internxt-webdav/docs/browser-token-auth.md

# Browser Token Authentication (Approach B)

Since API login is blocked for your account type, you can log in via the browser and use the session data for the WebDAV wrapper.

## Flow

1. Log in at https://drive.internxt.com
2. Extract token and mnemonic from the browser
3. Add to `.env`
4. Start WebDAV server

## Extracting Tokens

### Step 1: Show all stored keys

Be logged in at **https://drive.internxt.com**. DevTools (F12) → **Console**:

```javascript
// Show all localStorage keys
Object.keys(localStorage).filter(k => k.includes('x') || k.includes('token') || k.includes('Token')).forEach(k => console.log(k));
```

This shows which keys exist (e.g. `xNewToken`, `xMnemonic`, `xUser`).

### Step 2: Read token and mnemonic

```javascript
// Display token and mnemonic
console.log('Token:', localStorage.getItem('xNewToken') || localStorage.getItem('xToken') || '(not found)');
console.log('Mnemonic:', localStorage.getItem('xMnemonic') || '(not found)');
```

### Step 3: If nothing is found

- **Check Application tab:** DevTools → **Application** (or **Storage**) → **Local Storage** → select **https://drive.internxt.com**. Inspect all entries.
- **Correct URL:** You must be on `https://drive.internxt.com` (not internxt.com) and **logged in** – after login, on `/drive` or `/app`.
- **Session vs Local:** Some values may be in `sessionStorage`. Test with:
  ```javascript
  console.log('sessionStorage:', Object.keys(sessionStorage));
  ```
- **Show all keys:** For debugging, list all keys with values:
  ```javascript
  for (let i = 0; i < localStorage.length; i++) {
    const k = localStorage.key(i);
    console.log(k + ':', localStorage.getItem(k)?.substring(0, 50) + '...');
  }
  ```

## Add to .env

```
INXT_TOKEN=eyJhbGciOiJIUzI1NiIs...
INXT_MNEMONIC=word1 word2 word3 ...
# Name decryption: CRYPTO_SECRET or CRYPTO_SECRET2 (CLI default: 6KYQBP847D4ATSFA)
CRYPTO_SECRET=6KYQBP847D4ATSFA
# Optional: Enforce WebDAV credentials (otherwise any credentials accepted)
# WEBDAV_USER=backup
# WEBDAV_PASS=secret
```

## Duplicati Pre/Post Scripts (optional)

If the WebDAV server does not run permanently, Duplicati can start it before backup and stop it after:

| Script | Duplicati setting | Path |
|--------|-------------------|------|
| Start | Run before backup | `scripts\start-webdav.cmd` |
| Stop | Run after backup | `scripts\stop-webdav.cmd` |

**Settings → Advanced → Scripts** – enter full path, e.g.:
```
C:\Path\to\internxt-webdav\scripts\start-webdav.cmd
C:\Path\to\internxt-webdav\scripts\stop-webdav.cmd
```

Optional port as argument (default: 3005):
```
C:\Path\to\internxt-webdav\scripts\start-webdav.cmd 8080
C:\Path\to\internxt-webdav\scripts\stop-webdav.cmd 8080
```

The server starts in the background and is ready after ~5 seconds.

## Restic + rclone

```bash
restic -r rclone:internxt-webdav:repo-name init
```

The server creates missing folders recursively (MKCOL). On 500 errors: check server log (`PUT Fehler:`), renew token with `npm run token-refresh`.

### Restic "object not found" / 500

1. **Check port:** rclone URL must match server port exactly. If console shows e.g. `http://127.0.0.1:3010`, set `url = http://127.0.0.1:3010` in rclone.
2. **Single server only:** Stop `npm start` (Ctrl+C), then use only `scripts\start-webdav.cmd` – otherwise an old process may respond.
3. **rclone config:** `rclone config` → Remote `internxt-webdav` → `url` = `http://127.0.0.1:PORT` (PORT from server startup).
4. **Logs:** Set `WEBDAV_LOG=debug` in `.env`, restart server, then check `logs\webdav-errors.log` and `logs\webdav-debug.log`.

## WebDAV Credentials (for Duplicati, Explorer)

The server expects **Basic Auth**. Without `WEBDAV_USER`/`WEBDAV_PASS` in `.env`, it accepts **any** credentials – you can use e.g. username `backup` and password `secret` in Duplicati. With `WEBDAV_USER` and `WEBDAV_PASS` set, only those credentials are accepted.

## Start WebDAV Server

```bash
npm start
```

Server runs at `http://127.0.0.1:3005`. Phase 1–4 active: PROPFIND, MKCOL, DELETE, MOVE, GET, PUT. INXT_MNEMONIC required for GET and PUT.

### PowerShell Copy-Item: "Null character in path"

Windows/.NET sometimes adds null bytes to WebDAV paths. **Workaround:**

```powershell
# Option 1: Direct HTTP (bypasses WebDAV bugs, use UUID from dir i:)
Invoke-WebRequest -Uri "http://127.0.0.1:3005/_.69942103-e16f-4714-89bb-9f9f7d3b1bd5" -OutFile test.md

# Upload via PUT (PowerShell)
Invoke-WebRequest -Uri "http://127.0.0.1:3005/my-file.txt" -Method PUT -Body "Content" -ContentType "application/octet-stream"

# Option 2: Robocopy (copy all files from root)
robocopy "i:\" "." /NFL /NDL

# Option 3: Explorer – drag & drop file
# Windows Explorer: Map network drive → http://127.0.0.1:3005

## Renew Token (on 401 / expired)

Tokens expire after some time (typically hours). On 401 errors or "Unauthorized":

### Option A: Automatic (Chromium)

```bash
npm run token-refresh
```

Opens a browser with drive.internxt.com. Log in – tokens are extracted and `.env` updated automatically. Restart server.

### Option B: Manual

1. Open **[https://drive.internxt.com](https://drive.internxt.com)** and log in again
2. Read token and mnemonic from Console as in Step 2 above
3. Update `.env` with new values
4. Restart WebDAV server

## Notes

- **Bridge API:** Download uses Internxt Bridge with `x-api-version: 2` and headers `internxt-version`/`internxt-client`. Without these, Bridge returns 400.
- **Security:** Mnemonic and token are highly sensitive. Do not commit to Git, keep `.env` in `.gitignore`.
- **Personal only:** Tokens are bound to your session. This approach does not work for other users.