Server: "CSRF check failed" when using nextcloud/ocs/v1.php/cloud/users API

Created on 19 Dec 2016 · 2 Comments · Source: nextcloud/server

NextCloud 11 server: we have a PHP script that adds users. It worked well with NextCloud 10.

Steps to reproduce

  1. code snippet:

     ```php
     // reporter's snippet: admin credentials embedded in the URL, no OCS-APIRequest header sent
     $url = 'https://' . $ownAdminname . ':' . $ownAdminpassword . '@nextcloud.example.com/nextcloud/ocs/v1.php/cloud/users';
     $nextcloudPOSTArray = array('userid' => $userName, 'password' => $RRpassword);
     ```
  2. curl it to server

Expected behaviour

User created

Actual behaviour

"CSRF check failed"

Server configuration

Operating system: openSUSE 13.2

Web server: Apache2

Database: mysql

PHP version: 5.6.1

Nextcloud version: 11.0.0

Updated from an older Nextcloud/ownCloud or fresh install: updated from 10.0.2

Where did you install Nextcloud from: zip

Signing status: No errors have been found.

List of activated apps:

  - activity: 2.4.1
  - comments: 1.1.0
  - dav: 1.1.1
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - richdocuments: 1.1.24
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_ldap: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - admin_audit
  - encryption
  - external
  - files_accesscontrol
  - files_automatedtagging
  - files_external
  - files_retention
  - templateeditor
  - user_external
  - user_saml

The content of config/config.php:

```json
{
    "system": {
        "instanceid": "ociimghhkjug",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "demo.collaboracloudsuite.com"
        ],
        "datadirectory": "\/srv\/www\/htdocs\/nextcloud\/data",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "11.0.0.10",
        "logtimezone": "UTC",
        "installed": true,
        "appstore.experimental.enabled": true,
        "maintenance": false,
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "loglevel": 0,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable"
    }
}
```

**Are you using external storage, if yes which one:** N/A

**Are you using encryption:** no

**Are you using an external user-backend, if yes which one:** N/A

#### Nextcloud log (data/nextcloud.log)

```json
{"reqId":"jN8gFgi\/7VHz4Yy8Ceec","remoteAddr":"52.51.221.25","app":"no app in context","message":"CSRF check failed","level":0,"time":"2016-12-19T12:24:22+00:00","method":"POST","url":"\/nextcloud\/ocs\/v1.php\/cloud\/users","user":"admin","version":"11.0.0.10"}
```

Most helpful comment

The CSRF token isn't required in those cases as long as you send the `OCS-APIRequest: true` HTTP header. For example:

```
➜  stable9 git:(master) ✗ curl http://admin:[email protected]/stable9/ocs/v1.php/cloud/users -H "OCS-APIRequest: true"
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>100</statuscode>
  <message>OK</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data>
  <users>
   <element>admin</element>
   <element>test</element>
   <element>user01</element>
   <element>user02</element>
  </users>
 </data>
```

The OCS-APIRequest header is required for security reasons in Nextcloud 11 and later. (this has been documented in the OCS docs before but not properly implemented)
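As an added example (not the reporter's script and not Nextcloud's own code), here is the reporter's user-creation request rewritten in PHP with the header the comment describes, parsing the OCS `<meta>` envelope to check the result; the base URL, admin account name, new user's name and the environment variable names are assumptions:

```php
<?php
// Added example, not the reporter's script or Nextcloud code: create a user via the
// provisioning API on Nextcloud 11+, sending the "OCS-APIRequest: true" header that
// the server requires before it skips the CSRF token check. Assumed: base URL,
// admin account, new user's name, and the environment variables holding passwords.
function nextcloudCreateUser($baseUrl, $admin, $adminPassword, $userId, $userPassword)
{
    $ch = curl_init($baseUrl . '/ocs/v1.php/cloud/users');
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(array(
            'userid'   => $userId,
            'password' => $userPassword,
        )),
        // Basic auth via cURL options rather than credentials embedded in the URL,
        // where they can end up in proxy or application logs.
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $admin . ':' . $adminPassword,
        // Without this header Nextcloud 11+ answers "CSRF check failed".
        CURLOPT_HTTPHEADER     => array('OCS-APIRequest: true'),
        CURLOPT_RETURNTRANSFER => true,
    ));
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('curl failed: ' . $err);
    }
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    // The OCS envelope reports its own result in <meta>; statuscode 100 means OK.
    $xml = simplexml_load_string($body);
    if ($xml === false) {
        throw new RuntimeException("non-XML response (HTTP $httpCode): $body");
    }
    return array(
        'http'       => $httpCode,
        'status'     => (string) $xml->meta->status,
        'statuscode' => (int) $xml->meta->statuscode,
        'message'    => (string) $xml->meta->message,
    );
}
// Usage: passwords come from the environment so they never sit in the script.
$result = nextcloudCreateUser('https://nextcloud.example.com/nextcloud', 'admin',
    getenv('NC_ADMIN_PASSWORD'), 'newuser', getenv('NC_NEW_USER_PASSWORD'));
if ($result['statuscode'] !== 100) {
    fwrite(STDERR, "user creation failed: {$result['status']} {$result['message']}\n");
    exit(1);
}
echo "user created\n";
```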

All 2 comments

When I am using the Nextcloud OCS curl API, it gives me error 503.
Can anyone help me with what to enable for curl requests to Nextcloud?
