webdav: make --webdav-auth-redirect to fix 401 unauthorized on redirect

Before this change, if the server returned a 302 redirect message when opening a file rclone would do the redirect but drop the Authorization: header. This is a sensible thing to do for security reasons but breaks some setups. This patch adds the --webdav-auth-redirect flag which makes it preserve the auth just for this kind of request. See: https://forum.rclone.org/t/webdav-401-unauthorized-when-server-redirects-to-another-domain/39292
2025-02-13 09:01:08 +01:00 · 2023-06-25 14:58:50 +01:00 · 2023-06-25 14:58:50 +01:00 · 572516e301
commit 572516e301
parent 1e9613c186
1 changed files with 19 additions and 0 deletions
--- a/backend/webdav/webdav.go
+++ b/backend/webdav/webdav.go
@ -144,6 +144,23 @@ Set to 0 to disable chunked uploading.
 `,
 			Advanced: true,
 			Default:  10 * fs.Mebi, // Default NextCloud `max_chunk_size` is `10 MiB`. See https://github.com/nextcloud/server/blob/0447b53bda9fe95ea0cbed765aa332584605d652/apps/files/lib/App.php#L57
+		}, {
+			Name: "auth_redirect",
+			Help: `Preserve authentication on redirect.
+
+If the server redirects rclone to a new domain when it is trying to
+read a file then normally rclone will drop the Authorization: header
+from the request.
+
+This is standard security practice to avoid sending your credentials
+to an unknown webserver.
+
+However this is desirable in some circumstances. If you are getting
+an error like "401 Unauthorized" when rclone is attempting to read
+files from the webdav server then you can try this option.
+`,
+			Advanced: true,
+			Default:  false,
 		}},
 	})
 }
@ -160,6 +177,7 @@ type Options struct {
 	Headers            fs.CommaSepList      `config:"headers"`
 	PacerMinSleep      fs.Duration          `config:"pacer_min_sleep"`
 	ChunkSize          fs.SizeSuffix        `config:"nextcloud_chunk_size"`
+	AuthRedirect       bool                 `config:"auth_redirect"`
 }

 // Fs represents a remote webdav
@ -1375,6 +1393,7 @@ func (o *Object) Open(ctx context.Context, options ...fs.OpenOption) (in io.Read
 		ExtraHeaders: map[string]string{
 			"Depth": "0",
 		},
+		AuthRedirect: o.fs.opt.AuthRedirect, // allow redirects to preserve Auth
 	}
 	err = o.fs.pacer.Call(func() (bool, error) {
 		resp, err = o.fs.srv.Call(ctx, &opts)