diffuse icon indicating copy to clipboard operation
diffuse copied to clipboard

Published 20 hours ago verified publisher icon icidasset

Diffuse doesn't send authentication to apache webdav server after PROPFIND

Open ST-Saint opened this issue 1 year ago • 9 comments

OS: Archlinux Kernel: 6.4.1 Arch: amd64 Apache version: 2.4.57 Diffuse version: 0.8.2

AuthType: Digest

CORS config

  Header always set Access-Control-Allow-Origin *
  Header always set Access-Control-Allow-Headers *
  Header always set Access-Control-Expose-Headers *
  Header always set Access-Control-Allow-Methods *

Wireshark log: (diffuse auth + cadaver auth) wireshark.zip

ST-Saint avatar Oct 02 '23 03:10 ST-Saint

Thanks for creating an issue! Not entirely sure I'm reading these logs correctly, but it seems like your Apache WebDAV server is requiring authorisation on OPTION requests. This is something web browser don't support, see https://stackoverflow.com/a/52072116 for more info on that.

Is that the case? Or did I misinterpret the logs? Also just to be sure, check if the service worker is running or isn't bypassed.

icidasset avatar Oct 02 '23 08:10 icidasset

interesting... I tried Firefox and Chrome, and both of them use GET. cadaver uses OPTIONS but also attaches authorization but diffuse cannot add authorization within the OPTIONS request.

I thought since I have Header always set Access-Control-Allow-Methods * it already allows OPTIONS without auth. Do you know what else have to configure to allow that?

ST-Saint avatar Oct 02 '23 09:10 ST-Saint

diffuse cannot add authorization within the OPTIONS request.

Yeah, things living a web browser, like Diffuse, can't do that. Various other tools, besides browsers, may implement CORS, but often not entirely according to the spec, so "small" issues like this pop up.

I thought since I have Header always set Access-Control-Allow-Methods * it already allows OPTIONS without auth

It doesn't no, that just says which HTTP methods your browser allows when encountering a CORS request from the browser.

Do you know what else have to configure to allow that?

Hmm.. I think you should enable auth for all HTTP methods except OPTIONS. I'm not super familiar with Apache but I imagine you have something like this?

<Directory ...>
  Dav On
  AuthStuff ...
</Directory>

And maybe you can do something like this:

<Directory ...>
  Dav On
  <LimitExcept OPTIONS>
    AuthStuff ...
  </LimitExcept>
</Directory>

https://httpd.apache.org/docs/current/mod/core.html#limitexcept The Apache WebDAV docs also do this: (see first full example) https://httpd.apache.org/docs/2.4/mod/mod_dav.html#page-header

icidasset avatar Oct 02 '23 09:10 icidasset

Thanks for the pointer, exempting OPTIONS allows diffuse to connect to WebDAV now

<Directory "/home/y/WebDAV/WebDAV">
  DAV On
  AllowOverride None
  Options Indexes FollowSymLinks
  Require all granted

  <LimitExcept OPTIONS>
    Require user y
    AuthType Digest
    AuthName "webdav"
    AuthUserFile /etc/httpd/conf/passwd
  </LimitExcept>

  Header always set Access-Control-Allow-Origin *
  Header always set Access-Control-Allow-Headers *
  Header always set Access-Control-Expose-Headers *
  Header always set Access-Control-Allow-Methods *
</Directory>

Yet I still got this error: 'I can't play this track because your browser didn't recognize it' when playing a song image

seems the response never contains the audio request: image response: image

any idea about this?

ST-Saint avatar Oct 02 '23 19:10 ST-Saint

You're looking at the OPTIONS request, it's normal that this response is empty. In the case of browsers, the OPTIONS request serves as a preflight request in CORS. It's letting the browser know (through the response headers) which methods, origins and headers are allowed through CORS. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS for more info.

Can you send me the wireshark logs for that part?

Guess I should try it out myself just to be sure. How difficult is it to set up an Apache server nowadays?

By the way, any reason your using Apache specifically to set up a WebDAV server?

icidasset avatar Oct 04 '23 14:10 icidasset

wireshark.zip Thanks for your help.

Actually there is no particular reason, but I had an apache webdav set up years ago and I want to reuse it if possible

ST-Saint avatar Oct 08 '23 21:10 ST-Saint

Hey again, sorry for the late response, I was sick for quite a while. It seems that there are only OPTION requests in the wireshark logs, so yeah it's normal the response is empty.

Hard to say what otherwise could be the exact issue.

I'll give this a try myself at some point when I find some time.

icidasset avatar Oct 30 '23 14:10 icidasset

Finally found some time to try this out. Looks like the issue is that Apache uses a different XML namespace for the propstats:

<D:href>/music/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>

(Apache version: Apache/2.4.58 (Unix))

lp1:resourcetype should be D:resourcetype No clue why Apache changes the namespace here 🤔 That's why Diffuse connects but doesn't show any music. It uses the root namespace and disregards other namespaces.

This is config I used:

<Directory "/Users/steven/Music/">
    DAV On
    #AllowOverride None
    Options Indexes FollowSymLinks
    Require all granted

    <LimitExcept OPTIONS>
	AuthType Basic
    	AuthUserFile /opt/homebrew/var/users.password.basic
    	Require valid-user
    </LimitExcept>

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Headers "*"
    Header always set Access-Control-Expose-Headers "*"
    Header always set Access-Control-Allow-Methods "*"
</Directory>

Diffuse requires basic auth for web dav to work. Not sure if browsers support other auth methods ...

icidasset avatar Jan 24 '24 14:01 icidasset

Hmm, my issue seems to be different than yours, because I guess in your case Diffuse did list the music, you just couldn't play it right?

icidasset avatar Jan 24 '24 14:01 icidasset