Pyocclient and NC 13 don't error on false login

[tflidd]

Steps to reproduce

1. Get pyocclient
2. Try connect to your Nextcloud with wrong credentials

import owncloud
oc = owncloud.Client("https://example.org/nextcloud")
oc.login("non-existing-user", "randomPw")

Expected behaviour

Like for ownCloud, I expect a 401 authentication error.

Actual behaviour

Nothing, you can't tell if the login was successful or not.

The login()-procedure tries to gather the capabilities of the server, that is where the ownCloud server throws an error, Nextcloud just returns a result:

{'bruteforce': {'delay': '400'},
 'theming': {'background': 'https://example.org/nextcloud/core/img/background.png?v=3',
  'background-default': '1',
  'background-plain': None,
  'color': '#057BC9',
  'color-element': '#057BC9',
  'color-text': '#ffffff',
  'logo': 'https://example.org/nextcloud/core/img/logo.svg?v=3',
  'name': 'Nextcloud',
  'slogan': 'a safe home for all your data',
  'url': 'https://nextcloud.com'}}

Is there a reason why this information is available without authentication? It does not seem to include useful information for unauthenticated access like if federated sharing or something is supported.

Nextcloud version: NC 13.0.8

[kesselb]

Is that still happening? owncloud/pyocclient#222 there is a reports that it works with NC 15.

[tflidd]

Is that still happening? owncloud/pyocclient#222 there is a reports that it works with NC 15.

You can login but if you use wrong credentials, you don't get an error. It throws an 401 later, so you will know.

[kesselb]

server/core/Controller/OCSController.php

Lines 102 to 106 in 0eebff1

	if($this->userSession->isLoggedIn()) {
	$result['capabilities'] = $this->capabilitiesManager->getCapabilities();
	} else {
	$result['capabilities'] = $this->capabilitiesManager->getCapabilities(true);
	}

Looks intended.

cc @blizzz @rullzer is there anything we can do? I guess this needs to be fixed with pyocclient.

[tflidd]

We could check for the core entry in the response if a webdav-root is sent.

{'core': {'pollinterval': '60', 'webdav-root': 'remote.php/webdav'},

Would be nice if we could not just login as a user and also use it just to connect to shared folders (if shared by link).

[blizzz]

This should be fixed with pyocclient imho. It's better and more useful to avoid a hack for a strange behaviour of another client tool, especially when it is open source. The capabilities endpoint is not an authentication source.

[tflidd]

It is not very active but I like to keep it open until we fixed this issue, even if it's in the pyocclient.

[tflidd]

I just looked at the request package in python. You set the username and password in a variable, to verify you must call something that requires authentication to verify if they are correct (e.g. github api: https://realpython.com/python-requests/#authentication). Do we have a suitable end point in Nextcloud to avoid using capabilities?

[kesselb]

https://github.com/owncloud/pyocclient/blob/b9e1f04cdbde74588e86f1bebb6144571d82966c/owncloud/owncloud.py#L353-L361

Into the blue: We could call list here (which emits a propfind). This should fail due the wrong credentials.