Files
internxt-webdav/docs/browser-token-auth.md
elpatron 262cffe4a6 Translate all user-facing output to English
- Scripts: start-webdav.cmd, stop-webdav.cmd (echo messages, REM comments)
- Server: server.js (console.log, HTTP error messages)
- Token tools: token-test.js, token-refresh.js
- Other: auth-poc.js, debug-name-decrypt.js, internxt-client.js, upload.js
- Docs: README, .env.example, docs/*.md

Made-with: Cursor
2026-02-28 16:37:28 +01:00

152 lines
5.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Browser Token Authentication (Approach B)
Since API login is blocked for your account type, you can log in via the browser and use the session data for the WebDAV wrapper.
## Flow
1. Log in at https://drive.internxt.com
2. Extract token and mnemonic from the browser
3. Add to `.env`
4. Start WebDAV server
## Extracting Tokens
### Step 1: Show all stored keys
Be logged in at **https://drive.internxt.com**. DevTools (F12) → **Console**:
```javascript
// Show all localStorage keys
Object.keys(localStorage).filter(k => k.includes('x') || k.includes('token') || k.includes('Token')).forEach(k => console.log(k));
```
This shows which keys exist (e.g. `xNewToken`, `xMnemonic`, `xUser`).
### Step 2: Read token and mnemonic
```javascript
// Display token and mnemonic
console.log('Token:', localStorage.getItem('xNewToken') || localStorage.getItem('xToken') || '(not found)');
console.log('Mnemonic:', localStorage.getItem('xMnemonic') || '(not found)');
```
### Step 3: If nothing is found
- **Check Application tab:** DevTools → **Application** (or **Storage**) → **Local Storage** → select **https://drive.internxt.com**. Inspect all entries.
- **Correct URL:** You must be on `https://drive.internxt.com` (not internxt.com) and **logged in** after login, on `/drive` or `/app`.
- **Session vs Local:** Some values may be in `sessionStorage`. Test with:
```javascript
console.log('sessionStorage:', Object.keys(sessionStorage));
```
- **Show all keys:** For debugging, list all keys with values:
```javascript
for (let i = 0; i < localStorage.length; i++) {
const k = localStorage.key(i);
console.log(k + ':', localStorage.getItem(k)?.substring(0, 50) + '...');
}
```
## Add to .env
```
INXT_TOKEN=eyJhbGciOiJIUzI1NiIs...
INXT_MNEMONIC=word1 word2 word3 ...
# Name decryption: CRYPTO_SECRET or CRYPTO_SECRET2 (CLI default: 6KYQBP847D4ATSFA)
CRYPTO_SECRET=6KYQBP847D4ATSFA
# Optional: Enforce WebDAV credentials (otherwise any credentials accepted)
# WEBDAV_USER=backup
# WEBDAV_PASS=secret
```
## Duplicati Pre/Post Scripts (optional)
If the WebDAV server does not run permanently, Duplicati can start it before backup and stop it after:
| Script | Duplicati setting | Path |
|--------|-------------------|------|
| Start | Run before backup | `scripts\start-webdav.cmd` |
| Stop | Run after backup | `scripts\stop-webdav.cmd` |
**Settings → Advanced → Scripts** enter full path, e.g.:
```
C:\Path\to\internxt-webdav\scripts\start-webdav.cmd
C:\Path\to\internxt-webdav\scripts\stop-webdav.cmd
```
Optional port as argument (default: 3005):
```
C:\Path\to\internxt-webdav\scripts\start-webdav.cmd 8080
C:\Path\to\internxt-webdav\scripts\stop-webdav.cmd 8080
```
The server starts in the background and is ready after ~5 seconds.
## Restic + rclone
```bash
restic -r rclone:internxt-webdav:repo-name init
```
The server creates missing folders recursively (MKCOL). On 500 errors: check server log (`PUT Fehler:`), renew token with `npm run token-refresh`.
### Restic "object not found" / 500
1. **Check port:** rclone URL must match server port exactly. If console shows e.g. `http://127.0.0.1:3010`, set `url = http://127.0.0.1:3010` in rclone.
2. **Single server only:** Stop `npm start` (Ctrl+C), then use only `scripts\start-webdav.cmd` otherwise an old process may respond.
3. **rclone config:** `rclone config` → Remote `internxt-webdav` → `url` = `http://127.0.0.1:PORT` (PORT from server startup).
4. **Logs:** Set `WEBDAV_LOG=debug` in `.env`, restart server, then check `logs\webdav-errors.log` and `logs\webdav-debug.log`.
## WebDAV Credentials (for Duplicati, Explorer)
The server expects **Basic Auth**. Without `WEBDAV_USER`/`WEBDAV_PASS` in `.env`, it accepts **any** credentials you can use e.g. username `backup` and password `secret` in Duplicati. With `WEBDAV_USER` and `WEBDAV_PASS` set, only those credentials are accepted.
## Start WebDAV Server
```bash
npm start
```
Server runs at `http://127.0.0.1:3005`. Phase 14 active: PROPFIND, MKCOL, DELETE, MOVE, GET, PUT. INXT_MNEMONIC required for GET and PUT.
### PowerShell Copy-Item: "Null character in path"
Windows/.NET sometimes adds null bytes to WebDAV paths. **Workaround:**
```powershell
# Option 1: Direct HTTP (bypasses WebDAV bugs, use UUID from dir i:)
Invoke-WebRequest -Uri "http://127.0.0.1:3005/_.69942103-e16f-4714-89bb-9f9f7d3b1bd5" -OutFile test.md
# Upload via PUT (PowerShell)
Invoke-WebRequest -Uri "http://127.0.0.1:3005/my-file.txt" -Method PUT -Body "Content" -ContentType "application/octet-stream"
# Option 2: Robocopy (copy all files from root)
robocopy "i:\" "." /NFL /NDL
# Option 3: Explorer drag & drop file
# Windows Explorer: Map network drive → http://127.0.0.1:3005
## Renew Token (on 401 / expired)
Tokens expire after some time (typically hours). On 401 errors or "Unauthorized":
### Option A: Automatic (Chromium)
```bash
npm run token-refresh
```
Opens a browser with drive.internxt.com. Log in tokens are extracted and `.env` updated automatically. Restart server.
### Option B: Manual
1. Open **[https://drive.internxt.com](https://drive.internxt.com)** and log in again
2. Read token and mnemonic from Console as in Step 2 above
3. Update `.env` with new values
4. Restart WebDAV server
## Notes
- **Bridge API:** Download uses Internxt Bridge with `x-api-version: 2` and headers `internxt-version`/`internxt-client`. Without these, Bridge returns 400.
- **Security:** Mnemonic and token are highly sensitive. Do not commit to Git, keep `.env` in `.gitignore`.
- **Personal only:** Tokens are bound to your session. This approach does not work for other users.