Merge pull request #5372 from nextcloud/we-shall-monkey-patch-auth-headers-for-clients-that-dont-follow-specs

MorrisJobke · web-flow · commit e7b5c5c268da · 2017-06-13T12:36:31.000-05:00
Prevent sending second WWW-Authenticate header
diff --git a/apps/dav/lib/Connector/Sabre/BearerAuth.php b/apps/dav/lib/Connector/Sabre/BearerAuth.php
@@ -25,6 +25,8 @@
 use OCP\ISession;
 use OCP\IUserSession;
 use Sabre\DAV\Auth\Backend\AbstractBearer;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
 
 class BearerAuth extends AbstractBearer {
 	/** @var IUserSession */
@@ -77,4 +79,16 @@ public function validateBearerToken($bearerToken) {
 
 		return false;
 	}
+
+	/**
+	 * \Sabre\DAV\Auth\Backend\AbstractBearer::challenge sets an WWW-Authenticate
+	 * header which some DAV clients can't handle. Thus we override this function
+	 * and make it simply return a 401.
+	 *
+	 * @param RequestInterface $request
+	 * @param ResponseInterface $response
+	 */
+	public function challenge(RequestInterface $request, ResponseInterface $response) {
+		$response->setStatus(401);
+	}
 }
diff --git a/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
@@ -21,9 +21,6 @@
 
 namespace OCA\DAV\Tests\unit\Connector\Sabre;
 
-use OC\Authentication\TwoFactorAuth\Manager;
-use OC\Security\Bruteforce\Throttler;
-use OC\User\Session;
 use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCP\IRequest;
 use OCP\ISession;
@@ -85,4 +82,13 @@ public function testValidateBearerToken() {
 
 		$this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
 	}
+
+	public function testChallenge() {
+		/** @var \PHPUnit_Framework_MockObject_MockObject|RequestInterface $request */
+		$request = $this->createMock(RequestInterface::class);
+		/** @var \PHPUnit_Framework_MockObject_MockObject|ResponseInterface $response */
+		$response = $this->createMock(ResponseInterface::class);
+		$result = $this->bearerAuth->challenge($request, $response);
+		$this->assertEmpty($result);
+	}
 }
diff --git a/build/integration/features/webdav-related.feature b/build/integration/features/webdav-related.feature
@@ -8,15 +8,15 @@ Feature: webdav-related
 		Then the HTTP status code should be "401"
 		And there are no duplicate headers
 		And The following headers should be set
-			|WWW-Authenticate|Basic realm="Nextcloud", Bearer realm="Nextcloud"|
+			|WWW-Authenticate|Basic realm="Nextcloud"|
 
 	Scenario: Unauthenticated call new dav path
 		Given using new dav path
 		When connecting to dav endpoint
 		Then the HTTP status code should be "401"
 		And there are no duplicate headers
 		And The following headers should be set
-			|WWW-Authenticate|Bearer realm="Nextcloud", Basic realm="Nextcloud"|
+			|WWW-Authenticate|Basic realm="Nextcloud"|
 
 	Scenario: Moving a file
 		Given using old dav path
