Unable to attach a group due to Password confirmation is required error in REST API

[zak39]

H 👋

I'm a developer of the Workspace app at Arawa, which uses the Groupfolders API Rest for Workspace to work.

We encountered an issue with Groupfolders version 17.0.4 where a subgroup (a business concept in the app) is created, but not attached to the Groupfolders.

Step to reproduce

Workspace Side:

• I go to the workspace app
• I created a workspace named Space01 (for example)
• I click on the "+" button at the top right of window (in the workspace app)
• I click on "Create a group"
• I enter a name for the group in the field and confirm
• The app displays the group's content (it's empty, which is expected), and the group is correctly listed in the gorup list of Space01
• I refresh the page, and the new group is no longer visible in the group list of Space01

Expected behavior

The new group (or subgroup in the business context) is created and appears in the Space01 workspace.

Server configuration

OS: Linux based
Database: MySQL
PHP Version: 8.1.29
Nextcloud version: 29
Groupfolder version: 17.0.4 or more
Updated from an older Nextcloud/ownCloud or fresh install: classic
Where did you install Nextcloud from: classic
Are you using external storage, if yes which one: classic
Are you using encryption: No
Are you using an external user-backend, if yes which one: Yes (LDAP)

I'm using the development environment from Julius to test the bug : https://github.com/juliushaertl/nextcloud-docker-dev .

Client configuration

Browser: Chromium
Operating System: Ubuntu 24.04

Logs

The HTTP request that attaches the new group to the groupfolder returned a 200 response with this URL http://stable29.local/index.php/apps/groupfolders/folders/3/groups :

And the response to this request is:

{
    "ocs": {
        "meta": {
            "status": "failure",
            "statuscode": 403,
            "message": "Password confirmation is required",
            "totalitems": "",
            "itemsperpage": ""
        },
        "data": []
    }
}

My Point of View

While researching the Password confirmation is required error message, I found that the exception is NotConfirmedException.php, and it's triggered by the PasswordConfirmationMiddleware.php middleware with the PasswordConfirmationRequired annotation or attribute.
In our case, the PasswordConfirmationRequired attribute is attached to all methods of the FolderController, such as the addGroup() method.

From what I understand about the middleware, it checks if the users is authenticated by retrieving the last time they confirmed their password, and if it was within the last 15 seconds. If not, the user is prompted to re-enter their password.
However, when it comes to an app using the REST API, the user (or the browser) cannot be redirected to the session page.

The user must log out and log back in to execute this REST API without encountering an error.

[provokateurin]

You need to use https://github.com/nextcloud-libraries/nextcloud-password-confirmation in the frontend before calling the endpoint.

[joshtrichards]

Closing since it appears you found solution. :)

Ref: arawa/workspace#1066