I was looking for a self-hosted password management solution, and decided to use Passman, which is:
- An extension (app) for OwnCloud / Next Cloud
- Can be used to store your passwords securely
- Open source, and can be installed on your own environment (on top of OwnCloud or Next Cloud)
- Has a browser extension (for Chrome and Firefox) for automatic password fill
So I installed a copy of OwnCloud (v10.0.10) on a shared cPanel hosting, and tried to use the Passman App in it. The process all went okay, and I also downloaded the Passman extension for Chrome. After the extension installation, the first step is to fill in the server URL and your username + password. After I filled in the forms, I received:
[401] Unauthorized

After I enabled the logging (OwnCloud admin panel, Administration / General, bottom section), I saw the following messages:
{"reqId":"...","level":0,"time":"2019-01-12T20:20:12+00:00","remoteAddr":"...","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"GET","url":"\/index.php\/apps\/passman\/api\/v2\/vaults","message":"token ... does not exist"}
{"reqId":"...","level":0,"time":"2019-01-12T20:20:12+00:00","remoteAddr":"...","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"GET","url":"\/index.php\/apps\/passman\/api\/v2\/vaults","message":"token ... does not exist"}
{"reqId":"...","level":0,"time":"2019-01-12T20:20:12+00:00","remoteAddr":"...","user":"--","app":"no app in context","method":"GET","url":"\/index.php\/apps\/passman\/api\/v2\/vaults","message":"Current user is not logged in"}
I made several Google searches, and found that multiple issues could cause this problem (like this), but none of the fixes solved my problem.
So I took a look at the extension's requests and the source code, and found that the extension uses Basic HTTP Authentication. I tracked the problem to the auth() function in the lib\private\User\BasicAuthModule.php file: the $request->server['PHP_AUTH_USER'] and $request->server['PHP_AUTH_PW'] variables were empty. These values should be filled automatically by the webserver/PHP based on the "Authorization" header, so I checked, and the header was not present. Google led me to a Stack Overflow issue: somehow the Authorization header was lost. After I added the recommended three lines to the OwnCloud .htaccess file, the plugin started working:
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
As I said, there can be many things that cause the same problem, but if you tried every other solution, go and check if the PHP Basic Auth variables are correctly set.
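One way to run that check, as an added example that is not from the original post or from OwnCloud: a throwaway PHP page that reports which of the Basic Auth variables PHP actually received, without echoing the credentials. The file name and function names are hypothetical, and REDIRECT_HTTP_AUTHORIZATION (the name Apache gives an environment variable after an internal redirect) is not mentioned in the post.

```php
<?php
// authcheck.php (hypothetical name): added diagnostic, not OwnCloud or Passman code.
// Reports which Basic Auth variables reached PHP; never prints the credentials.

function hasValue(array $server, string $key): bool
{
    return isset($server[$key]) && $server[$key] !== '';
}

function isWellFormedBasic(string $header): bool
{
    // Expect "Basic " followed by the base64 encoding of "user:password".
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return false;
    }
    $decoded = base64_decode($m[1], true);
    return $decoded !== false && strpos($decoded, ':') !== false;
}

function describeBasicAuth(array $server): array
{
    // Look for the raw header under the names Apache may pass it on as.
    $raw = '';
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (hasValue($server, $key)) {
            $raw = $server[$key];
            break;
        }
    }
    if (hasValue($server, 'PHP_AUTH_USER')) {
        $verdict = 'ok: PHP populated PHP_AUTH_USER / PHP_AUTH_PW';
    } elseif ($raw !== '') {
        $verdict = isWellFormedBasic($raw)
            ? 'header reached PHP, but PHP_AUTH_* are empty'
            : 'an Authorization value reached PHP, but it is not valid Basic auth';
    } else {
        $verdict = 'Authorization header was dropped before PHP saw it';
    }
    return [
        'PHP_AUTH_USER set' => hasValue($server, 'PHP_AUTH_USER'),
        'PHP_AUTH_PW set' => isset($server['PHP_AUTH_PW']),
        'HTTP_AUTHORIZATION set' => hasValue($server, 'HTTP_AUTHORIZATION'),
        'REDIRECT_HTTP_AUTHORIZATION set' => hasValue($server, 'REDIRECT_HTTP_AUTHORIZATION'),
        'verdict' => $verdict,
    ];
}

header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode(describeBasicAuth($_SERVER), JSON_PRETTY_PRINT);
```

Place it in the same directory as the OwnCloud .htaccess so the same rewrite rules apply, request it over HTTPS with Basic authentication, and delete the file once you have the answer.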