Requests against some /ocs endpoints return empty body and invalidate the session if OAuth2 is enabled. #28860

Closed
jesmrec opened this issue Aug 30, 2017 · 9 comments
Labels
p2-high Escalation, on top of current planning, release blocker sev1-critical status/STALE Type:Bug

@jesmrec

jesmrec commented Aug 30, 2017

Requests against some /ocs endpoints return an empty body, so clients do not behave as expected.

This is happening in daily master from today with the OAuth2 app enabled. The OAuth2 app worked properly before and no more commits were added, so I guess this is not a matter of the OAuth2 app.

Some examples, all of them with daily master (2017-08-30), that are not reproducible with the daily from the 28th.

Requests like:

  • /ocs/v1.php/cloud/user?format=json
  • /ocs/v1.php/cloud/capabilities?format=json

return an empty body with OAuth2 enabled and a correct response with OAuth2 disabled.

@SamuAlfageme also experienced this effect using the Desktop Client.

(Suspicions related to #28457 ... )

@PVince81
Contributor

Do you have the exact queries? Are these GET queries or OPTIONS?

In curl format would be nice.

We have integration tests that use the OCS API or some things like sharing API and these passed, so it's likely not all OCS endpoints.

@PVince81 PVince81 added this to the development milestone Aug 30, 2017
@SamuAlfageme SamuAlfageme changed the title from "Requests against /ocs return empty body if OAuth2 is enabled." to "Requests against some /ocs endpoints return empty body and invalidate the session if OAuth2 is enabled." Aug 30, 2017
@jesmrec
Author

jesmrec commented Aug 30, 2017

I have checked for GETs when the session is already alive. Some examples:

  • Android (get users)

curl '<URL>/ocs/v1.php/cloud/user?format=json' \
    -H "OCS-APIREQUEST:true" \
    -H "Authorization:Bearer <token OAuth2>" \
    -H "User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.4.0" \
    -H "Host: <URL>"

  • iOS (get capabilities)

curl '<URL>/ocs/v1.php/cloud/capabilities?format=json' \
    -H "Host:<URL>" \
    -H "Content-Type:application/x-www-form-urlencoded" \
    -H "Accept:*/*" \
    -H "Connection:keep-alive" \
    -H "Proxy-Connection:keep-alive" \
    -H "Accept-Encoding:gzip, deflate" \
    -H "User-Agent:Mozilla/5.0 (iOS) ownCloud-iOS/3.6.2" \
    -H "Accept-Language:en-ES;q=1, es-ES;q=0.9,pt-PT;q=0.8,en;q=0.7" \
    -H "Authorization:Bearer <token OAuth2>" \
    -H "OCS-APIREQUEST:true"

Maybe more requests are needed for getting tokens. I have those ones FTM.

Their relatives with Authorization:Basic work as expected.

@SamuAlfageme

SamuAlfageme commented Aug 30, 2017

@PVince81 those are GETs, yup - e.g. request to get the user info and nope, not for all of them. (though as said in the title this only happens when OAuth app is enabled)

curl 'https://<server>/ocs/v1.php/cloud/user?format=json' \
    -H 'OCS-APIREQUEST: true' \
    -H "Cookie: $SESSION"

Also, note how those empty-body replies also break the session: https://asciinema.org/a/fC0GpQkWjLMzFOtQt3COEYzeE

@SamuAlfageme

SamuAlfageme commented Aug 30, 2017

Hmmm... here we go:

{
    "reqId":"HRV8IUEoQLTLg8gICU98",
    "level":3,
    "time":"2017-08-30T15:59:46+00:00",
    "remoteAddr":"<remote_address>",
    "user":"admin",
    "app":"PHP",
    "method":"GET",
    "url":"\/ocs\/v1.php\/cloud\/user",
    "message":"Undefined index: PHP_AUTH_USER at \/opt\/owncloud\/lib\/private\/AppFramework\/Middleware\/Security\/CORSMiddleware.php#99"
}

cc/ @noveens @PVince81 -> #28457 (comment)
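
An added illustration, not part of the thread and not ownCloud's CORSMiddleware code: PHP fills `PHP_AUTH_USER` only for `Authorization: Basic`, so the Bearer-token and cookie-session requests shown above reach the server without that key, and an unguarded read produces the notice in the log entry. `resolveAuthScheme()`, the `$server` stand-in for `$_SERVER`, and every sample value are hypothetical; the header is assumed to be forwarded as `HTTP_AUTHORIZATION`.

```php
<?php
declare(strict_types=1);

// Added illustration, not ownCloud's CORSMiddleware code. $server stands in
// for $_SERVER; resolveAuthScheme() is a hypothetical helper name.

/**
 * Classify how a request is authenticated without assuming Basic auth.
 * PHP populates PHP_AUTH_USER / PHP_AUTH_PW only for "Authorization: Basic",
 * so Bearer-token and cookie-session requests arrive without those keys.
 */
function resolveAuthScheme(array $server): array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return ['scheme' => 'basic', 'user' => $server['PHP_AUTH_USER']];
    }
    // Assumption: the web server forwards the header as HTTP_AUTHORIZATION.
    $header = trim((string)($server['HTTP_AUTHORIZATION'] ?? ''));
    if (preg_match('/^Bearer\s+(\S+)$/i', $header, $m) === 1) {
        return ['scheme' => 'bearer', 'token' => $m[1]];
    }
    if (($server['HTTP_COOKIE'] ?? '') !== '') {
        return ['scheme' => 'session'];
    }
    return ['scheme' => 'none'];
}

// Constructed request environments mirroring the three request styles
// discussed in this thread (Basic, Bearer token, session cookie).
$samples = [
    'basic'  => ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'constructed-password'],
    'bearer' => ['HTTP_AUTHORIZATION' => 'Bearer constructed-token'],
    'cookie' => ['HTTP_COOKIE' => 'constructed_session=abc123'],
];

foreach ($samples as $name => $server) {
    // Unguarded read, the pattern behind "Undefined index: PHP_AUTH_USER":
    //     $user = $server['PHP_AUTH_USER'];
    // Guarded check: the key is reported as absent instead of raising a notice.
    $hasBasic = array_key_exists('PHP_AUTH_USER', $server) ? 'yes' : 'no';
    $scheme = resolveAuthScheme($server)['scheme'];
    printf("%-6s PHP_AUTH_USER set: %-3s scheme: %s\n", $name, $hasBasic, $scheme);
}
```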

@noveens
Contributor

noveens commented Aug 30, 2017

@SamuAlfageme,
I didn't even touch this code in the latest PR.
The error we're getting must be from somewhere else.

Also,
are you doing requests over OAuth2 authorization or basic (username:password)?

@jesmrec
Author

jesmrec commented Aug 30, 2017

@noveens OAuth2. With basic auth the problem does not happen.

@noveens
Contributor

noveens commented Aug 30, 2017

PR here:
#28864

@PVince81
Contributor

Fix was merged, please retry with tomorrow's daily master and reopen if the problem persists.

@lock

lock bot commented Aug 1, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 1, 2019