Nextcloud version (using AIO): 29.0.2
Operating system and version: Rocky Linux 9.4
Before I did much deeper into the source code, I wanted to see if perhaps any expert Nextcloud devs know anything right off the top of their heads about this phenomenon. Barring this tiny but frustrating quirk, Nextcloud is working very well for us.
The all-things-WebDAV endpoint is https://myserver.com/remote.php/dav/.... My current deploy sees WebDAV traffic to this exact endpoint from three sources: the Nextcloud web portal itself (e.g. https://myserver.com/apps/contacts), Thunderbird, Roundcube, and an Android Phone.
When a request goes out from inside the Nextcloud portal, it contains the HTTP header field requesttoken: ... and the round trip takes 100ms.
When a request goes out from Thunderbird or Roundcube, it contains the HTTP header field Authorization: Basic ... and the round trip takes 600-800ms.
I haven’t dug into Android yet to see what the HTTP message looks.
600-800ms is a lot for a mundane request and while it doesn’t make WebDAV usage unbearable, it’s noticeably slow. My theory here is that because those WebDAV messages bearing the Authorization Basic header field contain a username and password, the entire authentication flow has to run for each and every single one of those messages. Since I’m using LDAP to manage users on this deploy, these messages are suffering from the combined latency of proxying the credentials to LDAP and awaiting authentication on the LDAP server itself.
All that said:
- Is this theory correct?
- If it isn’t, what are other possible offenders?
- If it is, how can I make external clients not use the Authorization Basic header field? Shouldn’t there be support for Authorization Bearer?