[BUG] Webdav Storage Browser: No Files or Folders Found - On Nextcloud AIO Server

[chriswayg]

Preliminaries
I have ensured that:

• I am running the latest version of Strongbox on the App Store by searching for Strongbox and clicking into it to see the Update button (or not)
• I have performed a full restart of my device no matter how annoying that is

Versions
On macOS (please complete the following information):

• OS: macOS Sequoia 15.1

On iOS (please complete the following information):

• Device: iPhone 15 Pro
• OS: 18.1.1

Strongbox Version

• Version: Mobile ProVersion 1.60.26
• Version: Desktop ProVersion 1.60.26

Describe the bug
It's a reproducible bug. I have tested it on different standard installs of Nexcloud (including Digital Ocean Nextcloud AIO) and on different macOS user accounts as well as different Mac computers. I have also deleted and reinstalled Nextcloud.

As soon as I try to add a Keepass database from a second user from the same Nextcloud Webdav server with a second Webdav connection, it fails as shown below. If I start with UserC, then UserA will fail. If I start with UserA, then UserC will fail.

I can add multiple Keepass databases for the same user, with the same Webdav connection and it works. But a second (and third, ...) Webdav connection connecting to different users on the same Nextcloud server always fails as described below with "No Files or Folders Found"!

To Reproduce
When trying to add an existing database on Strongbox for macOS as well as on Strongbox for iOS, the storage browser does not show any files. I have confirmed that the Webdav connection works properly with other apps. Please help fix this, as I have been trying to get this working for hours! As a result, I cannot connect to the Keepass database for another user.

I am also using an almost identical connection with another username (UserC) on the same Nextcloud server successfully on Strongbox (macOS & iOS).

Here is what I see on the desktop for UserA:

• Database Manager - Add Existing - Webdav - Select Webdav
• I select my Webdav connection for that user

On iOS it additionally shows: "No Files or Folders Found"!

What I expect to see can be seen with the Webdav connection to UserC:

The connection for UserC (working) looks basically identical to UserA (not showing any file):

Test Connection & Save shows no errors. No other errors are shown.

I have tested and confirmed that my Webdav connection to Nextcloud works reliably on Keepass2Android and CloudMounter for macOS! All files and folders are shown correctly in these apps.

TOTP is disabled and I have tried with both the main passwords and the relevant app password.

No error is shown in the Nextcloud logs either.

---

I tried numerous variations and combinations of webdav paths:

The official pattern provided by the Nexcloud UI is:

https://my.server.net/remote.php/dav/files/userc
https://my.server.net/remote.php/dav/files/usera

This pattern produced the results above, with no folders shown for the second user (usera in this case).

The following type of paths are accepted by Nextcloud and lead to the correct folder when using CloudMounter on macOS:

1. Short general path
   https://my.server.net/remote.php/webdav

Strongbox opens the wrong folder for UserC, even though it is authenticating for UserA, while CloudMounter opens the correct folder

2. Added username

https://my.server.net/remote.php/dav/files/userc
https://[email protected]/remote.php/dav/files/usera

No Files or Folders shown in Strongbox

3. Added username and password

https://my.server.net/remote.php/dav/files/userc
https://usera:[email protected]/remote.php/dav/files/usera

Not a safe configuration. Still no Files or Folders shown in Strongbox.

4. Various invalid paths

https://my.server.net/remote.php/dav
https://my.server.net/remote.php/dav/files/
https://my.server.net/remote.php/dav/files/usera/sdata
https://my.server.net/remote.php/dav/files/usera/sdata/usera.kbdx

All of these either list the wrong folders, cause errors or are rejected by Strongbox Webdav Connections Manager as well as by CloudMounter.

My conclusion is, that Strongbox has some serious bugs in its implementation of the Webdav protocol.

---

Expected behavior
That I can create Webdav connections for User A, B,... without errors. That the webdav file-browser will show the files belonging to the second and third user on the same Nextcloud server.

Screenshots & Recordings
See here: https://www.reddit.com/r/strongbox/comments/1hcgi04/webdav_storage_browser_no_files_or_folders_found/

Additional context
The reply by Strongbox Mark was:

Hi u/ChrisWayg, you're right this is a bug. You're running into an known issue with multiple users pointing to the same host. The library we are using is a little old and relies on an older Apple technology for http connections. The problem lies therein. The underlying library does not support multiple users on the same host.

There is a workaround that might help you and that is to use your hosts file or DNS configuration to give the server a different name/alias. Once the name is different the library stores the credentials separately and you can use multiple users.

I'm not sure if you have access to the DNS config and could add an alias for the host, or if you can do this at the hosts level on your device.

Other than that, this is on our radar but it's we haven't been able to schedule time to fix.

[chriswayg]

In the meantime, I gave up on using Nextcloud with Strongbox. I initially tested Nginx with the Webdav module and multiple subdomains, and it works with Strongbox even with all users on one subdomain.

I eventually decided on WsgiDAV behind a Nginx reverse proxy, as WsgiDAV has a more complete implementation of WebDAV standards. This is what I am using now with multiple users on one subdomain with their own folder paths:

https://webdav.mysite.net/usera
https://webdav.mysite.net/userb
https://webdav.mysite.net/userc

This works fine with Strongbox on macOS and iOS.

[strongbox-mark]

Thanks @chriswayg - That's sort of unexpected that that would work, I would have assumed it would have the same problem, since the library we use only stores one set of credentials per host and the host you are using looks the same... But I'll take the win for now... We still need to upgrade that WebDAV library. See #120

[chriswayg]

I had searched for related bugs here repeatedly, but the title of bug #120 is so developer focused that I did not see it as anything relating to my issue.

Also the issue I was able to reproduce on multiple installations of Nextcloud seems to manifest in a different manner. I never encountered the issue when using the Nginx WebDAV module, even with all Keepass databases from different users on one subdomain. Same with WsgiDAV direct and also behind a Nginx reverse proxy. No problems with multiple databases for multiple users on the same subdomain.

Therefore it seems to me, that the use of NSURLConnection causes problems specifically with NextCloud, which has some WebDAV peculiarities. NextCloud did not do very well in the Litmus WebDAV test suite (neither did the Nginx Module, though) and it is less responsive than other WebDAV servers.

Therefore, I would like to request, that you would mention the limitations with NextCloud WebDAV (with multiple users) in your documentation, until this will finally be fixed by having a more standards compliant WebDAV client inside Strongbox using NSURLSession. (The only workaround with Nextcloud is to place all databases under one user, which I find quite risky.)

Providing a list of confirmed working WebDAV servers would also be helpful, as testing a WebDAV server with a possibly buggy client can be incredibly time consuming.

I would recommend WsgiDAV, which is maybe not as easy to configure and setup as a self-hosted instance of NextCloud, but it is suitable for users that mainly want a cost effective self-hosted WebDAV server, which does not need much resources. (I have not tested Apache with the WebDAV module with Strongbox, as I am personally more familiar with Nginx and generally prefer it over Apache.)

[strongbox-mark]

Thanks @chriswayg - We'll need to test some of these setups, we're hoping to improve the webdav feature in the next few months, so fingers crossed it will work everywhere then.