Constant 401 in Surfer app for WebDAV after user password change

d19dotca

I updated my Cloudron user password on my server and had to update all my Mail and DAV clients, etc. Not a problem, they all worked. However in the Surfer app, I have been unable to access it's WebDAV feature using my new credentials, even the old credentials don't seem to work there either. I've restarted the app several times, even restarted the entire server, no difference unfortunately.

I initially just thought it was my Enpass app, but I've also tried to connect via Cyberduck and even the Surfer WebDAV link from it's homepage where it then prompts for credentials, and same behaviour where it won't let me in and the logs show a constant 401 no matter what method is used.

Any ideas?

From the logs:

Nov 29 13:11:10 Listening on http://:::3000
Nov 29 13:12:24 GET / 304 12.740 ms - -
Nov 29 13:12:24 GET /_admin/css/style.css 304 0.919 ms - -
Nov 29 13:12:24 GET /_admin/img/logo.png 304 0.477 ms - -
Nov 29 13:12:29 PROPFIND /_webdav/ 401 7.956 ms - -
Nov 29 13:12:30 PROPFIND /_webdav/ 401 0.368 ms - -
Nov 29 13:12:30 PROPFIND /_webdav/ 401 0.535 ms - -
Nov 29 13:12:30 PROPFIND /_webdav/ 401 0.370 ms - -
Nov 29 13:12:30 PROPFIND /_webdav/ 401 0.426 ms - -
Nov 29 13:12:39 PROPFIND /_webdav/ 401 0.557 ms - -
Nov 29 13:12:39 PROPFIND /_webdav/ 401 0.367 ms - -
Nov 29 13:12:40 PROPFIND /_webdav/ 401 0.512 ms - -
Nov 29 13:12:40 PROPFIND /_webdav/ 401 0.328 ms - -
Nov 29 13:12:40 PROPFIND /_webdav/ 401 0.390 ms - -
Nov 29 13:13:36 PROPFIND /_webdav/ 401 0.770 ms - -
Nov 29 13:13:36 PROPFIND /_webdav/ 401 0.344 ms - -
Nov 29 13:13:37 PROPFIND /_webdav/ 401 0.433 ms - -
Nov 29 13:13:37 PROPFIND /_webdav/ 401 0.306 ms - -
Nov 29 13:13:37 PROPFIND /_webdav/ 401 0.279 ms - -
Nov 29 13:15:53 GET /_webdav/ 401 1.234 ms - -
Nov 29 13:15:56 GET /_webdav/ 401 0.564 ms - -

Given that it's a 401, I presume this definitely has to do with the user password change, but no idea why it's not corrected / fixed after a restart of the app or restart of the entire server even. It won't take the old credentials nor the new ones. Every other service seems to work fine though, I can even login to the web admin for Surfer just fine with the new credentials, this seems specific to WebDAV functionality.

d19dotca

Okay I think I figured out the issue - however this is still very strange to me as to why it only seemed to impact WebDAV access and nothing else. TL;DR: Something about the password (perhaps a special character?) isn't treated properly in the WebDAV functionality in Surfer.

When I created my new password earlier, it was a very strong 32-character password with symbols, uppercase, lowercase, and digits - randomly generated by a password generator. It worked fine for logging into Cloudron and the associated LDAP-enabled apps like WordPress for example, however WebDAV in the Surfer app would constantly respond with HTTP 401.

So I ran a test and made the password just regular characters (uppercase, lowercase, and hyphens only, not even any digits, an 8-word randomized diceware password generated by the password generator). It was even longer than the original password I used earlier today, just less types of characters. It then worked successfully - I was able to login to my WebDAV immediately after that change.

So it seems that WebDAV in Surfer app for some reason won't work well with very strong complex passwords. I will email in to Support to provide the password I was using earlier for example where it wouldn't work so that you can reproduce the issue and resolve it (if it's something that can be resolved). If it's a limitation that can't be worked around, then we need to make sure it gets added to the docs.

nebulon

Thanks for getting down to the issue! Surfer essentially uses https://www.npmjs.com/package/webdav-server for webdav support, so I guess something needs fixing there. I will see how to get this fixed.

nebulon

Just to give a quick update on this. The issue is, that if a password contains a colon : then the node module handling webdav for surfer breaks at https://github.com/OpenMarshal/npm-WebDAV-Server/blob/c82291f74e065e4795ba388d18be93898e610ddf/src/user/v2/authentication/HTTPBasicAuthentication.ts#L40

I've put more context at https://github.com/OpenMarshal/npm-WebDAV-Server/issues/85 please vote or comment on that to raise awareness

d19dotca

@nebulon awesome, just did. Thanks so much!