memories icon indicating copy to clipboard operation
memories copied to clipboard
verified publisher icon pulsejet

External Link: Share is password protected and user is not authenticated

Open lapsedtheorist opened this issue 4 months ago • 1 comments

Describe the bug

When an external share link is created with password protection, and the link is accessed and the correct password typed, the Memories app no longer allows access to the contents. It returns an error message "Share is password protected and user is not authenticated".

Steps To Reproduce

  1. Create a folder in Nextcloud
  2. Place a few photos in that folder
  3. Open Memories app and navigate to that folder
  4. Click the "Share folder" icon top right
  5. Click "Create Link" in the central dialog
  6. In the Sidebar, alongside the new link, click the 3 dots icon and select "Customise Link"
  7. Open the "Advanced Settings" drop-down menu, set a password, and click "Update share" in the sidebar
  8. In the central dialog, click "Refresh" and observe the annotation change from "Read only" to "Password protected"
  9. From the central dialog, click the share link and copy it
  10. Open a new private browser window at this link
  11. Type the password
  12. Observe the error message "Share is password protected and user is not authenticated"

Platform

- Client OS: MacOS Tahoe 26.1 (25B78)
- Browser: Safari Version 26.1 (21622.2.11.11.9)
- Server Operating System: Linux 6.12.47+rpt-rpi-2712 aarch64
- Server CPU: Raspberry Pi 5 Model B Rev 1.0 (4 threads)
- Server Memory: 7.87 GB
- Memories Version: 7.7.0
- Nextcloud Version: 31.0.11
- PHP Version: 8.4.11

Screenshots

Image

Additional context

The JS console shows a HTTP 500 error for the request to {host}/apps/memories/api/folders/sub?token={token}&folder=%2F and a similar HTTP 500 error for {host}/apps/memories/api/days?token={token}&folder=%2F. The latter is shown in further detail below.

The Nextcloud server log shows this:

[no app in context] Error: Share is password protected and user is not authenticated
	GET /apps/memories/api/days?token=yJMztiZ8Qm2kxBB&folder=%2F
	from [[REDACTED]] by -- at 2 Dec 2025 at 21:40:05

and this:

{
  "reqId": "2Vt2PQGfu4XUXciPOsfE",
  "level": 3,
  "time": "2025-12-02T21:40:05+00:00",
  "remoteAddr": "[[REDACTED]]",
  "user": "--",
  "app": "no app in context",
  "method": "GET",
  "url": "/apps/memories/api/days?token=yJMztiZ8Qm2kxBB&folder=%2F",
  "message": "Share is password protected and user is not authenticated",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Safari/605.1.15",
  "version": "31.0.11.2",
  "data": {
    "trace": "[{\"file\":\"/var/www/nextcloud/apps/memories/lib/Db/FsManager.php\",\"line\":346,\"function\":\"getShareObject\",\"class\":\"OCA\\Memories\\Db\\FsManager\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/apps/memories/lib/Db/FsManager.php\",\"line\":82,\"function\":\"getShareNode\",\"class\":\"OCA\\Memories\\Db\\FsManager\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/apps/memories/lib/Db/TimelineQueryDays.php\",\"line\":221,\"function\":\"populateRoot\",\"class\":\"OCA\\Memories\\Db\\FsManager\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/apps/memories/lib/Db/TimelineQueryDays.php\",\"line\":55,\"function\":\"filterFilecache\",\"class\":\"OCA\\Memories\\Db\\TimelineQuery\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/apps/memories/lib/Controller/DaysController.php\",\"line\":40,\"function\":\"getDays\",\"class\":\"OCA\\Memories\\Db\\TimelineQuery\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/apps/memories/lib/UtilController.php\",\"line\":20,\"function\":\"{closure:OCA\\Memories\\Controller\\DaysController::days():39}\",\"class\":\"OCA\\Memories\\Controller\\DaysController\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/apps/memories/lib/Controller/DaysController.php\",\"line\":39,\"function\":\"guardEx\",\"class\":\"OCA\\Memories\\Util\",\"type\":\"::\"},{\"file\":\"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":200,\"function\":\"days\",\"class\":\"OCA\\Memories\\Controller\\DaysController\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":114,\"function\":\"executeController\",\"class\":\"OC\\AppFramework\\Http\\Dispatcher\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/lib/private/AppFramework/App.php\",\"line\":161,\"function\":\"dispatch\",\"class\":\"OC\\AppFramework\\Http\\Dispatcher\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/lib/private/Route/Router.php\",\"line\":315,\"function\":\"main\",\"class\":\"OC\\AppFramework\\App\",\"type\":\"::\"},{\"file\":\"/var/www/nextcloud/lib/base.php\",\"line\":1063,\"function\":\"match\",\"class\":\"OC\\Route\\Router\",\"type\":\"->\"},{\"file\":\"/var/www/nextcloud/index.php\",\"line\":24,\"function\":\"handleRequest\",\"class\":\"OC\",\"type\":\"::\"}]"
  },
  "id": "692f5d6f06baa"
}

It would appear this issue may potentially be related to https://github.com/nextcloud/server/pull/55955, which appears to have been back ported to Nextcloud 31 and contains the following note:

Previously: we set the session based on the password/share combo. Accessing a new one will override the previous one. Now: we store the allowed tokens in an array.

It has been noted that other apps are potentially affected by this https://github.com/nextcloud/server/pull/55955#issuecomment-3581460101

lapsedtheorist avatar Dec 02 '25 21:12 lapsedtheorist

Any news on this? Unfortunately none of my password protected external links is currently accessible via Memories...

Thomas-Magnum avatar Dec 12 '25 17:12 Thomas-Magnum