Fix Bearer token authentication causing session logout

cbcoutinho · cbcoutinho · commit deab2dac3d73 · 2025-10-12T21:09:29.000+02:00
When using Bearer token authentication with OIDC, API requests to endpoints with @cors annotations (like Notes API) were failing with 401 Unauthorized errors. This occurred because: 1. Bearer token validation successfully authenticated the user 2. A session was created for the authenticated user 3. Nextcloud's CORSMiddleware detected the logged-in session but no CSRF token, causing it to call session->logout() 4. The logout invalidated the session, breaking the API request This fix sets the 'app_api' session flag during Bearer token authentication, which instructs CORSMiddleware to skip the CSRF check and logout logic. This is the same mechanism used by Nextcloud's AppAPI framework for external application authentication. The flag is set at all successful Bearer token authentication points: - Line 243: After OIDC Identity Provider validation - Line 310: After auto-provisioning with bearer provisioning - Line 315: After existing user authentication - Line 337: After LDAP user sync Fixes: Bearer token authentication for all Nextcloud APIs Tested-with: nextcloud-mcp-server integration tests
diff --git a/lib/User/Backend.php b/lib/User/Backend.php
@@ -240,6 +240,7 @@ public function getCurrentUserId(): string {
 					$this->eventDispatcher->dispatchTyped($validationEvent);
 					$oidcProviderUserId = $validationEvent->getUserId();
 					if ($oidcProviderUserId !== null) {
+						$this->session->set('app_api', true);
 						return $oidcProviderUserId;
 					} else {
 						$this->logger->debug('[NextcloudOidcProviderValidator] The bearer token validation has failed');
@@ -306,10 +307,12 @@ public function getCurrentUserId(): string {
 							}
 
 							$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+							$this->session->set('app_api', true);
 							return $userId;
 						} elseif ($this->userExists($tokenUserId)) {
 							$this->checkFirstLogin($tokenUserId);
 							$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+							$this->session->set('app_api', true);
 							return $tokenUserId;
 						} else {
 							// check if the user exists locally
@@ -331,6 +334,7 @@ public function getCurrentUserId(): string {
 							}
 							$this->checkFirstLogin($tokenUserId);
 							$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+							$this->session->set('app_api', true);
 							return $tokenUserId;
 						}
 					}
