Skip to content

fix: don't send auth header for resumable upload PUT requests#49

Open
YasharF wants to merge 1 commit into
KoenZomers:masterfrom
YasharF:master
Open

fix: don't send auth header for resumable upload PUT requests#49
YasharF wants to merge 1 commit into
KoenZomers:masterfrom
YasharF:master

Conversation

@YasharF

@YasharF YasharF commented Jul 13, 2026

Copy link
Copy Markdown

That upload URL is a pre-authenticated, opaque URL returned by createUploadSession; per Microsoft Graph's documented contract, it must not receive an Authorization header (the token is already embedded in the URL). Sending one anyway causes the fragment PUT to fail, the loop retries and eventually gives up, UploadFileViaResumableUploadInternal returns null.

MaximumBasicFileUploadSizeInBytes = 4 * 1024 routes anything ≤4KB through the simple-upload path (which correctly uses the Bearer token against the real Graph endpoint) and anything larger through this resumable path.

Ref doc: https://learn.microsoft.com/en-us/graph/api/driveitem-createuploadsession?view=graph-rest-1.0#remarks 7/13/2026

If you include the Authorization header when issuing the PUT call, it might result in an HTTP 401 Unauthorized response. Only include the Authorization header and bearer token when issuing the POST request during the first step. Don't include it when issuing the PUT call.

@YasharF

YasharF commented Jul 13, 2026

Copy link
Copy Markdown
Author

This is a potential fix for KoenZomers/KeePassOneDriveSync#180
In KeePassOneDriveSync, the UploadFileViaResumableUploadInternal returning null results in OneDriveProvider.cs reporting "Failed to upload the KeePass database."

I don't have access to the different variations of One drive account (i.e. business vs personal) so couldn't fully test it. I think the business end-points might tolerate including the token more often than the personal OneDrive end-points.

That upload URL is a pre-authenticated, opaque URL returned by createUploadSession; per Microsoft Graph's documented contract, it must not receive an Authorization header (the token is already embedded in the URL). Sending one anyway causes the fragment PUT to fail, the loop retries and eventually gives up, UploadFileViaResumableUploadInternal returns null.

MaximumBasicFileUploadSizeInBytes = 4 * 1024 routes anything ≤4KB through the simple-upload path (which correctly uses the Bearer token against the real Graph endpoint) and anything larger through this resumable path.

Ref doc:  https://learn.microsoft.com/en-us/graph/api/driveitem-createuploadsession?view=graph-rest-1.0#remarks 7/13/2026

> If you include the Authorization header when issuing the PUT call, it might result in an HTTP 401 Unauthorized response. Only include the Authorization header and bearer token when issuing the POST request during the first step. Don't include it when issuing the PUT call.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant