fix error when using CORS with no auth credentials #26852

korelstar · 2021-05-01T13:56:26Z

When using an ApiController with CORS annotation, basic authentication is required. However, currently the following exception occurs when a request does not contain any authentication:

Argument 1 passed to OCP\User\Events\BeforeUserLoggedInEvent::__construct() must be of the type string, null given, called in /home/owncloud/nextcloud/lib/private/Server.php on line 577

0.  /home/owncloud/nextcloud/lib/private/Server.php - line 577:
    OCP\User\Events\BeforeUserLoggedInEvent->__construct("*** sensiti ... *", "*** sensiti ... *")

1.  <<closure>>
    OC\Server->OC\{closure}("*** sensiti ... *")

2.  /home/owncloud/nextcloud/lib/private/Hooks/EmitterTrait.php - line 107:
    call_user_func_array(Closure {}, [ "*** sensi ... "])

3.  /home/owncloud/nextcloud/lib/private/Hooks/PublicEmitter.php - line 41:
    OC\Hooks\BasicEmitter->emit("\\OC\\User", "preLogin", [ "*** sensi ... "])

4.  /home/owncloud/nextcloud/lib/private/User/Session.php - line 444:
    OC\Hooks\PublicEmitter->emit("\\OC\\User", "preLogin", [ "*** sensi ... "])

5.  /home/owncloud/nextcloud/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php - line 93:
    OC\User\Session->logClientIn("*** sensiti ... *")

6.  /home/owncloud/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php - line 98:
    OC\AppFramework\Middleware\Security\CORSMiddleware->beforeController(OCA\Notes\Co ... {}, "index")

7.  /home/owncloud/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 119:
    OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController(OCA\Notes\Co ... {}, "index")

8.  /home/owncloud/nextcloud/lib/private/AppFramework/App.php - line 157:
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Notes\Co ... {}, "index")

9.  /home/owncloud/nextcloud/lib/private/Route/Router.php - line 302:
    OC\AppFramework\App::main("OCA\\Notes\ ... r", "index", OC\AppFramew ... {}, { apiVersion ... "})

10. /home/owncloud/nextcloud/lib/base.php - line 993:
    OC\Route\Router->match("/apps/notes/api/v1/notes")

11. /home/owncloud/nextcloud/index.php - line 37:
    OC::handleRequest()

In consultation with @nickvergessen , this PR fixes this by checking if $user and $pass are not null before trying to login.

Furthermore, I fixed an Undefined index error for PHP_AUTH_USER and PHP_AUTH_PW.

I suggest backporting this to the stable branches.

lib/private/AppFramework/Middleware/Security/CORSMiddleware.php

korelstar · 2021-05-15T18:44:09Z

ping for review @rullzer @ChristophWurst @LukasReschke @kesselb

korelstar · 2021-05-19T08:12:24Z

I suggest to Backport this to stable20 and stable21. Can we do this?

nickvergessen · 2021-05-19T09:25:52Z

/backport to stable21

nickvergessen · 2021-05-19T09:25:57Z

/backport to stable20

korelstar requested review from rullzer, nickvergessen, LukasReschke and ChristophWurst May 1, 2021 13:56

nickvergessen approved these changes May 1, 2021

View reviewed changes

lib/private/AppFramework/Middleware/Security/CORSMiddleware.php Show resolved Hide resolved

lib/private/AppFramework/Middleware/Security/CORSMiddleware.php Show resolved Hide resolved

gary-kim added 3. to review Waiting for reviews bug labels May 1, 2021

nickvergessen approved these changes May 3, 2021

View reviewed changes

nickvergessen requested a review from kesselb May 3, 2021 08:00

fix error when using CORS with no auth credentials

b38e867

korelstar force-pushed the fix-noauth-cors branch from 1533634 to b38e867 Compare May 18, 2021 05:12

LukasReschke approved these changes May 18, 2021

View reviewed changes

LukasReschke added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels May 18, 2021

korelstar added this to the Nextcloud 22 milestone May 18, 2021

nickvergessen merged commit 4a02726 into master May 19, 2021

nickvergessen deleted the fix-noauth-cors branch May 19, 2021 07:51

backportbot-nextcloud bot added the backport-request label May 19, 2021

This was referenced May 19, 2021

[stable20] fix error when using CORS with no auth credentials #27027

Merged

[stable21] fix error when using CORS with no auth credentials #27028

Merged

backportbot-nextcloud bot removed the backport-request label May 19, 2021

szaimen mentioned this pull request May 27, 2021

CORS without Basic auth header results in HTTP 500 #11307

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix error when using CORS with no auth credentials #26852

fix error when using CORS with no auth credentials #26852

korelstar commented May 1, 2021

korelstar commented May 15, 2021

korelstar commented May 19, 2021

nickvergessen commented May 19, 2021

nickvergessen commented May 19, 2021

fix error when using CORS with no auth credentials #26852

fix error when using CORS with no auth credentials #26852

Conversation

korelstar commented May 1, 2021

korelstar commented May 15, 2021

korelstar commented May 19, 2021

nickvergessen commented May 19, 2021

nickvergessen commented May 19, 2021