Nextcloud Addin
Browse and anonymize files from your self-hosted Nextcloud server directly from cloak.business. No OAuth app registration is required — Nextcloud uses its own secure Login Flow v2 to generate a per-app password.
Prerequisites
- A Nextcloud server accessible via a public HTTPS URL (private IP addresses are blocked for security reasons)
- A Nextcloud account on that server
- Nextcloud version 16 or later (Login Flow v2 support)
Setup
- Go to App → Addins → Nextcloud
- Click Activate if not already active
- Enter your Nextcloud server URL (e.g., https://nextcloud.mycompany.com)
- Click Connect to Nextcloud
- A Nextcloud login window opens in a popup
- Sign in to your Nextcloud account
- Nextcloud asks you to approve the connection — click Grant access
- The popup closes and you are connected
How Login Flow v2 Works
Unlike OAuth2, Nextcloud's Login Flow v2 does not require any app registration:
- cloak.business sends a request to your Nextcloud server
- Nextcloud generates a temporary login URL
- You approve the connection in Nextcloud
- Nextcloud generates a secure app password just for this connection
- cloak.business stores this app password (encrypted) to authenticate future requests
The app password appears in your Nextcloud Settings → Security → App passwords section. You can revoke it there at any time.
Security Considerations
URL Validation: cloak.business validates your server URL before making any connections:
- Must start with https://
- Cannot be localhost or 127.x.x.x
- Cannot be in private IP ranges: 10.x.x.x, 172.16-31.x.x, 192.168.x.x, 169.254.x.x
- URL length is limited
This prevents Server-Side Request Forgery (SSRF) attacks.
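The rules above can be expressed as a single check. This is an added example, not cloak.business code: it also resolves the hostname (the "resolves to a private IP address" error under Troubleshooting implies such a step) and goes beyond the listed ranges by covering 0.0.0.0/8 and IPv6. The function names, the 2048-character limit and the reason strings are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

MAX_URL_LENGTH = 2048  # assumption: the page only says the length "is limited"

# IPv4 ranges listed on the page, plus 0.0.0.0/8 (added assumption).
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]


def system_resolver(host):
    """Every address the name resolves to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def is_blocked(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must not slip past the IPv4 list
    if ip.version == 6:  # assumption: IPv6 equivalents are blocked as well
        return ip.is_loopback or ip.is_private or ip.is_link_local
    return any(ip in net for net in BLOCKED_V4)


def validate_server_url(url, resolver=system_resolver):
    """Return (ok, reason); pass a fake resolver to run the check offline."""
    if len(url) > MAX_URL_LENGTH:
        return False, "URL too long"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https" or not host:
        return False, "must start with https://"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        ipaddress.ip_address(host)
        addrs = {host}  # literal IP in the URL
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            return False, "host does not resolve"
    # Reject if ANY resolved address is internal, not just the first one.
    if not addrs or any(is_blocked(a) for a in addrs):
        return False, "SSRF protection: blocked address"
    return True, "ok"
```

A check like this only holds if the later HTTP request connects to the address that was validated and each redirect target is validated the same way; otherwise a hostname that resolves differently on the second lookup bypasses it.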
App Password: The generated app password has the same permissions as your Nextcloud account. You can revoke it in Nextcloud Settings → Security without revoking your main password.
Browsing Files
The file browser uses WebDAV to list your Nextcloud files. It starts at your personal files root. Navigate folders using breadcrumbs and select files to analyze.
Supported file types: Same as other addins — .docx, .xlsx, .pdf, .pptx, .txt, .csv, .json, .xml, .md, .html, .png, .jpg, .jpeg, .bmp, .tiff
Supported File Types
| Extension | Processing |
|---|---|
| .txt .csv .json .xml .md .html | Direct text read |
| .docx | Text extraction via mammoth |
| .xlsx | All sheets and rows extracted |
| .pdf | Text extracted via pdfjs |
| .pptx | Text from all slides |
| .png .jpg .jpeg .bmp .tiff | PII detection via OCR |
Saving Results
Anonymized files are uploaded back to the same WebDAV path as the original with _anonymized appended. For example:
- Original: /Documents/report.docx
- Result: /Documents/report_anonymized.txt
Connection Persistence
Your Nextcloud connection persists across sessions. The app password does not expire unless:
- You revoke it in Nextcloud Settings → Security → App passwords
- Your Nextcloud admin disables the app password feature
- You explicitly disconnect in the addin
Troubleshooting
"SSRF protection" error
Your Nextcloud server URL resolves to a private IP address. You need a public HTTPS URL. If your Nextcloud is on a local network only, the Nextcloud addin cannot be used.
"Connection timed out"
The approval window was open for more than 5 minutes. Click Connect again and approve within 5 minutes.
"Login Flow v2 not supported"
Your Nextcloud server is version 15 or older. Upgrade to Nextcloud 16+ to use this addin.
Files not appearing
WebDAV may be disabled on your Nextcloud server. Ask your Nextcloud administrator to enable WebDAV.
Disconnecting
Click Disconnect in the Connect step. This removes the app password from cloak.business. The app password may still appear in Nextcloud Settings → Security → App passwords — you can manually delete it there.
To reconnect, simply enter your server URL again and approve a new connection.