Nextcloud Talk bot signature mismatch (spreed 22.0.7): server expects HMAC over random + message, OpenClaw signs random + JSON body → 401 #1

Open
opened 2026-02-15 17:17:05 -05:00 by yindo · 2 comments
Owner

Originally created by @reindje80 on GitHub (Feb 5, 2026).

Environment

  • Nextcloud: 32.0.3.2 (versionstring 32.0.3)
  • Talk app: spreed 22.0.7
  • OpenClaw: 2026.2.3-1
  • Bot created with:
      php occ talk:bot:install "OpenClaw-new" "<shared-secret>" "https://<gateway>/nextcloud-webhook" --feature webhook --feature
    

response --feature reaction


Problem

Outbound bot replies fail with HTTP 401 Unauthorized even though the shared secret is correct.

Steps to reproduce

1. Configure OpenClaw Nextcloud Talk with correct baseUrl and botSecret.
2. Send a message in an allowlisted Talk room.
3. OpenClaw posts to:
POST /ocs/v2.php/apps/spreed/api/v1/bot/<roomToken>/message
with headers:
  - X-Nextcloud-Talk-Bot-Random
  - X-Nextcloud-Talk-Bot-Signature
4. If signature is computed as HMAC(secret, random + bodyStr) where bodyStr is JSON like {"message":"...","replyTo":...}, Nextcloud
returns 401.

Expected

Bot message accepted (HTTP 201 OK) and posted in the room.

Actual

HTTP 401 (OCS failure), OpenClaw reports “authentication failed - check bot secret”.

Minimal evidence / Repro test

With:
- message = "diag-xxxx"
- bodyStr = JSON.stringify({message})
- random = <hex>

A) sig = HMAC(secret, random + bodyStr) → 401

B) sig = HMAC(secret, random + message) → 201 OK

So on Nextcloud 32.0.3.2 + spreed 22.0.7, the signature appears to be validated against random + message (message string only), not
the full JSON request body.

Proposed fix

Change signature generation to use the message string (not the full JSON body) when calling the bot message endpoint.

(Consider implications for fields like replyTo—server may ignore them in signature calculation.)

Impact

Bots receive inbound webhooks fine but can’t send replies; repeated failures trigger brute-force delay accumulation for the gateway
IP.
Originally created by @reindje80 on GitHub (Feb 5, 2026). Environment - Nextcloud: 32.0.3.2 (versionstring 32.0.3) - Talk app: spreed 22.0.7 - OpenClaw: 2026.2.3-1 - Bot created with: ```bash php occ talk:bot:install "OpenClaw-new" "<shared-secret>" "https://<gateway>/nextcloud-webhook" --feature webhook --feature response --feature reaction ``` Problem Outbound bot replies fail with HTTP 401 Unauthorized even though the shared secret is correct. Steps to reproduce 1. Configure OpenClaw Nextcloud Talk with correct baseUrl and botSecret. 2. Send a message in an allowlisted Talk room. 3. OpenClaw posts to: POST /ocs/v2.php/apps/spreed/api/v1/bot/<roomToken>/message with headers: - X-Nextcloud-Talk-Bot-Random - X-Nextcloud-Talk-Bot-Signature 4. If signature is computed as HMAC(secret, random + bodyStr) where bodyStr is JSON like {"message":"...","replyTo":...}, Nextcloud returns 401. Expected Bot message accepted (HTTP 201 OK) and posted in the room. Actual HTTP 401 (OCS failure), OpenClaw reports “authentication failed - check bot secret”. Minimal evidence / Repro test With: - message = "diag-xxxx" - bodyStr = JSON.stringify({message}) - random = <hex> A) sig = HMAC(secret, random + bodyStr) → 401 B) sig = HMAC(secret, random + message) → 201 OK So on Nextcloud 32.0.3.2 + spreed 22.0.7, the signature appears to be validated against random + message (message string only), not the full JSON request body. Proposed fix Change signature generation to use the message string (not the full JSON body) when calling the bot message endpoint. (Consider implications for fields like replyTo—server may ignore them in signature calculation.) Impact Bots receive inbound webhooks fine but can’t send replies; repeated failures trigger brute-force delay accumulation for the gateway IP.
Author
Owner

@pagsjarvis-oss commented on GitHub (Feb 10, 2026):

This was fixed in openclaw/openclaw@57326f72e (fix(nextcloud-talk): sign message text instead of JSON body (#2092)).

The current code in send.ts correctly signs HMAC(secret, random + message) (the plain message text) instead of HMAC(secret, random + bodyStr) (the full JSON body), matching what Nextcloud spreed 22.0.7 expects.

If you're still seeing 401 errors, make sure you're running OpenClaw >= 2026.2.3 which includes this fix.

@pagsjarvis-oss commented on GitHub (Feb 10, 2026): This was fixed in openclaw/openclaw@57326f72e (`fix(nextcloud-talk): sign message text instead of JSON body (#2092)`). The current code in `send.ts` correctly signs `HMAC(secret, random + message)` (the plain message text) instead of `HMAC(secret, random + bodyStr)` (the full JSON body), matching what Nextcloud spreed 22.0.7 expects. If you're still seeing 401 errors, make sure you're running OpenClaw >= 2026.2.3 which includes this fix.
Author
Owner

@pagsjarvis-oss commented on GitHub (Feb 10, 2026):

Closing — already fixed in openclaw/openclaw@57326f72e (shipped in 2026.2.3).

@pagsjarvis-oss commented on GitHub (Feb 10, 2026): Closing — already fixed in openclaw/openclaw@57326f72e (shipped in 2026.2.3).
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: openclaw/openclaw.ai#1