requesttoken="3rYm[...]XmvX8g=">".
That solved one part of the requirements; however, since the script will run on untrusted PCs owned by customers, we do not want to send a username/password for basic authentication. Searching on Google resulted in this GitHub thread explaining that the requesttoken should be used as the password of the basic authentication. But no matter how I try to set the requesttoken as part of the Authorization header, the server keeps replying with either
"No 'Authorization: Basic' header found."
or
"Username or password was incorrect, No 'Authorization: Bearer' header found."
The output of your Nextcloud log in Admin > Logging:
Warning core Login failed: 'DDxH8o4riP5hy1swONqDNanwqzqd8FiVmu6d8UAAxH4=' (Remote IP: 'xx.xx.xx.xx')