[Bug]: Files shared via Public Share Links no longer accessible (HTTP 401)

[koelle25]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

When trying to access files via a share link they cannot be opened anymore. In the developer console there are multiple errors:

It's not because of HTTP/3, I also tried with HTTP/2, same behaviour. Also the error message regarding the text app also seems unrelated, I also tried with with it disabled but same behaviour again.

The bug seems to be existing since upgrade to Nextcloud 28 (28.0.1 actually). I'm now on 28.0.2 but bug is still there.

Steps to reproduce

1. Share a file/folder
2. Open the link
3. Be sad because you cannot see the latest cute pictures of your grandchildren

Dateien.-.Kolle.s.Cloud.Mozilla.Firefox.2024-02-02.13-11-12.video-converter.com.mp4

Expected behavior

I can access the shared file(s) via the public link.

Installation method

Community Docker image

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.1.3:8443",
            "cloud.kevinkoellmann.de"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "28.0.2.5",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "skeletondirectory": "",
        "knowledgebaseenabled": false,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "maintenance_window_start": 1,
        "theme": "",
        "loglevel": 2,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "blacklisted_files": [],
        "overwrite.cli.url": "https:\/\/cloud.kevinkoellmann.de",
        "app_install_overwrite": [
            "polls",
            "ocsms",
            "forms",
            "contacts",
            "keeporsweep",
            "files_fulltextsearch",
            "files_fulltextsearch_tesseract",
            "files_readmemd",
            "files_trackdownloads",
            "impersonate",
            "richdocuments",
            "twofactor_admin"
        ],
        "allow_local_remote_servers": true,
        "updater.release.channel": "stable",
        "default_phone_region": "DE",
        "mysql.utf8mb4": true,
        "filelocking.enabled": "true",
        "memories.exiftool": "\/config\/www\/nextcloud\/apps\/memories\/bin-ext\/exiftool-amd64-musl",
        "memories.vod.path": "\/config\/www\/nextcloud\/apps\/memories\/bin-ext\/go-vod-amd64",
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
        "enabledPreviewProviders": [
            "OC\\Preview\\Image"
        ],
        "upgrade.disable-web": true
    }
}

List of activated Apps

Enabled:
  - activity: 2.20.0
  - admin_audit: 1.18.0
  - bookmarks: 13.1.3
  - calendar: 4.6.4
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contacts: 5.5.1
  - contactsinteraction: 1.9.0
  - cookbook: 0.11.0
  - dav: 1.29.1
  - federatedfilesharing: 1.18.0
  - files: 2.0.0
  - files_fulltextsearch: 28.0.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - forms: 4.0.0
  - fulltextsearch: 28.0.0
  - fulltextsearch_elasticsearch: 28.0.0
  - groupfolders: 16.0.3
  - impersonate: 1.15.0
  - keeporsweep: 0.3.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - mail: 3.5.5
  - notes: 4.9.2
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - photos: 2.4.0
  - polls: 6.0.1
  - previewgenerator: 5.4.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - quota_warning: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - richdocuments: 8.3.1
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - support: 1.11.0
  - survey_client: 1.16.0
  - systemtags: 1.18.0
  - tasks: 0.15.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_admin: 4.4.0
  - twofactor_backupcodes: 1.17.0
  - twofactor_email: 2.7.4
  - twofactor_nextcloud_notification: 3.8.0
  - twofactor_totp: 10.0.0-beta.2
  - twofactor_webauthn: 1.3.2
  - viewer: 2.2.0
  - workflowengine: 2.10.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No relevant nextcloud server log entries.

Additional info

NGINX access.log entries regarding the problem:

172.71.99.144 - - [02/Feb/2024:13:26:59 +0100] "GET /s/eKEY5qyDNG98ex2?dir=undefined&openfile=581238 HTTP/2.0" 200 9484 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"
172.71.99.143 - eKEY5qyDNG98ex2 [02/Feb/2024:13:27:00 +0100] "PROPFIND /public.php/webdav/ HTTP/2.0" 207 116632 "https://cloud.kevinkoellmann.de/s/eKEY5qyDNG98ex2?dir=undefined&openfile=581238" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"
172.71.99.144 - - [02/Feb/2024:13:27:01 +0100] "GET /apps/files_sharing/publicpreview/eKEY5qyDNG98ex2?fileId=581238&file=%2F20230929_204910_955_IMG_0001.JPG&c=aed8663c35273fea5acf01e75e5da561&x=250&y=250 HTTP/2.0" 404 2 "https://cloud.kevinkoellmann.de/s/eKEY5qyDNG98ex2?dir=undefined&openfile=581238" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"
172.71.99.144 - eKEY5qyDNG98ex2 [02/Feb/2024:13:27:04 +0100] "PROPFIND /public.php/webdav/20230929_204910_955_IMG_0001.JPG HTTP/2.0" 401 189 "https://cloud.kevinkoellmann.de/s/eKEY5qyDNG98ex2?dir=undefined&openfile=581238" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"

[koelle25]

I had the chance to test in another 28.0.2 instance, and there it is working without a problem...

Does someone here in the community maybe have some tip, where to start checking? I'm using lscr.io/linuxserver/nextcloud:28.0.2 image.

[koelle25]

I have create a topic in the Nextcloud help forum:
https://help.nextcloud.com/t/401-when-trying-to-access-files-from-public-share-links/180662

Should I close this issue here? I cannot really determine if it's a bug or not...

[joshtrichards]

I'm unable to reproduce this behavior.

Those CSP errors should not be occurring. I don't have those errors.

Your browser console Network tab may offer more clues, such as if being blocked by a browser extension or something.

[AsamK]

I see the same behavior, files on a public share link cannot be opened, and the network tab shows a 401 response.
I think this is related to the issue #42200 and only occurs when the isOutgoingServer2serverShareEnabled setting is disabled. In this case the server checks if the X-Requested-With header contains XMLHttpRequest, if not it responds with 401.

The share app only sets this header for the PROPFIND of the folder, but not for the PROPFIND of a file, that's triggered when clicking on it.

[szaimen]

Cc @nextcloud/server-frontend

[skjnldsv]

I had the chance to test in another 28.0.2 instance, and there it is working without a problem...

Because it was fixed for 28.0.2....

[AsamK]

No this is not fixed in 28.0.2 . As I wrote above, the issue here is that the webdav app doesn't set the X-Requested-With header at all when sending the PROPFIND request for a single file.

@koelle25 can you check if the other nextcloud instance that doesn't have this issue, has the server to server share option enabled?

[koelle25]

I am almost sure it has, but I will check it and also my private instance for this setting. Am 4. Februar 2024 10:00:13 UTC schrieb Sebastian Scheibner ***@***.***>:

…

No this is not fixed in 28.0.2 . As I wrote above, the issue here is that the webdav app doesn't set the X-Requested-With header at all when sending the PROPFIND request for a single file. @koelle25 can you check if the other nextcloud instance that doesn't have this issue, has the server to server share option enabled? -- Reply to this email directly or view it on GitHub: #43287 (comment) You are receiving this because you were mentioned. Message ID: ***@***.***>

[realies]

As aforementioned, enabling isOutgoingServer2serverShareEnabled fixes the bug;

Publicly shared links should not depend on isOutgoingServer2serverShareEnabled.

[koelle25]

Yes indeed, I can confirm this. The other instance has isOutgoingServer2serverShareEnabled enabled and link sharing is working without problems.
After enabling this setting on my private instance it is working, too.

@skjnldsv Please re-open this issue

[tgurr]

Sad to find this bug and seeing it is still closed after days of users reporting that it is still valid and I also just got reports from users not being able to open files where office/richdocuments comes into play for folders shared via public shares and it behaves just like op demonstrates in the video in the initial bugreport with the spinner cycling. The instances are on 28.0.2 as well and we disabled the isOutgoingServer2serverShareEnabled option workaround once we upgraded our instances to 28.0.2. Enabling the option workaround again also makes richdocuments/office work again.

NOTE: Interestingly (at least in my case) this only affects files opened from within a public folder share, if the single file is shared instead it works.

Please re-open this issue.

Browser console log

[vitormfgoncalves]

I also have this issue. Sending a link with documents that dont open as expected is embarassing, and enabling isOutgoingServer2serverShareEnabled is not an option in many cases.
I assume this was closed because someone said that enabling the option fixes the issue... It does not!
Enabling it is a workarround, not a fix. It clearly is a BUG.
Please reopen this issue.

[koelle25]

/reopen @nextcloud/server-frontend @joshtrichards @szaimen @skjnldsv

[skjnldsv]

/reopen @nextcloud/server-frontend @joshtrichards @szaimen @skjnldsv

Nope, 28.0.3 is fixed for me

[koelle25]

Can you point us to the resolving PR/Commit? I cannot find anything related to this issue in the Pre-Release Notes...

[skjnldsv]

@koelle25 you're right, I was heading a different direction, thanks for pushing back 👍
nextcloud/viewer#2178

[skjnldsv]

Addressed, release is tomorrow