Allow accessing public shares with CORS #5
Comments
Don't you have logs in your Nextcloud admin console? Something like https://nx904.your-storageshare.de/settings/admin/logging |
where are you making this request? In a browser on your http://localhost:15755 webpage? |
curl hasn't the same restrictions as a web-browser |
Are you using web assembly to run the fetch? I've no idea what the browser restrictions are in that case... |
@pbek Thanks for the quick response! Logs are just empty, even with an admin account - hosting restrictions. For the questions:
I've also found a (hacky) workaround; the app I'm building (https://github.com/pojntfx/growlapse) uses a Go agent to export IoT image data to a WebDAV share, and I'm then trying to visualize this data with a WASM frontend. Using read-only guest users I was able to just share access to a guest user and have functionally the same effect (read-only access to a directory from the browser): https://github.com/pojntfx/growlapse/blob/main/docs/backend_nextcloud.md. A working version of my hacky workaround (using a read-only guest user; trying to access /; see the "Network" tab of your browser for the successful request): https://pojntfx.github.io/growlapse/?webDAVPassword=Growlapse&webDAVURL=https%3A%2F%2Fnx904.your-storageshare.de%2Fremote.php%2Fdav%2Ffiles%2Ffelix.pojtinger%40gmail.com%2F&webDAVUsername=felix.pojtinger%40gmail.com |
Like I said, I've no idea how CORS is handled inside WASM in a browser. And did you try the example from https://github.com/digital-blueprint/webapppassword#example? It also uses |
After all, CORS is something your web browser enforces, not the Nextcloud server. webapppassword only attempts to set some headers (hoping that Hetzner doesn't override them, you should see those preflight requests in your web inspector) that tell your browser that it is ok to let the request through when it is coming from a certain origin. |
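An added example (not part of the thread and not webapppassword's code): a simplified JavaScript model of the check a browser applies to the preflight reply before it sends a cross-origin `PROPFIND` carrying an `Authorization` header, which is the check `curl` never performs. The function names, the two sample replies and their header values are constructed for illustration, and the model assumes a non-credentialed request.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard),
// for a non-credentialed cross-origin fetch like the PROPFIND in this thread.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// request:  { origin, method, headers: [non-safelisted request header names] }
// response: { status, headers: { lowercased-name: value } } of the OPTIONS reply
function checkPreflight(request, response) {
  const h = response.headers;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { ok: false, reason: "origin not allowed: " + allowOrigin };
  }
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: "preflight status " + response.status };
  }
  const methods = parseList(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(request.method) &&
      !methods.includes(request.method) && !methods.includes("*")) {
    return { ok: false, reason: "method not allowed: " + request.method };
  }
  const allowed = parseList(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of request.headers.map((s) => s.toLowerCase())) {
    // "*" never covers Authorization; it must be listed by name.
    const wildcardOk = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !wildcardOk) {
      return { ok: false, reason: "header not allowed: " + name };
    }
  }
  return { ok: true, reason: "preflight passes" };
}

// Constructed sample data: the request from this thread and two possible replies.
const shareRequest = { origin: "http://localhost:15755", method: "PROPFIND", headers: ["Authorization"] };
const bareReply = { status: 200, headers: {} };
const corsReply = { status: 200, headers: {
  "access-control-allow-origin": "http://localhost:15755",
  "access-control-allow-methods": "PROPFIND",
  "access-control-allow-headers": "Authorization, Depth",
} };

console.log(checkPreflight(shareRequest, bareReply).reason);
console.log(checkPreflight(shareRequest, corsReply).reason);
```

Comparing the `reason` for a captured `OPTIONS` reply against the headers shown in the browser's network tab tells you which response header the server-side hook still has to emit for the public share endpoint.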
CORS inside WASM is the same as CORS w/o WASM, it simply binds to the DOM API - there should be no difference, and manually executing the request yields the same error. The command above is from the developer tools, not manually constructed by me - it's the request that Chrome sends. Removing the headers doesn't change anything, as you've already pointed out. The example you've given doesn't allow me to specify a user manually, but rather seems to use OAuth, which is not how the public share API works (Nextcloud wants the ID of the share as the username and no password) |
then what do you see in the network log of your browser? there should be response headers with |
username/password in https://github.com/digital-blueprint/webapppassword/blob/master/docs/example/index.html#L100 |
Thanks; setting it there doesn't seem to fix it though:

```js
const webdavUrl = "https://nx904.your-storageshare.de/public.php/webdav";
const headers = new Headers();
// Public share: the share ID is the username, the password is empty
headers.set('Authorization', 'Basic ' + btoa("wWfAA3sMSoyfgJB" + ":"));
fetch(webdavUrl + "/", {
  method: 'PROPFIND',
  cache: 'no-cache',
  headers: headers
})
```

Using the plain example works of course, but the WebDAV URL returned by the app is https://nx904.your-storageshare.de/remote.php/dav/files/felix.pojtinger--administrator/ which is of course not the public share one wants to access. Pasting davs://[email protected]/public.php/webdav into Nautilus' address field and using an empty password works and returns the read-only share. |
What are the response and request headers of those two red requests? |
Maybe you want to |
Thanks - just tried it out! Same result ("Access to fetch at 'http://localhost:8081/public.php/webdav/' from origin 'http://localhost:5000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."). Is this app set up to handle public shares? Basic auth and accessing them from
|
I haven't researched if public shares are handled differently. Maybe you can find a different hook (like in https://github.com/digital-blueprint/webapppassword/blob/master/lib/Connector/Sabre/CorsPlugin.php#L33) for public shares. |
I'll try my best! Haven't written PHP before so I'll see how it goes :) |
If all goes well you just need to write one line after https://github.com/digital-blueprint/webapppassword/blob/master/lib/Connector/Sabre/CorsPlugin.php#L33 to execute Good luck, have fun! 🥳 |
And you can develop directly with the docker container provided in https://github.com/digital-blueprint/webapppassword/tree/master/docker. ;) |
Alright, I've been able to set up the dev environment - |
Did you also check if https://github.com/digital-blueprint/webapppassword/blob/master/lib/Connector/Sabre/CorsPlugin.php#L58 is really executed for your request? |
I put an |
Explain the Problem
I'm trying to access a public WebDAV share as described in https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html#accessing-public-shares-over-webdav.
Steps to Reproduce
`http://localhost:15755,http://localhost:15755/`
`fetch` request with hash of share as username:
It works using plain `curl`:
System Information
Contents of nextcloud/data/nextcloud.log
Paste output here
(No access to logs, hosted by Hetzner)
Contents of Browser Error Console
Read http://ggnome.com/wiki/Using_The_Browser_Error_Console if you are unsure what to put here