Description
Environment
- Nextcloud: 32.0.3.2 (versionstring 32.0.3)
- Talk app: spreed 22.0.7
- OpenClaw: 2026.2.3-1
- Bot created with:
php occ talk:bot:install "OpenClaw-new" "<shared-secret>" "https://<gateway>/nextcloud-webhook" --feature webhook --feature response --feature reaction
Problem
Outbound bot replies fail with HTTP 401 Unauthorized even though the shared secret is correct.
Steps to reproduce
1. Configure OpenClaw Nextcloud Talk with correct baseUrl and botSecret.
2. Send a message in an allowlisted Talk room.
3. OpenClaw posts to:
POST /ocs/v2.php/apps/spreed/api/v1/bot/<roomToken>/message
with headers:
- X-Nextcloud-Talk-Bot-Random
- X-Nextcloud-Talk-Bot-Signature
4. If signature is computed as HMAC(secret, random + bodyStr) where bodyStr is JSON like {"message":"...","replyTo":...}, Nextcloud returns 401.
Expected
Bot message accepted (HTTP 201 OK) and posted in the room.
Actual
HTTP 401 (OCS failure), OpenClaw reports “authentication failed - check bot secret”.
Minimal evidence / Repro test
With:
- message = "diag-xxxx"
- bodyStr = JSON.stringify({message})
- random = <hex>
A) sig = HMAC(secret, random + bodyStr) → 401
B) sig = HMAC(secret, random + message) → 201 OK
So on Nextcloud 32.0.3.2 + spreed 22.0.7, the signature appears to be validated against random + message (message string only), not the full JSON request body.
Proposed fix
Change signature generation to use the message string (not the full JSON body) when calling the bot message endpoint.
(Consider implications for fields like replyTo—server may ignore them in signature calculation.)
Impact
Bots receive inbound webhooks fine but can't send replies; repeated failures trigger brute-force delay accumulation for the gateway IP.