[Bug?] Zotero does not send password to some WebDAV servers

vmok87scxg
Error report 1839218295

When I try to set up WebDAV sync I see the error: [JavaScript Error: "The WebDAV server did not accept the username and password you entered. Please check your file sync settings or contact your WebDAV server administrator."]


On my web server, this request has been logged without an authorization header:

PROPFIND /remote.php/dav/spaces/03802235-e3a0-4e0c-8ffb-d0d480d29665$467d8181-ab7c-4e00-ad8e-33e8495fdf2f/Mechanisms/!Program%20Data/zotero/ HTTP/1.0
Host: ******
Connection: close
Content-Length: 66
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: text/xml; charset=utf-8
depth: 0


Meanwhile, another client (Rclone) is able to authenticate with my WebDAV server:

PROPFIND /remote.php/dav/spaces/03802235-e3a0-4e0c-8ffb-d0d480d29665$467d8181-ab7c-4e00-ad8e-33e8495fdf2f/Mechanisms/%21Program%20Data/nonexistent/ HTTP/1.0
Host: ******
Connection: close
Content-Length: 308
user-agent: rclone/1.68.2
authorization: Basic ****
depth: 1
accept-encoding: gzip


I can give you test credentials on this server, although this bug appears to be Zotero deciding to not send the credentials in the place.
  • dstillman
    edited March 4, 2025
    We'd want to see a Debug ID for a Verify Server attempt and/or a sync attempt that fails, but if the request requires credentials, the server needs to respond with 401 and WWW-Authenticate.
  • vmok87scxg
    The debug ID is D474190366.

    Yes, my server behaves as required: 401 and WWW-Authenticate.
  • dstillman
    Yes, if you can send test credentials to support@zotero.org with a link to this thread, that would be helpful.

    Your server isn't behaving like most WebDAV servers. We make an OPTIONS request to determine if a URL is a WebDAV path, and generally WebDAV servers put those behind authentication, because not all paths are WebDAV paths and they don't want to reveal what's a valid path to an unauthenticated user. But your server is returning 204 for any URL, existing or not.

    But a 401 with WWW-Authenticate in response to a PROPFIND should also trigger authentication, so we'd want to look into why that's not happening.
  • vmok87scxg
    I sent the email with test server information.
  • dstillman
    The server is responding with www-authenticate: Bearer realm="[domain]", charset="UTF-8", which is for OAuth clients. It needs to advertise itself as supporting Basic or Digest auth.
  • vmok87scxg
    edited March 6, 2025
    You are right about my server behavior.

    But is it necessary for Zotero to perform a two-step "smart" initialization for WebDAV? By two-step, I mean first attempting to connect without any credential, then only if authentication is required, send the credentials using the type detected in the first step.

    Most clients ask the user to specify the credentials with its type (basic/digest/OAuth/etc). The client would only perform one request with the credentials. This seems least error-prone.

    Clients which support interactive setup usually do not ask for credentials until they see www-authenticate from the server.
  • dstillman
    Zotero is based on Firefox, and Firefox's HTTP stack won't send credentials until the server prompts for them. This is generally considered more secure than sending them with the initial request.
    Most clients ask the user to specify the credentials with its type (basic/digest/OAuth/etc).
    I don't think that's true at all. I think "most" user-facing WebDAV clients — not developer tools like curl — ask for a URL, a username, and a password, and they use either Basic or Digest authentication in response to a server challenge. The vast majority of Zotero users using WebDAV have no idea what Basic or Digest authentication are. (One could argue that Digest authentication is pointless in the age of ubiquitous HTTPS and that clients given a username/password should try Basic preemptively, but it's absurd to expect end users to specify this.)

    In any case, this is unlikely to change on our end, so you should fix your server to issue a proper WWW-Authenticate for Basic Auth.
  • vmok87scxg
    Yes, the server should announce all authentication methods it supports. I will report this to the developers of my WebDAV server, ownCloud Infinite Scale.

    It is understandable for Zotero to only support Basic and Digest. However, it is also a fact that more and more providers, including my own selfhosted services, are OAuth-native. This will become a real issue in the foreseeable future. Users then might find it absurd to enter a user name and password in an (untrustworthy) third-party client; instead, they might expect a web login and authorization flow.
Sign In or Register to comment.