Nextcloud version: 12.0.1
Operating system and version: Ubuntu 16.04
What am I trying to do:
Our remote support team can run scripts at our clients. What we want to do is run a tool that creates a log file (and zips it) and upload that to our Nextcloud installation. To do so I created a new directory “test” and created a shared link which allows uploading of files (no read permissions).
The issue you are facing:
Following the process of a file upload through the proxy service Burp Suite, I noticed the web interface uses a PUT request to place a file in the directory through WebDAV. Now I am trying to replicate the request in our script with curl with the following command:
After checking my captured request I noticed it includes both a requesttoken and an Authorization Basic header. Reading the server reply I noticed it sends a requesttoken upon loading the shared URL:
"<head data-requesttoken="3rYm[...]XmvX8g=">".
That solved 1 part of the requirements, however since the script will run on untrusted PCs owned by customers we do not want to send a username/password for basic authentication. Searching on Google resulted in this GitHub thread explaining the requesttoken should be used as the password of the basic authentication. But no matter how I try to set the requesttoken as part of the Authorization header, the server keeps replying with either
"No 'Authorization: Basic' header found."
or
"Username or password was incorrect, No 'Authorization: Bearer' header found."
The output of your Nextcloud log in Admin > Logging:
It seems like we are requesting a similar feature, with the minor difference that the files we need to upload are only a few kB in size. This means installing a Nextcloud client (or portable one) to our customers is a huge overhead and the need to pause/resume uploads is almost non-existent.
As the GitHub link in my previous post indicates, it should be possible with the current setup to upload files to the WebDAV with the requesttoken, I just can’t seem to get it working.
I partially solved the issue by using the public.php WebDAV instead of remote.php, changing this error:
"Username or password was incorrect, No 'Authorization: Bearer' header found."
I managed to succeed in uploading files through my own custom script by adding the “X-Request-With” header. This makes the final curl command something like:
-u is the parameter for the “Authorization: Basic” header where the username is the final part of the share link created by Nextcloud. This makes sure the file gets uploaded to the correct directory.
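The upload described in the post above, as an added example (not the poster's own script): the share token is the Basic-auth username with an empty password, so no account credentials are stored on the customer PC. Assumptions: share links end in `/s/<token>`, the header is sent as `X-Requested-With: XMLHttpRequest`, and `cloud.example.com` plus all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: PUT one file into an upload-only Nextcloud public share.

# Token = final path segment of the share link (query string and trailing slash dropped).
share_token() {
  st_link="${1%%\?*}"
  st_link="${st_link%/}"
  printf '%s\n' "${st_link##*/}"
}

# Server base URL = everything before /s/<token>, without an optional /index.php.
share_base() {
  sb_link="${1%%/s/*}"
  printf '%s\n' "${sb_link%/index.php}"
}

# Build the public.php WebDAV target URL; refuse plain HTTP links and file
# names that would need URL-encoding or could alter the request path.
upload_url() {
  case "$1" in
    https://*/s/?*) ;;
    *) echo "not an HTTPS share link: $1" >&2; return 1 ;;
  esac
  uu_name="$(basename "$2")"
  case "$uu_name" in
    *[!A-Za-z0-9._-]*) echo "unsafe file name: $uu_name" >&2; return 1 ;;
  esac
  printf '%s/public.php/webdav/%s\n' "$(share_base "$1")" "$uu_name"
}

# Perform the upload. --fail makes curl exit non-zero on an HTTP error
# status, so the calling support script can detect a rejected upload.
upload_to_share() {
  us_url="$(upload_url "$1" "$2")" || return 1
  curl --fail --silent --show-error \
    -u "$(share_token "$1"):" \
    -H 'X-Requested-With: XMLHttpRequest' \
    -T "$2" "$us_url"
}

# Usage: ./upload.sh https://cloud.example.com/s/AbCdEf123 support-log.zip
if [ "$#" -eq 2 ]; then
  upload_to_share "$1" "$2"
fi
```

Because the share is upload-only, a token recovered from the script on a customer machine allows dropping files into that one directory but not listing or reading what others uploaded.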
Here is what is returned by curl.
Do I have something misconfigured? Regular (user/password) uploads work fine.
I am a little above my head here, and could use some help tracking this down further.