Authorization by bearer token fails on some servers (Floccus E019; HTTP status 405)

[joshqou]

Describe the bug

This is a formalisation of my comments in floccusaddon/floccus#2200
For effected floccus users, see: floccusaddon/floccus#2200 (comment)

Protected API requests to the bookmarks API will fail if a server-supplied bearer token is used and no other valid authorisation is presented (i.e: session cookies). This behaviour only appears to effect some Nextcloud installations.

This bug only manifested after upgrading to Nextcloud 31/32

Steps to Reproduce

1. Identify an effected Nextcloud server (as reported by @marcelklehr, this does not effect all installations)
2. Create a profile in Floccus to sync from the effected server
3. Floccus will immediately attempt to sync once the profile has been created
   3.1. Floccus will successfully lock the API using basic authorization
   3.2. Floccus will list the root folder of the user's bookmarks (GET /index.php/apps/bookmarks/public/rest/v2/folder?root=-1&layers=0
   3.3. Floccus will save the bearer token received from the server when it requested the contents of the root folder
   3.4. Floccus will make a subsequent request (may be another folder request, or something else) with the saved bearer token
   3.5. Bookmarks will not recognize the bearer token it supplied to the client, and if the client has no other valid authorisation such as cookies, will refuse to route the request to the bookmarks api, returning HTTP 405. (GET /index.php/apps/bookmarks/public/rest/v2/folder?root=12&layers=0)
4. Floccus will report E019: HTTP status 405. Failed GET request.

Known Effected Clients:

• Flatpak Ungoogled Chromium 146.0.7680.80 with Floccus 5.8.6
• macOS Ungoogled Chromium 146.0.7680.80 with Floccus 5.8.0

Uneffected Clients:

• iOS Floccus 5.8.6

Server Information

• OS: Fedora Server 42
• HTTP server: nginx 1.28.2
• Database: MariaDB 10.11.16
• PHP version: 8.4.19
• Nextcloud version: Nextcloud 32.0.6 (initially Nextcloud 26 via webinstall)
• Bookmarks app version: 16.1.3
• Nextcloud external user backend: user_oidc
• Activated Nextcloud Apps: see below
• Nextcloud configuration: see below

Activated Nextcloud Apps

Enabled:
  - activity: 5.0.0
  - admin_audit: 1.22.0
  - announcementcenter: 7.3.0
  - app_api: 32.0.0
  - bookmarks: 16.1.3
  - bruteforcesettings: 5.0.0
  - calendar: 6.2.1
  - cloud_federation_api: 1.16.0
  - comments: 1.22.0
  - contacts: 8.3.4
  - dav: 1.34.2
  - federatedfilesharing: 1.22.0
  - files: 2.4.0
  - files_downloadlimit: 5.0.0-dev.0
  - files_pdfviewer: 5.0.0
  - files_reminders: 1.5.0
  - files_sharing: 1.24.1
  - files_trashbin: 1.22.0
  - files_versions: 1.25.0
  - logreader: 5.0.0
  - lookup_server_connector: 1.20.0
  - nextcloud_announcements: 4.0.0
  - notes: 4.13.0
  - notifications: 5.0.0
  - oauth2: 1.20.0
  - password_policy: 4.0.0
  - passwords: 2026.2.20
  - photos: 5.0.0
  - privacy: 4.0.0
  - profile: 1.1.0
  - provisioning_api: 1.22.0
  - recommendations: 5.0.0
  - related_resources: 3.0.0
  - serverinfo: 4.0.0
  - settings: 1.15.1
  - spreed: 22.0.9
  - systemtags: 1.22.0
  - tasks: 0.17.1
  - theming: 2.7.0
  - twofactor_backupcodes: 1.21.0
  - updatenotification: 1.22.0
  - user_oidc: 5.0.2
  - user_status: 1.12.0
  - viewer: 5.0.0
  - workflowengine: 2.14.0

Nextcloud Configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "32.0.6.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "defaultapp": "announcementcenter,files",
        "default_phone_region": "GB",
        "auth.webauthn.enabled": false,
        "lost_password_link": "disabled",
        "allow_local_remote_servers": true,
        "maintenance_window_start": 22,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "maintenance": false,
        "theme": "",
        "loglevel": 1,
        "app_install_overwrite": [
            "user_oidc"
        ]
    }
}

Logs

This issue does not generate any relevant errors or logs to nextcloud.log or to php.

Web Server Error Log

nextcloud_user [23/Mar/2026:21:48:54 +0000] "GET /ocs/v2.php/cloud/capabilities?format=json HTTP/1.1" 200 3407 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:48:54 +0000] "POST /index.php/apps/bookmarks/public/rest/v2/lock HTTP/1.1" 200 206 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:48:54 +0000] "GET /index.php/apps/bookmarks/public/rest/v2/folder?root=-1&layers=0 HTTP/1.1" 200 336 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
- [23/Mar/2026:21:48:55 +0000] "GET /index.php/apps/bookmarks/public/rest/v2/folder?root=12&layers=0 HTTP/1.1" 405 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:48:55 +0000] "DELETE /index.php/apps/bookmarks/public/rest/v2/lock HTTP/1.1" 200 206 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:49:11 +0000] "GET /ocs/v2.php/cloud/capabilities?format=json HTTP/1.1" 200 3407 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:49:11 +0000] "POST /index.php/apps/bookmarks/public/rest/v2/lock HTTP/1.1" 200 207 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:49:11 +0000] "GET /index.php/apps/bookmarks/public/rest/v2/folder?root=-1&layers=0 HTTP/1.1" 200 336 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
- [23/Mar/2026:21:49:11 +0000] "GET /index.php/apps/bookmarks/public/rest/v2/folder?root=12&layers=0 HTTP/1.1" 405 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
- [23/Mar/2026:21:49:11 +0000] "DELETE /index.php/apps/bookmarks/public/rest/v2/lock HTTP/1.1" 405 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:49:12 +0000] "GET /ocs/v2.php/cloud/capabilities?format=json HTTP/1.1" 200 3407 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:49:12 +0000] "POST /index.php/apps/bookmarks/public/rest/v2/lock HTTP/1.1" 423 328 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
nextcloud_user [23/Mar/2026:21:49:14 +0000] "GET /ocs/v2.php/cloud/capabilities?format=json HTTP/1.1" 200 3407 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"

Nextcloud log (nextcloud/data/nextcloud.log)

{"reqId":"ryzRWnE8Qf9dLt58Y3e5","level":1,"time":"2026-03-23T21:54:00+00:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"nextcloud_user","app":"no app in context","method":"GET","url":"/ocs/v2.php/cloud/capabilities?format=json","scriptName":"/ocs/v2.php","message":"The user config key files/quota is not defined in the config lexicon","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36","version":"32.0.6.1","data":[]}
{"reqId":"fESx2EiMpIMqgbx795nm","level":1,"time":"2026-03-23T21:54:34+00:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"nextcloud_user","app":"no app in context","method":"GET","url":"/ocs/v2.php/cloud/capabilities?format=json","scriptName":"/ocs/v2.php","message":"The user config key files/quota is not defined in the config lexicon","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36","version":"32.0.6.1","data":[]}
{"reqId":"VaLt798qMfX2VWV88LyZ","level":1,"time":"2026-03-23T21:54:36+00:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"nextcloud_user","app":"no app in context","method":"GET","url":"/ocs/v2.php/cloud/capabilities?format=json","scriptName":"/ocs/v2.php","message":"The user config key files/quota is not defined in the config lexicon","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36","version":"32.0.6.1","data":[]}
{"reqId":"scuHTtG871bqkBdaizpS","level":1,"time":"2026-03-23T21:54:38+00:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"nextcloud_user","app":"no app in context","method":"GET","url":"/ocs/v2.php/cloud/capabilities?format=json","scriptName":"/ocs/v2.php","message":"The user config key files/quota is not defined in the config lexicon","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36","version":"32.0.6.1","data":[]}
{"reqId":"WjcTtbD736ET74pfNY0m","level":1,"time":"2026-03-23T21:54:38+00:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"nextcloud_user","app":"no app in context","method":"GET","url":"/ocs/v2.php/cloud/capabilities?format=json","scriptName":"/ocs/v2.php","message":"The user config key files/quota is not defined in the config lexicon","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36","version":"32.0.6.1","data":[]}

[github-actions]

Hello 👋

Thank you for taking the time to open this issue with the bookmarks app. I know it's frustrating when software
causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at
and if possible solved.
I'm Marcel and have been maintaining this software the last few years. I currently work for Nextcloud but maintain this app
in my free time, because it is not an official Nextcloud product. My day job at Nextcloud is pretty awesome but sadly leaves me with
less time for side projects like this one than I used to have.
I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it.
Until then, please be patient.
Note also that GitHub is a place where people meet to make software better together. Nobody here is under any obligation
to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can
collaborate to make this software better. For everyone.
Thus, if you can, you could also look at other issues to see whether you can help other people with your knowledge
and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and
try to fix the odd bug yourself. Everyone will be thankful for extra helping hands!
One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the forum,
to twitter or somewhere else. But this is a technical issue tracker, so please make sure to
focus on the tech and keep your opinions to yourself. (Also see our Code of Conduct. Really.)

I look forward to working with you on this issue
Cheers 💙

[joshqou]

My working theory of this bug is that the code within Authorizer.php is somehow not recognizing or not receiving the bearer tokens the Bookmarks API is returning to clients. Alteratively, this behaviour could have been a result of a breaking change within Nextcloud that results in requests which are not authenticated not being passed to Bookmarks in the first place. I believe this due to these three behaviours:

1. If alternate authorization is sent by the client, such as session cookies, then the API will respond perfectly fine even with a bearer token also being supplied.
2. If requests are replayed using basic authorization, the API will respond perfectly fine even if session cookies are not sent.
3. Declaring a bearer token via Authorization or through &token= behave identically and do not authorize the request.

Request using userpass authorization:

Request using bearer authorization:

Additional finding: Requesting /index.php/apps/bookmarks/public/rest/v2/folder?root=12&layers=0 with no Authorization and credentials: include returns HTTP 401 whereas no Authorization with credentials: omit returns HTTP 405. I'm beginning to lean more towards my routing issue theory

[marcelklehr]

I'm beginning to lean more towards my routing issue theory

Yeah, 405 seems to indicate that the Authorizer code isn't even reached.

[marcelklehr]

I think this may be happening due to an optimization in nextcloud to avoid loading certain routes if the user is not logged in. I'll have to rewrite the auth logic then :(

[marcelklehr]

mmh, I still cannot reproduce this with a clean nextcloud 32 instance. @joshqou Can you try to reproduce this without the user_oidc app or with a user that is not provisioned by user_oidc?

[marcelklehr]

Also, can you try the following on an affected instance:

php occ router:match --method=GET /apps/bookmarks/public/rest/v2/folder

[joshqou]

mmh, I still cannot reproduce this with a clean nextcloud 32 instance. @joshqou Can you try to reproduce this without the user_oidc app or with a user that is not provisioned by user_oidc?

Same behaviour happens with a native nextcloud user.

Also, can you try the following on an affected instance:

php occ router:match --method=GET /apps/bookmarks/public/rest/v2/folder

$ ./occ router:match --method=GET /apps/bookmarks/public/rest/v2/folder
Method not allowed on this path

[joshqou]

The passwords app is also installed on my instance and behaves just fine

$ ./occ router:match --method=POST /apps/passwords/api/1.0/session/open
+----------------------------+-----------+----------------------+--------+
| route                      | appid     | controller           | method |
+----------------------------+-----------+----------------------+--------+
| passwords.session_api.open | passwords | SessionApiController | open   |
+----------------------------+-----------+----------------------+--------+

[marcelklehr]

mmh, this is what I get

php occ router:match --method=GET /apps/bookmarks/public/rest/v2/folder
+------------------------------+-----------+-------------------+------------+
| route                        | appid     | controller        | method     |
+------------------------------+-----------+-------------------+------------+
| bookmarks.folders.getfolders | bookmarks | FoldersController | getFolders |
+------------------------------+-----------+-------------------+------------+

./occ --version
Nextcloud 32.0.8 RC1

[joshqou]

Well we've at least established it's a routing issue of... some kind. Is there a very simple route in the bookmarks app I could check that doesn't go through the custom authorizer?

Also I joined the gitter room a few days ago if you'd prefer to work through this over there instead

$ ./occ --version
Nextcloud 32.0.6

[marcelklehr]

It seems the issue comes from the one legacy route I left in place in routes.php which in some cases matches the routes greedily before the actual routes :/ I'll publish a fix this week :) Thank you for taking the time to get to the bottom of this with me!

[marcelklehr]

@joshqou Would you mind testing this PR: #2397