[Bug]: Share-by-email fails with HTTP 400 "Tokens must contain at least 1 character" error

[pbol01]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Share-by-email feature fails with HTTP 400 error when NextCloud attempts to automatically update share permissions after creation. Error message displayed to user: "Tokens must contain at least 1 character and may only contain letters, numbers, or a hyphen" (misleading - actual issue is permission update validation failure).

Environment

• NextCloud Version: 32.0.1
• Container: LinuxServer.io (lscr.io/linuxserver/nextcloud:latest, tag 32.0.1-ls401)
• PHP Version: 8.4.14
• Database: PostgreSQL 18.0
• Browser: Firefox/Chrome (tested both)
• Share-by-mail App: v1.22.0 (enabled, default config)

Steps to reproduce

1.Navigate to Files in NextCloud web UI
2. Click share icon on any file
3. In sharing dialog, enter external email address (e.g., pbo@portofaalborg.com)
4. Select "Share by email" option
5. Click to create share

Expected behavior

Share is created successfully
Email notification is sent to recipient
Share appears in sharing list with proper permissions

Nextcloud Server version

32

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

### NextCloud Configuration
- **Maintenance Mode**: false
- **Encryption**: Disabled
- **Two-Factor Auth**: Enabled (twofactor_backupcodes, twofactor_nextcloud_notification, twofactor_totp)
- **Brute Force Protection**: Enabled (bruteforcesettings v5.0.0)

### Relevant Apps
- **sharebymail**: v1.22.0 (enabled, default config)
- **files_sharing**: v1.24.0 (enabled)
- **Additional apps**: deck, forms, guests, richdocuments (Collabora), tasks, whiteboard

List of activated Apps

Enabled:
  - activity: 5.0.0-dev.0
  - app_api: 32.0.0
  - bruteforcesettings: 5.0.0-dev.0
  - circles: 32.0.0
  - cloud_federation_api: 1.16.0
  - comments: 1.22.0
  - contactsinteraction: 1.13.1
  - dashboard: 7.12.0
  - dav: 1.34.2
  - deck: 1.16.0
  - federatedfilesharing: 1.22.0
  - federation: 1.22.0
  - files: 2.4.0
  - files_downloadlimit: 5.0.0-dev.0
  - files_pdfviewer: 5.0.0-dev.0
  - files_reminders: 1.5.0
  - files_sharing: 1.24.0
  - files_trashbin: 1.22.0
  - files_versions: 1.25.0
  - forms: 5.2.2
  - guests: 4.6.0
  - logreader: 5.0.0-dev.0
  - lookup_server_connector: 1.20.0
  - notifications: 5.0.0-dev.0
  - oauth2: 1.20.0
  - password_policy: 4.0.0-dev.0
  - photos: 5.0.0-dev.1
  - privacy: 4.0.0-dev.0
  - profile: 1.1.0
  - provisioning_api: 1.22.0
  - richdocuments: 9.0.1
  - serverinfo: 4.0.0-dev.0
  - settings: 1.15.1
  - sharebymail: 1.22.0
  - systemtags: 1.22.0
  - tasks: 0.17.0
  - text: 6.0.1
  - theming: 2.7.0
  - twofactor_backupcodes: 1.21.0
  - twofactor_nextcloud_notification: 6.0.0-dev.0
  - updatenotification: 1.22.0
  - user_status: 1.12.0
  - viewer: 5.0.0-dev.0
  - weather_status: 1.12.0
  - webhook_listeners: 1.3.0
  - whiteboard: 1.4.0
  - workflowengine: 2.14.0
Disabled:
  - admin_audit: 1.22.0
  - encryption: 2.20.0
  - files_external: 1.24.0
  - firstrunwizard: 5.0.0-dev.0 (installed 5.0.0-dev.0)
  - nextcloud_announcements: 4.0.0-dev.0 (installed 4.0.0-dev.0)
  - recommendations: 5.0.0-dev.0 (installed 5.0.0-dev.0)
  - related_resources: 3.0.0-dev.0 (installed 3.0.0-dev.0)
  - support: 4.0.0-dev.0 (installed 4.0.0-dev.0)
  - survey_client: 4.0.0-dev.0 (installed 4.0.0-dev.0)
  - suspicious_login: 10.0.0-dev.0
  - twofactor_totp: 14.0.0
  - user_ldap: 1.23.0

Nextcloud Signing status

Passed (no core file modifications)

Nextcloud Logs

Additional info

NextCloud Application Logs

Critical Finding: No share-related errors logged in nextcloud.log during bug reproduction.

Checked:

• Log file: /data/nextcloud.log (65KB, last modified Oct 25)
• Log level: 0 (default - Warnings and errors)
• Searched for: share, sharebymail, token, 400, error patterns
• Result: HTTP 400 error ONLY appears in browser console, not in server logs

This is significant evidence that:

1. The backend accepts the share creation (no server-side error logged)
2. The error occurs during the frontend-initiated PUT request
3. Backend rejects the permission update silently (returns 400 without logging)
4. Suggests API validation issue rather than backend crash/error

Sample Log Entry Format

{
  "reqId":"example123",
  "level":3,
  "time":"2025-10-25T19:50:00+00:00",
  "remoteAddr":"10.10.0.1",
  "user":"peter",
  "app":"files_sharing",
  "method":"PUT",
  "url":"/ocs/v2.php/apps/files_sharing/api/v1/shares/6",
  "message":"Share update validation failed"
}

Expected but NOT found: No such entries exist for the failed share operations.

[pbol01]

share-by-email-bug-report.md

I hope this bug report is OK, I'm very new to this so I had Github AI help me with the bug report.
I have added the output to the attached file.
Hope it is helpful and I don't waste anyone's time :)

[artonge]

I could reproduce, the issue exists when shareapi_allow_custom_tokens is enabled. The token is sent as an empty string.

cc @nfebe

[Jerome-Herbinet]

Same as @artonge description, with Nextcloud 31.0.10.

IMO, this is a critical issue which arms an important share feature.

Cc @nfebe