"Write access to end-to-end encrypted folder requires token" out of nowhere (E2EE file deletion impossible with "403 Forbidden") #583

Open
bcutter opened this issue Mar 5, 2024 · 3 comments
Labels
0. Needs triage Pending approval or rejection. This issue is pending approval. bug Something isn't working

bcutter commented Mar 5, 2024

How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.

Steps to reproduce

  1. Use E2EE
  2. Delete single files

Expected behaviour

Files are deleted on the server

Actual behaviour

Client complains about "403 Forbidden ..." and server logs errors

Server configuration

Operating system: Raspberry Pi OS

Web server: nginx

Database: MariaDB

PHP version: 8.2

Nextcloud version: 27.1.7.2

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: archive, bare metal

Signing status:

Signing status
Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

List of activated apps:

App list
End-to-End-Encryption app: 1.13.1

Nextcloud configuration:

Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or 

Insert your config.php content here. 
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

Are you using external storage, if yes which one: local

Are you using encryption: no (only what's needed for E2EE so server-side encryption is likely used)

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: irrelevant

Operating system: irrelevant, multiple clients

Logs

Web server error log

Web server error log
Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log
[webdav] Fehler: OCA\DAV\Connector\Sabre\Exception\Forbidden: Write access to end-to-end encrypted folder requires token - no token sent at <<closure>>

0. /var/www/nextcloud/apps/end_to_end_encryption/lib/Connector/Sabre/LockPlugin.php line 143
   OCA\EndToEndEncryption\Connector\Sabre\LockPlugin->verifyTokenOnWriteAccess()
1. /var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
   OCA\EndToEndEncryption\Connector\Sabre\LockPlugin->checkLock()
2. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 456
   Sabre\DAV\Server->emit()
3. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 253
   Sabre\DAV\Server->invokeMethod()
4. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 321
   Sabre\DAV\Server->start()
5. /var/www/nextcloud/apps/dav/lib/Server.php line 368
   Sabre\DAV\Server->exec()
6. /var/www/nextcloud/apps/dav/appinfo/v2/remote.php line 35
   OCA\DAV\Server->exec()
7. /var/www/nextcloud/remote.php line 172
   require_once("/var/www/nextcl ... p")

DELETE /remote.php/dav/files/username/encrypted_folder/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
from xxx.xxx.xxx.xxx by username at 2024-03-05T00:35:32+01:00

Browser log

Browser log
Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

Seen this before here:

Happens for Windows desktop as well as Android desktop. iOS can not be tested as E2EE is just completely broken there currently (nextcloud/ios#2809, which is a follow-up of nextcloud/desktop#5918 (comment), which is a follow-up of nextcloud/desktop#5564 ...).

I will try to reset E2EE using /settings/user/security (once again) now... but this needs to stop. E2EE is so annoyingly unreliable and breaks on a regular occasion, rendering it the most unreliable part of Nextcloud by far.

@bcutter bcutter changed the title "Write access to end-to-end encrypted folder requires token" out of nowhere "Write access to end-to-end encrypted folder requires token" out of nowhere (E2EE file deletion impossible with "403 Forbidden") Mar 5, 2024

bcutter commented Mar 5, 2024

OK, after resetting keys (including deletion of E2EE files) and uploading E2EE content, everything seemed to work.

Unfortunately, now when adding files inside an E2EE folder, the desktop client (Windows or Android, tested both) complains: "upload failed" with no further information.

Windows
[screenshot]

[screenshot]

Android
[screenshot]

[screenshot]

There's NOTHING (!!!) in the server logs.

I don't even know if this issue has something to do with the initial one. Step by step this freaking E2EE kills itself. What now?


bcutter commented Mar 8, 2024

Tested it over and over again. Now I can provoke / replicate the issue:

  1. Reset E2EE
  2. Use it with several Windows desktop clients - works fine
  3. Use E2EE on Android and perform any sync-relevant action (e.g. deleting one E2EE file) --> deletion not working, error presented
  4. Now try to continue E2EE on the (until/before step 3 perfectly working) Windows endpoints by e.g. deleting one E2EE file there: 403 Forbidden - and E2EE is completely broken from now on. No matter if deletions or file uploads.

No idea what the Android app does here. But it breaks E2EE for the whole server, also affecting the Windows endpoints.

[webdav] Fehler: OCA\DAV\Connector\Sabre\Exception\Forbidden: Write access to end-to-end encrypted folder requires token - no token sent at <<closure>>

0. /var/www/nextcloud/apps/end_to_end_encryption/lib/Connector/Sabre/LockPlugin.php line 143
   OCA\EndToEndEncryption\Connector\Sabre\LockPlugin->verifyTokenOnWriteAccess()
1. /var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
   OCA\EndToEndEncryption\Connector\Sabre\LockPlugin->checkLock()
2. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 456
   Sabre\DAV\Server->emit()
3. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 253
   Sabre\DAV\Server->invokeMethod()
4. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 321
   Sabre\DAV\Server->start()
5. /var/www/nextcloud/apps/dav/lib/Server.php line 368
   Sabre\DAV\Server->exec()
6. /var/www/nextcloud/apps/dav/appinfo/v2/remote.php line 35
   OCA\DAV\Server->exec()
7. /var/www/nextcloud/remote.php line 172
   require_once("/var/www/nextcl ... p")

DELETE /remote.php/dav/files/Username/Encrypted/xxxxxxxxxxxxxxxxxde331b37/exxxxxxxxxxxxxxxxxxxxx5ee94947c4cc
from xxx.xxx.xxx.xxx by Username at 2024-03-08T16:39:17+01:00

Workaround: step 1 + step 2. NEVER EVER do step 3.

So, current E2EE status:
✅ Windows
❌ Android (because of triggering the issue at all: see above)
❌ iOS (because of: nextcloud/ios#2809)

@digitalpanopticon

For me it's even easier to replicate the issue. Or it could, in fact, be a completely different one, but as the symptoms are the exact same I'm appending to your thread. Correct me if I'm wrong or if I should open a separate issue.

Versions at the time of writing:
Nextcloud 27.1.10
E2EE 1.13.1

  1. Reset E2EE, as @bcutter did
  2. Activate the plugin
  3. Upload a file from the web client (To rule out any client being faulty. Still, I get the same result using any other client)
  4. Upon deleting it I get Error deleting file "Fuck around and find out.png". and in the logs it is the same error as described above.

I also thought it was a problem of either the Android or iOS app at first because that's where I first saw the issue, but it even happens when the app is not at play, as was the case in my tests.

So for me the current E2EE status sadly is:
❌ E2EE 1.13.1
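
To see which client's writes were rejected and which rejection came first, the "requires token" entries can be pulled out of data/nextcloud.log and grouped by user agent. This is an added example, not part of the comments above or of Nextcloud's code; it assumes the log file is in Nextcloud's JSON-lines format with `time`, `user`, `method`, `url` and `userAgent` fields, and every sample entry (users, agents, request ids) is constructed.

```python
import json
from collections import Counter
from datetime import datetime

# Exception text as it appears in the log excerpts in this thread.
NEEDLE = "Write access to end-to-end encrypted folder requires token"

def _entry(req_id, time, user, method, agent, message):
    # Builds one constructed log line; every value passed in below is made up.
    return json.dumps({"reqId": req_id, "time": time, "user": user, "app": "webdav",
                       "method": method, "url": "/remote.php/dav/files/" + user + "/Encrypted/x",
                       "message": message, "userAgent": agent})

SAMPLE_LOG = "\n".join([
    _entry("r2", "2024-03-08T16:41:02+01:00", "alice", "DELETE", "example-desktop/1.0", NEEDLE + " - no token sent"),
    _entry("r1", "2024-03-08T16:39:17+01:00", "alice", "DELETE", "example-android/1.0", NEEDLE + " - no token sent"),
    _entry("r3", "2024-03-08T16:42:10+01:00", "alice", "PUT", "example-desktop/1.0", NEEDLE + " - no token sent"),
    _entry("r4", "2024-03-08T16:43:00+01:00", "alice", "GET", "example-desktop/1.0", "unrelated entry"),
    '{"reqId": "r5", "message": "' + NEEDLE,  # truncated line, not valid JSON
])

def token_failures(log_text):
    """Return (hits sorted by time, number of matching lines that failed to parse)."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if NEEDLE not in line:
            continue  # cheap pre-filter before JSON parsing
        try:
            e = json.loads(line)
            when = datetime.fromisoformat(e["time"])
        except (ValueError, KeyError, TypeError):
            unparsed += 1  # truncated or rotated mid-write; count it, don't hide it
            continue
        hits.append({"time": when, "user": e.get("user"), "method": e.get("method"),
                     "agent": e.get("userAgent"), "url": e.get("url")})
    return sorted(hits, key=lambda h: h["time"]), unparsed

def per_client(hits):
    """Count rejected writes per (user agent, HTTP method)."""
    return Counter((h["agent"], h["method"]) for h in hits)

if __name__ == "__main__":
    hits, unparsed = token_failures(SAMPLE_LOG)
    print("first rejected write:", hits[0]["time"].isoformat(), hits[0]["agent"])
    for (agent, method), n in per_client(hits).most_common():
        print(n, method, agent)
    print("matching lines that could not be parsed:", unparsed)
```
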
