feat(dav): accept bearer access tokens on webdav endpoints

enriquepablo · mickenordin · commit 977beac3c5a0 · 2026-05-28T14:04:39.000+02:00
Signed-off-by: Micke Nordin &lt;kano@sunet.se&gt;
Signed-off-by: Enrique Pérez Arnaud &lt;enrique@cazalla.net&gt;
diff --git a/apps/dav/appinfo/v1/caldav.php b/apps/dav/appinfo/v1/caldav.php
@@ -18,6 +18,7 @@
 use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\Connector\LegacyDAVACL;
 use OCA\DAV\Connector\Sabre\Auth;
+use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
 use OCA\DAV\Connector\Sabre\MaintenancePlugin;
 use OCA\DAV\Connector\Sabre\Principal;
@@ -47,6 +48,12 @@
 	Server::get(IThrottler::class),
 	'principals/'
 );
+$bearerAuthBackend = new BearerAuth(
+	Server::get(IUserSession::class),
+	Server::get(ISession::class),
+	Server::get(IRequest::class),
+	Server::get(IConfig::class),
+);
 $principalBackend = new Principal(
 	Server::get(IUserManager::class),
 	Server::get(IGroupManager::class),
@@ -108,7 +115,9 @@
 
 // Add plugins
 $server->addPlugin(new MaintenancePlugin(Server::get(IConfig::class), $davL10n));
-$server->addPlugin(new \Sabre\DAV\Auth\Plugin($authBackend));
+$authPlugin = new \Sabre\DAV\Auth\Plugin($authBackend);
+$authPlugin->addBackend($bearerAuthBackend);
+$server->addPlugin($authPlugin);
 $server->addPlugin(new \Sabre\CalDAV\Plugin());
 
 $server->addPlugin(new LegacyDAVACL());
diff --git a/apps/dav/appinfo/v1/carddav.php b/apps/dav/appinfo/v1/carddav.php
@@ -17,6 +17,7 @@
 use OCA\DAV\CardDAV\Validation\CardDavValidatePlugin;
 use OCA\DAV\Connector\LegacyDAVACL;
 use OCA\DAV\Connector\Sabre\Auth;
+use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
 use OCA\DAV\Connector\Sabre\MaintenancePlugin;
 use OCA\DAV\Connector\Sabre\Principal;
@@ -44,6 +45,12 @@
 	Server::get(IThrottler::class),
 	'principals/'
 );
+$bearerAuthBackend = new BearerAuth(
+	Server::get(IUserSession::class),
+	Server::get(ISession::class),
+	Server::get(IRequest::class),
+	Server::get(IConfig::class),
+);
 $principalBackend = new Principal(
 	Server::get(IUserManager::class),
 	Server::get(IGroupManager::class),
@@ -90,7 +97,9 @@
 $server->setBaseUri($baseuri);
 // Add plugins
 $server->addPlugin(new MaintenancePlugin(Server::get(IConfig::class), Server::get(IL10nFactory::class)->get('dav')));
-$server->addPlugin(new \Sabre\DAV\Auth\Plugin($authBackend));
+$authPlugin = new \Sabre\DAV\Auth\Plugin($authBackend);
+$authPlugin->addBackend($bearerAuthBackend);
+$server->addPlugin($authPlugin);
 $server->addPlugin(new Plugin());
 
 $server->addPlugin(new LegacyDAVACL());
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
@@ -9,6 +9,7 @@
 use OC\Files\Storage\Wrapper\DirPermissionsMask;
 use OC\Files\View;
 use OCA\DAV\Connector\LegacyPublicAuth;
+use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCA\DAV\Connector\Sabre\ServerFactory;
 use OCA\DAV\Files\Sharing\FilesDropPlugin;
 use OCA\DAV\Files\Sharing\PublicLinkCheckPlugin;
@@ -49,7 +50,14 @@
 	Server::get(ISession::class),
 	Server::get(IThrottler::class)
 );
+$bearerAuthBackend = new BearerAuth(
+	Server::get(IUserSession::class),
+	Server::get(ISession::class),
+	Server::get(IRequest::class),
+	Server::get(IConfig::class),
+);
 $authPlugin = new \Sabre\DAV\Auth\Plugin($authBackend);
+$authPlugin->addBackend($bearerAuthBackend);
 
 /** @var IEventDispatcher $eventDispatcher */
 $eventDispatcher = Server::get(IEventDispatcher::class);
@@ -80,6 +88,7 @@
 	$authPlugin,
 	function (\Sabre\DAV\Server $server) use (
 		$authBackend,
+		$bearerAuthBackend,
 		$linkCheckPlugin,
 		$filesDropPlugin
 	) {
@@ -90,8 +99,11 @@ function (\Sabre\DAV\Server $server) use (
 			// this is what is thrown when trying to access a non-existing share
 			throw new \Sabre\DAV\Exception\NotAuthenticated();
 		}
-
-		$share = $authBackend->getShare();
+		try {
+			$share = $authBackend->getShare();
+		} catch (AssertionError $e) {
+			$share = $bearerAuthBackend->getShare();
+		}
 		$isReadable = $share->getPermissions() & Constants::PERMISSION_READ;
 		$fileId = $share->getNodeId();
 
diff --git a/apps/dav/appinfo/v2/publicremote.php b/apps/dav/appinfo/v2/publicremote.php
@@ -8,6 +8,7 @@
 use OC\Files\Filesystem;
 use OC\Files\Storage\Wrapper\DirPermissionsMask;
 use OC\Files\View;
+use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCA\DAV\Connector\Sabre\PublicAuth;
 use OCA\DAV\Connector\Sabre\ServerFactory;
 use OCA\DAV\Files\Sharing\FilesDropPlugin;
@@ -65,7 +66,14 @@
 	Server::get(LoggerInterface::class),
 	Server::get(IURLGenerator::class),
 );
+$bearerAuthBackend = new BearerAuth(
+	Server::get(IUserSession::class),
+	$session,
+	$request,
+	Server::get(IConfig::class),
+);
 $authPlugin = new \Sabre\DAV\Auth\Plugin($authBackend);
+$authPlugin->addBackend($bearerAuthBackend);
 
 $l10nFactory = Server::get(IFactory::class);
 $serverFactory = new ServerFactory(
@@ -86,7 +94,7 @@
 $filesDropPlugin = new FilesDropPlugin();
 
 /** @var string $baseuri defined in public.php */
-$server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($baseuri, $requestUri, $authBackend, $linkCheckPlugin, $filesDropPlugin) {
+$server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($baseuri, $requestUri, $authBackend, $bearerAuthBackend, $linkCheckPlugin, $filesDropPlugin) {
 	// GET must be allowed for e.g. showing images and allowing Zip downloads
 	if ($server->httpRequest->getMethod() !== 'GET') {
 		// If this is *not* a GET request we only allow access to public DAV from AJAX or when Server2Server is allowed
@@ -98,7 +106,11 @@
 		}
 	}
 
-	$share = $authBackend->getShare();
+	try {
+		$share = $authBackend->getShare();
+	} catch (NotFound $e) {
+		$share = $bearerAuthBackend->getShare();
+	}
 	$isReadable = $share->getPermissions() & Constants::PERMISSION_READ;
 	$fileId = $share->getNodeId();
 
diff --git a/apps/dav/lib/Connector/Sabre/BearerAuth.php b/apps/dav/lib/Connector/Sabre/BearerAuth.php
@@ -12,6 +12,9 @@
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserSession;
+use OCP\Server;
+use OCP\Share\IManager;
+use OCP\Share\IShare;
 use Sabre\DAV\Auth\Backend\AbstractBearer;
 use Sabre\HTTP\RequestInterface;
 use Sabre\HTTP\ResponseInterface;
@@ -23,6 +26,7 @@ public function __construct(
 		private IRequest $request,
 		private IConfig $config,
 		private string $principalPrefix = 'principals/users/',
+		private string $token = '',
 	) {
 		// setup realm
 		$defaults = new Defaults();
@@ -41,6 +45,15 @@ private function setupUserFs($userId) {
 	#[\Override]
 	public function validateBearerToken($bearerToken) {
 		\OC_Util::setupFS();
+		$this->token = $bearerToken;
+
+		// public.php sets incognito mode for anonymous share access, which makes
+		// Session::getUser() return null and consequently Session::isLoggedIn()
+		// return false even after a successful token login. Disable it here so
+		// the logged-in user is visible for the rest of the request. If the
+		// bearer token is invalid and Sabre falls back to one of the public
+		// auth backends, that backend will re-enable incognito mode itself.
+		\OC_User::setIncognitoMode(false);
 
 		if (!$this->userSession->isLoggedIn()) {
 			$this->userSession->tryTokenLogin($this->request);
@@ -52,6 +65,12 @@ public function validateBearerToken($bearerToken) {
 		return false;
 	}
 
+	public function getShare(): IShare {
+		$shareManager = Server::get(IManager::class);
+		$share = $shareManager->getShareByToken($this->token);
+		return $share;
+	}
+
 	/**
 	 * \Sabre\DAV\Auth\Backend\AbstractBearer::challenge sets an WWW-Authenticate
 	 * header which some DAV clients can't handle. Thus we override this function
