[Bug]: "Editing session has expired. Please reload the page." on public share links with readme.md

[edocod1]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

When accessing folders with "readme.md" files through public shares, an error "Editing session has expired. Please reload the page." will popup periodically.
Checking inside of Developer Tools -> Network, periodic calls to "/apps/text/public/session/2012934/push" and "/apps/text/public/session/2012934/sync" are executed.
Call to sync returns a bunch of "steps" and "sessions", while call to push only had the "Editing session has expired" message.

This does not happen when you are logged in.

Steps to reproduce

1. Create a folder, write anything in readme.md
2. Share via shared link
3. Open the shared link in a private window or anything that invalidates your nextcloud session

Expected behavior

You are able to see and scroll the readme.md file.

Installation method

Community Web installer on a VPS or web space

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "debug": false,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "redacted",
            "192.168.20.12"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 1.5,
            "dbindex": 0
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.0.19",
        "overwrite.cli.url": "https:\/\/redacted",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "enable_previews": true,
        "updater.release.channel": "stable",
        "default_phone_region": "it",
        "loglevel": 2,
        "maintenance_window_start": 1
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - auto_groups: 1.5.3
  - bruteforcesettings: 2.9.0
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - collectives: 2.10.1
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - external: 5.4.0
  - federatedfilesharing: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.1
  - files_automatedtagging: 1.19.0
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - forms: 4.2.3
  - group_everyone: 0.1.15
  - groupfolders: 17.0.0-beta.1
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - settings: 1.12.0
  - sociallogin: 5.6.4
  - spreed: 19.0.0
  - systemtags: 1.19.0
  - text: 3.10.0
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

Log is empty.

Additional info

I have backported a "group folders" app for NC29 until they release a proper one, but the issue also happens if that app is disabled.

[G3-Logic]

Having the same problem with a Note that I shared publicly. The message pops up over and over while trying to view the document.

[Ennowulff]

I have the same issue on anleitung.md and txt-files in a group folder.
additionally user can edit the markdown file anleitung.md (folder description) although he should have no rights to do this...

[Ceralor]

Issue here as well. Read-only share keeps popping up this message repeatedly, making it unsuitable for me to share Markdown documents for others to read without it looking horribly unprofessional or like the viewer is doing something wrong.

[mejo-]

Thanks all for your report.

So far it seems to me like this only happens in documents with headings. My current guess is that this is because extractHeadings() creates a transaction which leads to a push message with steps.

[juliusknorr]

yjs/y-prosemirror#134 could be helpful though I'm also not sure if that could have unexpected side effects later on in the sync

Quick fix would be to never send any step data on the client side if we are in read only mode.

Otherwise we'd probably need to rethink how headings are extracted. Maybe there is a way to define the unique id at time of rendering the heading and store it then to build the toc from that?

[x011]

I have the same problem with, at least, .md and .py files. Is there any update regarding this bug?

[ArminXG]

Same problem here with Nextcloud 28.0.6.
As far as I remember 28.0.4 didn't show that problem.
A quickfix / workaround would be very helpful.

[juliusknorr]

Fixed by #5895

[ArminXG]

Besides the push message, editing options are shown as well. These should not be seen here.