diff --git a/data/auth.sqlite b/data/auth.sqlite
index 82d5de7..c198192 100644
Binary files a/data/auth.sqlite and b/data/auth.sqlite differ
diff --git a/markbase-core/src/cli/interface/webdav.rs b/markbase-core/src/cli/interface/webdav.rs
index dd96797..ffd9587 100644
--- a/markbase-core/src/cli/interface/webdav.rs
+++ b/markbase-core/src/cli/interface/webdav.rs
@@ -71,10 +71,12 @@ async fn run_webdav_server(
     let dav_handler = crate::webdav::create_webdav_handler(vfs, home_dir.clone(), upload_hook, user.clone());
 
     async fn webdav_auth_middleware(
-        Extension(expected): Extension<crate::webdav::WebdavCredentials>,
         req: Request,
         next: middleware::Next,
     ) -> impl IntoResponse {
+        // Get credentials from extensions (without consuming)
+        let expected = req.extensions().get::<crate::webdav::WebdavCredentials>().cloned();
+        
         let auth = req
             .headers()
             .get("Authorization")
@@ -90,9 +92,12 @@ async fn run_webdav_server(
                 Some((creds[..colon].to_string(), creds[colon + 1..].to_string()))
             });
 
-        let valid = auth.is_some_and(|(u, p)| {
-            u == expected.username && expected.password.as_ref().is_none_or(|exp| p == *exp)
-        });
+        let valid = match (auth, expected) {
+            (Some((u, p)), Some(exp)) => {
+                u == exp.username && exp.password.as_ref().is_none_or(|exp_p| p == *exp_p)
+            }
+            _ => false,
+        };
 
         if !valid {
             return (