2024-10-30 - Android Joplin Profiles NextCloud Issue #11292

Open
CoffeeHT opened this issue Oct 30, 2024 · 4 comments
Labels
android bug It's a bug high High priority issues sync sync related issue

Comments

@CoffeeHT

Operating system

Android

Joplin version

Joplin 3.0.8 (prod, android)

Desktop version info

No response

Current behaviour

Forked from https://discourse.joplinapp.org/t/2024-10-03-status-of-the-joplin-profiles-nextcloud-issue/41181/2?u=coffee

As has been known since September 2023, there is an issue between the Android app Joplin with multiple profiles and NextCloud.
There have already been several Discourse dialogues and #9283 about this.
Thanks to roman_r_m, it now seems clear how the problem can be solved in the code of the Android Joplin app.

I only did a quick check but it seemed that deleting cookies before every request has solved the issue. Someone still needs to implement the fix properly, unfortunately I don't have the time to do it myself at this time.

https://discourse.joplinapp.org/t/nextcloud-sync-fails-on-all-but-the-default-profile/38515/18
https://discourse.joplinapp.org/t/nextcloud-sync-fails-on-all-but-the-default-profile/38515/30

Expected behaviour

Both profiles (A-user and B-user) can be easily connected to the same Joplin Android app. Switching between the profiles is possible without any problems.

Logs

No response

@CoffeeHT CoffeeHT added the bug It's a bug label Oct 30, 2024
@personalizedrefrigerator
Collaborator

personalizedrefrigerator commented Nov 21, 2024

I'm quoting a forum post that includes alternate reproduction steps:

I suspect there's some bug in how Joplin handles cookies on Android. I am seeing issues even without 2 profiles like this:

  1. start with a clean state
  2. enter nextcloud details and press "Check Synchronization Configuration"
  3. now without leaving the screen change the details to another user on the same server
  4. check configuration succeeds but when you try to actually sync NC returns "permission denied"

I think some cookie specific to a particular nextcloud account gets saved on step 2 and then incorrectly used for all subsequent steps for a different account.

Notes:

  • So far, I've only attempted to reproduce the issue with different profiles associated with the same Nextcloud account. In particular, I most recently tested with an Android 12 emulator:
    • Nextcloud provider: thegood.cloud
    • Number of profiles: 2
    • Same account on both profiles.
    • Only 1-2 resources, 1-2 notes.
  • It's possible for Nextcloud to use HTTP cookies for authentication:

    All requests need to provide authentication information, either as a Basic Auth header or by passing a set of valid session cookies.

  • React Native's fetch documentation includes the following comment about cookie-based authentication:

    Cookie based authentication is currently unstable. You can view some of the issues raised here: Cookie based authentication issues aggregation facebook/react-native#23185

@personalizedrefrigerator personalizedrefrigerator added android sync sync related issue high High priority issues labels Nov 21, 2024
@CoffeeHT
Author

CoffeeHT commented Nov 21, 2024

  • different profiles associated with the same Nextcloud account

The problem occurs when different accounts are accessed on the same NextCloud instance.

I have a Nextcloud instance since 2023 just for analysing this issue:
https://nextcloud.joplin-android-profile-bug-2023.de

If you are interested in this test environment, I can give you the access data for the two users A-User and B-User in a PM.

@CoffeeHT
Author

CoffeeHT commented Nov 25, 2024

My view of things - as of 2024-11-25

Joplin itself does not use cookies.

On Android, Joplin brings in the case of NextCloud / WebDAV an external software component ‘underlying network library’ that still sets at least one cookie when starting - see statement here.

NextCloud apparently also uses cookies, for example to enable Collabora to control the simultaneous editing of the same document by different accounts. To do this, the rights of a cookie owner and the rights of a WebDAV ID must somehow be logically linked.

When Joplin is completely restarted on Android, e.g. after a reboot of Android, a new cookie is presumably set by the ‘underlying network library’. Suppose Joplin is completely restarted with the rights of user A. The cookie generated by the ‘underlying network library’ by default is linked by NextCloud to the rights of the A user.

When Joplin is restarted after changing the Joplin profile – let's say to the B user profile – that software component will set no new cookie matching the rights of the newly selected B user ID. The cookie of the first A user remains. The rights of the A user's cookie do not match the rights of the B user in the file system. Therefore, an error occurs.

If this theory is correct, it should perhaps be sufficient for Joplin on Android, although it does not use cookies itself, to use a command to delete all active cookies - see statement here.

personalizedrefrigerator added a commit to personalizedrefrigerator/joplin that referenced this issue Nov 25, 2024
…ookies on Android

Note: An alternative, as suggested on the linked issue, might be to
allow users to manually delete all cookies (e.g. under advanced
settings). This, however, is more complicated (may require either
Android-specific native code or adding a library).
@personalizedrefrigerator
Collaborator

personalizedrefrigerator commented Nov 25, 2024

I've created a test APK with a possible fix.

In this version, credentials: 'omit' is added as an option when fetching data from Nextcloud. This should prevent React Native from sending authentication cookies to Nextcloud and other WebDAV providers.

In reference to authentication, the Nextcloud documentation states (emphasis added):

All requests need to provide authentication information, either as a basic auth header or by passing a set of valid session cookies.
https://docs.nextcloud.com/server/latest/developer_manual/client_apis/WebDAV/basic.html

Joplin includes an Authorization header with requests to WebDAV servers (a "basic auth header"), so, based on the line above, "valid session cookies" should not be necessary.
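
The cookie-leak hypothesis from this thread and the effect of `credentials: 'omit'`, as an added example that is not part of the issue or of Joplin's code. It is a constructed simulation: the toy server prefers a session cookie over the Basic auth header (an assumption taken from the hypothesis above), the toy client shares one cookie jar across profiles, and `toyServer`, `toyFetch`, `syncAs` and `runScenario` are hypothetical names.

```javascript
// Constructed simulation; not Joplin, React Native or Nextcloud code.
const sessions = new Map(); // session id -> account that created it
let nextSessionId = 1;

// Toy server. Assumption (the thread's hypothesis): a valid session cookie
// takes precedence over the Basic auth header. Passwords are not checked here.
function toyServer(request) {
  const basic = (request.headers.Authorization || '').replace('Basic ', '');
  const basicUser = Buffer.from(basic, 'base64').toString().split(':')[0];
  const cookieUser = sessions.get(request.headers.Cookie);
  const actingUser = cookieUser || basicUser;
  if (!actingUser) return { status: 401, headers: {} };
  // Paths look like /files/<account>/...; only the owner may access them.
  if (request.path.split('/')[2] !== actingUser) return { status: 403, headers: {} };
  const headers = {};
  if (!cookieUser) {
    const id = `sid${nextSessionId++}`;
    sessions.set(id, actingUser);
    headers['Set-Cookie'] = id;
  }
  return { status: 207, headers };
}

// Toy client with one cookie jar for the whole app, shared by every profile.
const cookieJar = { value: null };
function toyFetch(path, options) {
  const headers = { ...options.headers };
  const useCookies = options.credentials !== 'omit'; // 'omit': never send or store cookies
  if (useCookies && cookieJar.value) headers.Cookie = cookieJar.value;
  const response = toyServer({ path, headers });
  if (useCookies && response.headers['Set-Cookie']) cookieJar.value = response.headers['Set-Cookie'];
  return response.status;
}

function syncAs(user, password, extraOptions) {
  const auth = 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
  return toyFetch(`/files/${user}/Joplin/`, { headers: { Authorization: auth }, ...extraOptions });
}

// Sync profile A, then profile B, starting from an empty jar.
function runScenario(extraOptions = {}) {
  cookieJar.value = null;
  sessions.clear();
  return [syncAs('A-user', 'pw-a', extraOptions), syncAs('B-user', 'pw-b', extraOptions)];
}

console.log('default credentials:', runScenario());
console.log("credentials: 'omit':", runScenario({ credentials: 'omit' }));
```

With the shared jar, the second profile's request carries the first account's session and is denied; with cookies omitted, each request is authorized only by its own Basic auth header.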
