ONLYOFFICE / DocumentServer

ONLYOFFICE Docs is a free collaborative online office suite comprising viewers and editors for texts, spreadsheets and presentations, forms and PDF, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
https://www.onlyoffice.com
GNU Affero General Public License v3.0

Mail merge from URL not working if a token is passed in the URL #2788

Open raphaelbadawi opened 4 months ago

raphaelbadawi commented 4 months ago

This issue is unique.

Operating System of DocumentServer

Linux (RPM package)

Version information

8.1.0.169

Expected Behavior

When I mail merge (or merge, or compare) a file from a URL, if I use a URL, it works even if a ticket session or a token is passed in the URL.

Actual Behavior

When I mail merge (or merge, or compare) a file from a URL, if I use a plain URL for a publicly available file, it works. But when I use a URL like mydomain.com/path/to/my/file?ticket=XXXX-XXXX-XX where a ticket session or a token is passed to the URL for authentication to happen, it fails. The link works when pasting it in another browser tab, but OO DocumentServer is not able to download it server side, as if the query params were skipped. I dug a bit into the asc_docs_api.prototype._downloadAs method but didn't find the cause of it.

Reproduction Steps

  1. Get a download link where some hash or token is part of the URL and file is available only if hash or token is valid.
  2. Copy it in the "from URL" option of mail merge
  3. Apply

Additional information

No response

XDmitryK commented 2 months ago

@raphaelbadawi Hi. Can you attach a screenshot or a short video with docservice or converter logs?

raphaelbadawi commented 2 months ago

Of course.

Here I have a document open: [image]

The document URL has the following format: https://xxx.yyy.com/node/content/XXX?alf_ticket=XXX.

The URL param "alf_ticket" is essential since it contains an access token. So logically, if I copy paste the full URL value in my browser, it downloads the document.

[Screenshot from 2024-08-23 09-23-58]

If I remove the access token, it asks for credentials:

[Screenshot from 2024-08-23 09-24-17]

OO is cohesive with it when I use the URL as the document.url of the instance: it loads the document when I give the full URL in the document.url property, but obviously fails if I remove the URL param from the document.url value. This is what is expected.

But I don't have the same behavior when using such a URL as a URL source for mail merge.

[Screenshot from 2024-08-23 09-30-27]

[Screenshot from 2024-08-23 09-30-58]

[Screenshot from 2024-08-23 09-31-07]

The weirdest part being that I see in my network tab the download request to the URL actually succeeding:

[Screenshot from 2024-08-23 09-32-37]

[Screenshot from 2024-08-23 09-32-58]

But I still have the error message. When I put the same document in an unprotected URL (no token required, no URL param), it works. So this seems related to the URL having an auth token in a URL param.

The only thing I see in the converter log is this:

[image]

Hope it will help!

XDmitryK commented 1 month ago

@raphaelbadawi There are still a few steps left to take:

  1. Set "level": "ALL" in /etc/onlyoffice/documentserver/log4js/production.json
  2. Set FileConverter.converter.errorfiles:"error" in config file /etc/onlyoffice/documentserver/default.json
  3. Restart everything with the command "supervisorctl restart all"

raphaelbadawi commented 1 month ago

Here is the output on our dev server:

[2024-09-11T14:20:25.059] [DEBUG] [localhost] [5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145] [userId] nodeJS - Start downloadAs: {"c":"save","id":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145","userid":"adm","tokenSession":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb2N1bWVudCI6eyJrZXkiOiI1YTUwZGM1MC0yOWE1LTRjNmQtYjUyMS0wNWZlY2I1MmQzNjlfMTcyNjA1NzE0NSIsInBlcm1pc3Npb25zIjp7ImVkaXQiOnRydWUsInByaW50Ijp0cnVlLCJkb3dubG9hZCI6ZmFsc2V9LCJkc19lbmNyeXB0ZWQiOmZhbHNlfSwiZWRpdG9yQ29uZmlnIjp7InVzZXIiOnsiaWQiOiJhZG0iLCJuYW1lIjoiQWRtaW5pc3RyYXRvciBHb2Zhc3QiLCJpbmRleCI6MX0sImRzX3ZpZXciOmZhbHNlLCJkc19pc0Nsb3NlQ29BdXRob3JpbmciOmZhbHNlLCJkc19zZXNzaW9uVGltZUNvbm5lY3QiOjE3MjYwNTcxNDc4NTd9LCJpYXQiOjE3MjYwNTcxNDgsImV4cCI6MTcyODY0OTE0OH0.9UB5-BPsQJujDR8AN9sAf22L5p9StfEM6RJVxji3R7o","outputformat":2056,"title":"factoure(1)(2).json","nobase64":true,"isSaveAs":false,"lcid":12,"url":"https://gofast-dev.ceo-vision.com/alfresco/s/api/node/content/workspace/SpacesStore/5a50dc50-29a5-4c6d-b521-05fecb52d369?alf_ticket={{OBFUSCATED}}","format":"csv","codepage":46,"delimiter":4,"savetype":3,"saveindex":1,"userconnectionid":"adm1"}
[2024-09-11T14:20:25.059] [DEBUG] [localhost] [5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145] [userId] nodeJS - checkJwt success: decoded = {"document":{"key":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145","permissions":{"edit":true,"print":true,"download":false},"ds_encrypted":false},"editorConfig":{"user":{"id":"adm","name":"Administrator Gofast","index":1},"ds_view":false,"ds_isCloseCoAuthoring":false,"ds_sessionTimeConnect":1726057147857},"iat":1726057148,"exp":1728649148}
[2024-09-11T14:20:25.068] [DEBUG] [localhost] [5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145] [userId] nodeJS - End downloadAs: {"type":"save","status":"ok","data":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145_3944"}
[2024-09-11T14:20:25.110] [INFO] [localhost] [5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145] [userId] nodeJS - receiveTask start: {"ctx":{"tenant":"localhost","docId":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145","userId":"userId","shardKey":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145"},"cmd":{"c":"save","id":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145","userid":"adm","userindex":1,"tokenSession":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb2N1bWVudCI6eyJrZXkiOiI1YTUwZGM1MC0yOWE1LTRjNmQtYjUyMS0wNWZlY2I1MmQzNjlfMTcyNjA1NzE0NSIsInBlcm1pc3Npb25zIjp7ImVkaXQiOnRydWUsInByaW50Ijp0cnVlLCJkb3dubG9hZCI6ZmFsc2V9LCJkc19lbmNyeXB0ZWQiOmZhbHNlfSwiZWRpdG9yQ29uZmlnIjp7InVzZXIiOnsiaWQiOiJhZG0iLCJuYW1lIjoiQWRtaW5pc3RyYXRvciBHb2Zhc3QiLCJpbmRleCI6MX0sImRzX3ZpZXciOmZhbHNlLCJkc19pc0Nsb3NlQ29BdXRob3JpbmciOmZhbHNlLCJkc19zZXNzaW9uVGltZUNvbm5lY3QiOjE3MjYwNTcxNDc4NTd9LCJpYXQiOjE3MjYwNTcxNDgsImV4cCI6MTcyODY0OTE0OH0.9UB5-BPsQJujDR8AN9sAf22L5p9StfEM6RJVxji3R7o","data":null,"format":"csv","url":"https://gofast-dev.ceo-vision.com/alfresco/s/api/node/content/workspace/SpacesStore/5a50dc50-29a5-4c6d-b521-05fecb52d369?alf_ticket={{OBFUSCATED}}","title":"factoure(1)(2).json","outputformat":2056,"outputpath":"output.json","savetype":3,"saveindex":1,"codepage":46,"delimiter":4,"status_info":-88,"savekey":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145_3944","userconnectionid":"adm1","lcid":12,"nobase64":true,"isSaveAs":false,"originformat":65}}
[2024-09-11T14:20:25.112] [DEBUG] [localhost] [5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145] [userId] nodeJS - receiveTask publish: {"type":"save","status":"err","data":-88}
[2024-09-11T14:20:25.112] [INFO] [localhost] [5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145] [userId] nodeJS - receiveTask end
[2024-09-11T14:20:25.112] [DEBUG] [localhost] [5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145] [userId] nodeJS - pubsub message start:{"type":7,"ctx":{"tenant":"localhost","docId":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145","userId":"userId","shardKey":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145"},"cmd":{"c":"save","id":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145","userid":"adm","userindex":1,"tokenSession":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb2N1bWVudCI6eyJrZXkiOiI1YTUwZGM1MC0yOWE1LTRjNmQtYjUyMS0wNWZlY2I1MmQzNjlfMTcyNjA1NzE0NSIsInBlcm1pc3Npb25zIjp7ImVkaXQiOnRydWUsInByaW50Ijp0cnVlLCJkb3dubG9hZCI6ZmFsc2V9LCJkc19lbmNyeXB0ZWQiOmZhbHNlfSwiZWRpdG9yQ29uZmlnIjp7InVzZXIiOnsiaWQiOiJhZG0iLCJuYW1lIjoiQWRtaW5pc3RyYXRvciBHb2Zhc3QiLCJpbmRleCI6MX0sImRzX3ZpZXciOmZhbHNlLCJkc19pc0Nsb3NlQ29BdXRob3JpbmciOmZhbHNlLCJkc19zZXNzaW9uVGltZUNvbm5lY3QiOjE3MjYwNTcxNDc4NTd9LCJpYXQiOjE3MjYwNTcxNDgsImV4cCI6MTcyODY0OTE0OH0.9UB5-BPsQJujDR8AN9sAf22L5p9StfEM6RJVxji3R7o","data":null,"format":"csv","url":"https://gofast-dev.ceo-vision.com/alfresco/s/api/node/content/workspace/SpacesStore/5a50dc50-29a5-4c6d-b521-05fecb52d369?alf_ticket={{OBFUSCATED}}","title":"factoure(1)(2).json","outputformat":2056,"outputpath":"output.json","savetype":3,"saveindex":1,"codepage":46,"delimiter":4,"status_info":-88,"savekey":"5a50dc50-29a5-4c6d-b521-05fecb52d369_1726057145_3944","userconnectionid":"adm1","lcid":12,"nobase64":true,"isSaveAs":false,"originformat":65},"output":{"type":"documentOpen","data":{"type":"save","status":"err","data":-88}},"needUrlKey":null,"needUrlMethod":null,"needUrlType":null}

I put the "{{OBFUSCATED}}" parts here for security reasons, they are not in the original logs. The URL I used works as a document.url for opening a coediting session, but fails as a URL source for mail merge.

Thanks for your help!

Raphaël.
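
Added example, not part of the original thread or of ONLYOFFICE's code: at log level ALL the docservice lines above carry both the URL ticket (alf_ticket) and the tokenSession JWT, so this sketch masks both before a log is shared. The extra parameter names, the sample host and the sample token are constructed assumptions.

```python
import re

# Query parameters treated as credentials. alf_ticket is the one from this thread;
# the other names are assumptions, adjust them to your integration.
SECRET_PARAMS = ("alf_ticket", "ticket", "token", "access_token")
# JSON string fields whose whole value is a credential (tokenSession appears in the logs).
SECRET_FIELDS = ("tokenSession",)
MASK = "{{OBFUSCATED}}"

PARAM_RE = re.compile(
    r"(?P<key>[?&](?:%s)=)[^&\"\s#]+" % "|".join(map(re.escape, SECRET_PARAMS)))
FIELD_RE = re.compile(
    r'(?P<key>"(?:%s)"\s*:\s*")[^"]*' % "|".join(map(re.escape, SECRET_FIELDS)))
# Any other compact JWT: three base64url segments, the first starting with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def redact_line(line):
    """Mask credential values but keep keys, URLs and status codes readable."""
    line = PARAM_RE.sub(lambda m: m.group("key") + MASK, line)
    line = FIELD_RE.sub(lambda m: m.group("key") + MASK, line)
    return JWT_RE.sub(MASK, line)


def redact_log(text):
    """Return (redacted_text, number_of_lines_changed)."""
    lines = text.splitlines()
    out = [redact_line(l) for l in lines]
    return "\n".join(out), sum(a != b for a, b in zip(lines, out))


# Constructed sample in the shape of the docservice lines above (not real log data).
FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"
SAMPLE = "\n".join([
    '[2024-01-01T00:00:00.000] [DEBUG] nodeJS - Start downloadAs: {"c":"save",'
    '"tokenSession":"' + FAKE_JWT + '","url":"https://files.example.test/node/'
    'content/abc?alf_ticket=TICKET_constructed_123&a=1","format":"csv"}',
    '[2024-01-01T00:00:00.010] [DEBUG] nodeJS - receiveTask publish: '
    '{"type":"save","status":"err","data":-88}',
    "GET /download HTTP/1.1 Authorization: Bearer " + FAKE_JWT,
])

if __name__ == "__main__":
    redacted, changed = redact_log(SAMPLE)
    print(redacted)
    print("lines changed:", changed)
```

The error code and the URL path survive redaction, so the masked log still shows which link was requested and how the task ended.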

XDmitryK commented 1 month ago

Sorry for the late reply. We need to look at the logs in the converter and we need to know which link is used to download. Also, the logs show that there is a conversion error and the original files will be located in /var/lib/onlyoffice/documentserver/App_Data/cache/files/error/. There you will see what the server downloaded and what it sent for conversion.

raphaelbadawi commented 1 month ago

Hmm, very weird. I retested it this morning with document server 8.1.3 and it successfully got the recipient list from my xlsx file for mail merge, though the link was exactly the kind of link which was problematic before (link with a session token).

Maybe some changes made in the meantime collaterally repaired stuff?