Hi Slash, thanks for reporting this bug. As I understand from your logs, it's not even possible to create a Nextcloud account; can you please confirm this?
Anyway, this looks like a bug in the Nextcloud server implementation: CSRF is not something that normally affects REST APIs, which are stateless by definition. When registering the account, we are passing username and password with every function call.
Please file a bug against Nextcloud, and write here the link to the report, so that I can comment in case they ask for more information.
For the record, the API we are using when verifying whether the account is valid is /ocs/v1.php/person/check, which is documented here: https://www.freedesktop.org/wiki/Specifications/open-collaboration-services/#index4h4
I think they forced the CSRF check on all APIs, including the public REST APIs, by mistake.