Nextcloud OCM compatibility

[MahdiBaghbani]

Tracking the Nextcloud status in this issue.

Related PR: nextcloud/server#39574

[MahdiBaghbani]

Nextcloud still doesn't include token in a PROPFIND and we reach a blocker after:

[Thu Aug 24 11:56:40.820664 2023] [php:notice] [pid 1320] [client 172.25.0.11:58738] GetSentShareByToken
[Thu Aug 24 11:56:40.820769 2023] [php:notice] [pid 1320] [client 172.25.0.11:58738] share provider getSentShareByToken ''
[Thu Aug 24 11:56:40.821712 2023] [php:notice] [pid 1320] [client 172.25.0.11:58738] sent share not found by token ''
172.25.0.11 - - [24/Aug/2023:11:56:40 +0000] "POST /index.php/apps/sciencemesh/~nobody/api/ocm/GetSentShareByToken HTTP/1.1" 503 6527 "-" "Go-http-client/1.1"

[ArtificialOwl]

Not sure I see the relation with #39574

[glpatcern]

@MahdiBaghbani can you please add more context and how we reproduce this?

@ArtificialOwl the relation is with the original issue: we need to prove that Nextcloud as a client is able to access an OCM share by only using OCM-compliant operations (e.g., the PROPFIND must include the shared secret as username, and an empty password) against a non-Nextcloud server.

[ArtificialOwl]

i'll have a look, I thought your compatibility issues were only on the discovery endpoint

[glpatcern]

I had linked the full list in my submission of the original issue (not on a PC now to be able to post it here too)

[ArtificialOwl]

can I still get details on how to reproduce the issue on this app ?

[MahdiBaghbani]

Today I couldn't do it, I'll make a detailed report in the coming week.

[MahdiBaghbani]

I've checked the logs again, Nextcloud doesn't include a Token.
@glpatcern Since it is relayed by Reva I think you can find relevant logs on Reva's side if my logs aren't enough.

Successful scenario:

owncloud2 requesting the shared file:

172.18.0.3 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/files_sharing/api/externalShares HTTP/1.1" 200 1044 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
172.18.0.3 - - [28/Aug/2023:06:25:48 +0000] "PROPFIND /remote.php/dav/files/marie/ HTTP/1.1" 207 2827 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
172.18.0.3 - - [28/Aug/2023:06:25:48 +0000] "GET /index.php/avatar/marie/28 HTTP/1.1" 200 1121 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
172.18.0.3 - - [28/Aug/2023:06:25:48 +0000] "GET /core/img/filetypes/folder-shared.svg HTTP/1.1" 200 1814 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
172.18.0.3 - - [28/Aug/2023:06:25:48 +0000] "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" 200 898 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"

owncloud1 receiving:

172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~5wpHmFGTDz0cd8xxSUoGU1jNfdXuKU3J/api/auth/Authenticate HTTP/1.1" 200 2761 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~nobody/api/ocm/GetSentShareByToken HTTP/1.1" 200 1583 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~nobody/api/ocm/GetSentShareByToken HTTP/1.1" 200 1579 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~unauthenticated/api/user/GetUser HTTP/1.1" 200 1176 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~einstein/api/user/GetUserByClaim HTTP/1.1" 200 1174 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~einstein/api/storage/CreateHome HTTP/1.1" 200 1032 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~einstein/api/storage/GetMD HTTP/1.1" 200 1604 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~einstein/api/storage/GetMD HTTP/1.1" 200 1604 "-" "Go-http-client/1.1"
172.18.0.11 - - [28/Aug/2023:06:25:46 +0000] "POST /index.php/apps/sciencemesh/~einstein/api/storage/GetMD HTTP/1.1" 200 1594 "-" "Go-http-client/1.1"
[Mon Aug 28 06:25:46.645774 2023] [php7:notice] [pid 1316] [client 172.18.0.11:54492] Authenticate
[Mon Aug 28 06:25:46.646462 2023] [php7:notice] [pid 1316] [client 172.18.0.11:54492] share provider getSentShareByToken '5wpHmFGTDz0cd8xxSUoGU1jNfdXuKU3J'
[Mon Aug 28 06:25:46.646956 2023] [php7:notice] [pid 1316] [client 172.18.0.11:54492] found sent share 1 by token '5wpHmFGTDz0cd8xxSUoGU1jNfdXuKU3J'

Nextcloud scenario:

nextcloud2 requesting the share:

172.19.0.3 - - [28/Aug/2023:06:37:32 +0000] "POST /index.php/apps/files_sharing/api/externalShares HTTP/1.1" 200 1164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
172.19.0.3 - - [28/Aug/2023:06:37:32 +0000] "PROPFIND /remote.php/dav/files/marie/ HTTP/1.1" 207 1552 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
172.19.0.3 - - [28/Aug/2023:06:37:33 +0000] "GET /index.php/apps/files/api/v1/stats?dir=%2F HTTP/1.1" 200 966 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"

nextcloud1 receiving the request:

[Mon Aug 28 06:37:33.213204 2023] [php:notice] [pid 124] [client 172.19.0.11:60748] GetSentShareByToken
[Mon Aug 28 06:37:33.213284 2023] [php:notice] [pid 124] [client 172.19.0.11:60748] share provider getSentShareByToken ''
[Mon Aug 28 06:37:33.214169 2023] [php:notice] [pid 124] [client 172.19.0.11:60748] sent share not found by token ''
172.19.0.11 - - [28/Aug/2023:06:37:33 +0000] "POST /index.php/apps/sciencemesh/~nobody/api/ocm/GetSentShareByToken HTTP/1.1" 503 6523 "-" "Go-http-client/1.1"

reva on nextcloud1 side:

2023-08-28 06:37:32.776 INF ../../workspace/reva/internal/http/interceptors/auth/auth.go:175 > skipping auth check for: /ocm/notifications pid=1260 pkg=http traceid=d9b8f7f55d389cb16249d5e4d875ad08
2023-08-28 06:37:32.776 DBG ../../workspace/reva/pkg/rhttp/rhttp.go:268 > http routing: url=ocm pid=1260 pkg=http
2023-08-28 06:37:32.776 DBG ../../workspace/reva/internal/http/services/ocmd/ocm.go:112 > ocm routing path=/notifications pid=1260 pkg=http traceid=d9b8f7f55d389cb16249d5e4d875ad08
2023-08-28 06:37:32.776 DBG ../../workspace/reva/internal/http/services/ocmd/notifications.go:82 > Received OCM notification: {"notificationType":"SHARE_ACCEPTED","resourceType":"file","providerId":"1","notification":{"sharedSecret":"VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD","message":"Recipient accept the share"}} pid=1260 pkg=http traceid=d9b8f7f55d389cb16249d5e4d875ad08
2023-08-28 06:37:32.776 INF ../../workspace/reva/internal/http/interceptors/log/log.go:101 > processed http request host=172.19.0.10 method=POST pid=1260 pkg=http status=201 traceid=d9b8f7f55d389cb16249d5e4d875ad08 uri=/ocm/notifications
2023-08-28 06:37:32.776 TRC ../../workspace/reva/internal/http/interceptors/log/log.go:108 > http end="28/Aug/2023:06:37:32 +0000" host=172.19.0.10 method=POST pid=1260 pkg=http proto=HTTP/1.1 req_headers={"Accept-Encoding":["gzip"],"Content-Length":["182"],"Content-Type":["application/json"],"Traceparent":["00-d9b8f7f55d389cb16249d5e4d875ad08-5c9bf72be5fb702f-01"],"User-Agent":["Nextcloud Server Crawler"]} res_headers={"Vary":["Origin"]} size=0 start="28/Aug/2023:06:37:32 +0000" status=201 time_ns=660969 traceid=d9b8f7f55d389cb16249d5e4d875ad08 uri=/ocm/notifications



2023-08-28 06:37:33.099 INF ../../workspace/reva/pkg/ocm/share/repository/nextcloud/nextcloud.go:449 > am.do https://nextcloud1.docker/index.php/apps/sciencemesh/~nobody/api/ocm/GetSentShareByToken {"Spec":{"Token":""}} pid=1260 traceid=e8e61a08a4203a6869ea7dabd3593caa



2023-08-28 06:37:33.243 WRN ../../workspace/reva/internal/http/interceptors/log/log.go:101 > processed http request host=172.19.0.10 method=PROPFIND pid=1260 pkg=http status=401 traceid=6fbe207aa327aa76448d4b53b731a66b uri=/remote.php/dav/ocm/
2023-08-28 06:37:33.243 TRC ../../workspace/reva/internal/http/interceptors/log/log.go:108 > http end="28/Aug/2023:06:37:33 +0000" host=172.19.0.10 method=PROPFIND pid=1260 pkg=http proto=HTTP/2.0 req_headers={"Accept":["*/*"],"Content-Length":["382"],"Content-Type":["application/xml"],"Depth":["0"],"Traceparent":["00-6fbe207aa327aa76448d4b53b731a66b-fd7c5a641e766af4-01"],"User-Agent":["sabre-dav/4.4.0 (http://sabre.io/)"]} res_headers={"Access-Control-Allow-Origin":["*"],"Content-Security-Policy":["default-src 'none';"],"Strict-Transport-Security":["max-age=63072000"],"Vary":["Origin"],"X-Content-Type-Options":["nosniff"],"X-Download-Options":["noopen"],"X-Frame-Options":["SAMEORIGIN"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Robots-Tag":["none"],"X-Xss-Protection":["1; mode=block"]} size=0 start="28/Aug/2023:06:37:33 +0000" status=401 time_ns=147057383 traceid=6fbe207aa327aa76448d4b53b731a66b uri=/remote.php/dav/ocm/



2023-08-28 06:37:33.467 WRN ../../workspace/reva/internal/http/interceptors/log/log.go:101 > processed http request host=172.19.0.10 method=POST pid=1260 pkg=http status=401 traceid=4948fb405f59db2cd9a7f5a6e10e9e5e uri=/index.php/apps/files_sharing/shareinfo?t=VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD
2023-08-28 06:37:33.467 TRC ../../workspace/reva/internal/http/interceptors/log/log.go:108 > http end="28/Aug/2023:06:37:33 +0000" host=172.19.0.10 method=POST pid=1260 pkg=http proto=HTTP/1.1 req_headers={"Accept-Encoding":["gzip"],"Content-Length":["17"],"Content-Type":["application/x-www-form-urlencoded"],"User-Agent":["Nextcloud Server Crawler"]} res_headers={"Vary":["Origin"],"Www-Authenticate":["Basic realm=\"revanextcloud1.docker\"","Bearer realm=\"revanextcloud1.docker\""]} size=0 start="28/Aug/2023:06:37:33 +0000" status=401 time_ns=260810 traceid=4948fb405f59db2cd9a7f5a6e10e9e5e uri=/index.php/apps/files_sharing/shareinfo?t=VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD

[glpatcern]

@ArtificialOwl I understand it's not easy to follow those logs, and also running this app with the required infra does involve a bit of tinkering.

A way for you to analyze what happens is to look at the traffic generated by Nextcloud as client, i.e. all the calls where the User Agent is Nextcloud Server Crawler. Out of the last post here - and as reported in the original submission - Nextcloud is doing the following calls (which you could validate in your own Nextcloud-to-Nextcloud test):

GET /ocm-provider              # OK
POST /ocm/notifications        # OK but you should proceed whichever the return code. We return 201 anyway
GET /status.php                # NOT OK
PROPFIND /remote.php/dav/ocm   # NOT OK: the token or shared secret is missing
POST /index.php/apps/files_sharing/shareinfo?t=VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD    # a fall-back to some Nextcloud-specific discovery?

The last two calls are a deal breaker:

1. The PROPFIND should have the shared secret either as username or in the path, as per OCM specs. Incidentally, I could not reproduce this one, in the sense that with my test this call is totally missing.
2. The last call seems a fall-back if something else fails - quoting myself from [Bug]: accessing OCM federated shares does not seem to be compliant to OCM specs nextcloud/server#39001: "in which case does Nextcloud fall back to querying the remote end for share info by issuing a POST /index.php/apps/files_sharing/shareinfo, which is a Nextcloud-specific endpoint and not an OCM one?"

I guess that when you test against a second Nextcloud server, somehow the connection works thanks to the fall-back or other mechanism, but ultimately without respecting the OCM spec. To validate that the access follows the specs you really have to trace the requests served by the remote server.

[ArtificialOwl]

Is there some details so I can easily reproduce your issue ?
Do I need reva ? revad ? Which configuration should I use ?
Do I need any specific app installed on nextcloud ?

I cannot find enough information in reva's documentation to have it running for nextcloud

Maybe we can arrange a call ?

[glpatcern]

@ArtificialOwl would you be able to trace the HTTP traffic served by Nextcloud ?

All details you need are in my previous comment: any HTTP request different from the OK ones above is a violation of the OCM protocol. You don't need Reva, it would be cumbersome for you to set it up properly to test such scenario, and you ought to be able to understand that your server respects the protocol even when connecting to another Nextcloud - you could e.g. temporarily disable the /index.php/apps/files_sharing/shareinfo endpoint and see that accessing an OCM share would fail on it.

In principle we could arrange a call but in first approximation you should be able to get some logs without any additional info. As an alternative to a call I could offer you an OCM share served by CERNBox (Reva), which does respect the OCM protocol and does NOT offer the /index.php/apps/files_sharing/shareinfo endpoint. We could do that over Gitter if you want - I would essentially create a share and send you the shared secret.

[ArtificialOwl]

I have setup 2 nextcloud on differents server, to helps with the logs, the requests and their origin IPs.
Freshly installed nextcloud, patched with nextcloud/server#39574.

From my point of view, it fits the OCM API defined as v1.0 and the sharedSecret is transferred in the protocol entry.

• instance1 have a file, sharing it to remote instance2:

logs from instance2:
instance1 - - [05/Sep/2023:01:41:53 +0000] "GET /ocm-provider/ HTTP/1.1" 200 221
instance1 - - [05/Sep/2023:01:41:54 +0000] "POST /index.php/ocm/shares HTTP/1.1" 201 31

• when share is accepted on instance2:

logs from instance1:
instance2 - - [05/Sep/2023:01:42:34 +0000] "GET /ocm-provider/ HTTP/1.1" 200 221
instance2 - - [05/Sep/2023:01:42:34 +0000] "POST /index.php/ocm/notifications HTTP/1.1" 201 2
instance2 - - [05/Sep/2023:01:42:34 +0000] "GET /ocm-provider/ HTTP/1.1" 200 221
instance2 - - [05/Sep/2023:01:42:34 +0000] "PROPFIND /public.php/webdav/ HTTP/1.1" 401 305
instance2 - 85WuzDZtNbr4UlC [05/Sep/2023:01:42:34 +0000] "PROPFIND /public.php/webdav/ HTTP/1.1" 207 779
instance2 - - [05/Sep/2023:01:42:35 +0000] "GET /ocm-provider/ HTTP/1.1" 200 221

If you want to arrange a call, please send me an invitation at [email protected] (any day, after 11:30 AM, UTC+2)

[glpatcern]

Hello Maxence, thanks for this check. Have you got a chance to test the share I sent you by email?

We will double check that we're running the top of the branch from nextcloud/server#39574.

[glpatcern]

The behavior we observe, compared to your logs from instance2, is that we don't get the second PROPFIND with the sharedSecret.

In fact, why do you execute a first PROPFIND with no secret, which is doomed to fail with 401? As per your logs:

instance2 - - [05/Sep/2023:01:42:34 +0000] "PROPFIND /public.php/webdav/ HTTP/1.1" 401 305

This seems like a redundant call, only the second one is the proper OCM-compliant call.

[ArtificialOwl]

Hello,

I have received your mail, but I think the main purpose of OCM is to provide, during the creation of a share between instances, a discovery service that set an endpoint to manage the exchange of information about the way to access (protocol, here webdav + token) the shared document.

What is happening after the exchange of the token is not supposed to be related to OCM, right ?

[glpatcern]

From a user perspective, the access to the remote share must be part of the package. Otherwise, how do we ensure interoperability?

The OCM specs do include, on top of the discovery service (the /ocm-provider endpoint), also what to do for the access (PROPFIND http://<token>:@<remote-host>/<discovered-path>). And this is what Nextcloud does, except that earlier it is also doing another PROPFIND without token, which is doomed to fail - and for some yet unknown reason, when the server is not Nextcloud, the correct PROPFIND with the token never arrives.

Can we please address this?

[ArtificialOwl]

The PROPFIND from your logs returns a 207, which might explain why the second request with token is not sent.
I will have a look to the reason of this first request without token, however I need some help from your side, as I need a way to reproduce the issue and understand why there is not even a request on /ocm-provider in your logs ...

The best would be a fully configured reva, would it be on your servers, or a working docker I can run on mine.

[MahdiBaghbani]

Hi @ArtificialOwl, I think that PROPFIND with 207 is not what we are looking at here. I guess that's instance2 doing a call to itself. please correct me if I'm mistaken.

As you have said:

when the share is accepted on instance2:

logs from instance1:
instance2 - - [05/Sep/2023:01:42:34 +0000] "GET /ocm-provider/ HTTP/1.1" 200 221
instance2 - - [05/Sep/2023:01:42:34 +0000] "POST /index.php/ocm/notifications HTTP/1.1" 201 2
instance2 - - [05/Sep/2023:01:42:34 +0000] "GET /ocm-provider/ HTTP/1.1" 200 221
instance2 - - [05/Sep/2023:01:42:34 +0000] "PROPFIND /public.php/webdav/ HTTP/1.1" 401 305
instance2 - 85WuzDZtNbr4UlC [05/Sep/2023:01:42:34 +0000] "PROPFIND /public.php/webdav/ HTTP/1.1" 207 779
instance2 - - [05/Sep/2023:01:42:35 +0000] "GET /ocm-provider/ HTTP/1.1" 200 221

On NC -> Reva

processed http request host=172.19.0.10 method=PROPFIND pid=1260 pkg=http status=401 traceid=6fbe207aa327aa76448d4b53b731a66b uri=/remote.php/dav/ocm/
http end="28/Aug/2023:06:37:33 +0000" host=172.19.0.10 method=PROPFIND pid=1260 pkg=http proto=HTTP/2.0 req_headers={"Accept":["*/*"],"Content-Length":["382"],"Content-Type":["application/xml"],"Depth":["0"],"Traceparent":["00-6fbe207aa327aa76448d4b53b731a66b-fd7c5a641e766af4-01"],"User-Agent":["sabre-dav/4.4.0 (http://sabre.io/)"]} res_headers={"Access-Control-Allow-Origin":["*"],"Content-Security-Policy":["default-src 'none';"],"Strict-Transport-Security":["max-age=63072000"],"Vary":["Origin"],"X-Content-Type-Options":["nosniff"],"X-Download-Options":["noopen"],"X-Frame-Options":["SAMEORIGIN"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Robots-Tag":["none"],"X-Xss-Protection":["1; mode=block"]} size=0 start="28/Aug/2023:06:37:33 +0000" status=401 time_ns=147057383 traceid=6fbe207aa327aa76448d4b53b731a66b uri=/remote.php/dav/ocm/



processed http request host=172.19.0.10 method=POST pid=1260 pkg=http status=401 traceid=4948fb405f59db2cd9a7f5a6e10e9e5e uri=/index.php/apps/files_sharing/shareinfo?t=VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD
http end="28/Aug/2023:06:37:33 +0000" host=172.19.0.10 method=POST pid=1260 pkg=http proto=HTTP/1.1 req_headers={"Accept-Encoding":["gzip"],"Content-Length":["17"],"Content-Type":["application/x-www-form-urlencoded"],"User-Agent":["Nextcloud Server Crawler"]} res_headers={"Vary":["Origin"],"Www-Authenticate":["Basic realm=\"revanextcloud1.docker\"","Bearer realm=\"revanextcloud1.docker\""]} size=0 start="28/Aug/2023:06:37:33 +0000" status=401 time_ns=260810 traceid=4948fb405f59db2cd9a7f5a6e10e9e5e uri=/index.php/apps/files_sharing/shareinfo?t=VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD

you see that after first 401, unile NC->NC it doesn't retry with a PROPFIND + Secret and goes straight into /index.php/apps/files_sharing/shareinfo?t=VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD

[glpatcern]

The best would be a fully configured reva, would it be on your servers, or a working docker I can run on mine.

That's why I have sent you a share on a live system, https://sm1.cernbox.cern.ch, where you can test the scenario

[glpatcern]

On NC -> Reva

To better show what happens when accessing Reva as remote, as the logs are not very clear, this is what Nextcloud executes:

"PROPFIND /remote.php/dav/ocm/" 401
"POST /index.php/apps/files_sharing/shareinfo?t=VrsdQt2Ko2JWTBaVkQUajZB3QDkGuwvD"  401

The first is the "useless" PROPFIND without token, which also fails for Nextcloud. The path is correctly extracted from /ocm-provider, all right there.
The second is the Nextcloud-specific endpoint, which obviously fails for Reva.

The PROPFIND that returns 207 in your logs is the correct one, with the token, except that it is never called by Nextcloud.

The questions are still:

1. why a PROPFIND that is doomed to fail with 401?
2. in which conditions does Nextcloud fall back to the non-OCM-compliant endpoint /.../shareinfo ?

[ArtificialOwl]

The questions are still:

1. why a PROPFIND that is doomed to fail with 401?

This is coming from the auth digest defined in RFC2617 that we usually set for our curl request. I will see if this is considered safe enough by other engineers to set the auth as basic only when running those specific requests

2. in which conditions does Nextcloud fall back to the non-OCM-compliant endpoint `/.../shareinfo` ?

It called when it seems that the share is not available/deleted and that the remote host have a /status.php (considered as owncloud/nextcloud)

I will make a new patch that will remove the non-auth request on the webdav so you can run more tests.
In the meanwhile, can you tell me which version of Nextcloud is used for your test ?

[ArtificialOwl]

So, I added a new commit 8436359babe37542e59c0de2089be8a1cf6d896e to nextcloud/server#39574 that should remove the first PROPFIND

please keep me updated of your new tests

[glpatcern]

As also discussed by email, I confirm that worked, and I could see successful calls in my server logs. Hopefully using basic auth straight for the PROPFIND is ok as anyway that's how it ends up working - so it's as safe as the previous implementation.

I have one more comment though: now that a federated share was established, I see that Nextcloud probes my server at /ocm-provider every minute. What is that for? what happens if a remote server is down during e.g. 1h for a scheduled downtime? IMHO it seems excessive to probe all remote servers (or even all remote shares?) at that high rate.

[ArtificialOwl]

My browser was open on the shared folder, and no cache is set. usually result from ocm-provider is cached for about 24h

[glpatcern]

ok, good to know. Meanwhile we tested NC from the top of your branch and I confirm it worked.

[glpatcern]

@MahdiBaghbani there is a residual issue with uploads in this scenario, but I believe this is on us and to be tracked separately. I'm closing this issue now.