ONLYOFFICE / onlyoffice-nextcloud

The app which enables the users to edit office documents from Nextcloud using ONLYOFFICE Document Server, allows multiple users to collaborate in real time and to save back those changes to Nextcloud
GNU Affero General Public License v3.0

Error occurred in the document service: Invalid Token #192

Open KimTheFirst opened 6 years ago

KimTheFirst commented 6 years ago

Do you want to request a feature or report a bug?
bug
Or maybe I'm being stupid.

What is the current behavior?
It connects without JWT, but this is obviously very insecure. After attempting to enable JWT in Nextcloud by applying the configuration methods detailed here: https://github.com/ONLYOFFICE/onlyoffice-owncloud/issues/45

Nextcloud will provide the error message "invalid token" upon every connection attempt. Like so:

"message":"CommandRequest on check error: Error occurred in the document service: Invalid token","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36","version":"13.0.1.1"}

Monitoring the loopback interface on the nginx proxy in front of the ONLYOFFICE docker container, I see this:

POST /coauthoring/CommandService.ashx HTTP/1.0
Connection: close
Host: 127.0.0.1:61209
Content-Length: 15
Content-type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwYXlsb2FkIjoie1wiY1wiOlwidmVyc2lvblwifSJ9.TPCfco_w5xBfxKSm0LuEP82jHVre9fccVLiKAWqUs-U

{"c":"version"}

This seems to indicate that the JWT request is being made and is being passed through by nginx.

Immediately following this, the response from the docker container is this:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 17 Apr 2018 23:03:25 GMT
Content-Type: application/json
Content-Length: 11
Connection: close
X-Powered-By: Express
ETag: W/"b-LRcxe7iSAJH5JBcNMVwY3YCaOwE"

{"error":6}

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
New NC install + new ONLYOFFICE install on two different servers in two different places. On the document server, it has only the onlyoffice docker container connected behind NGINX local proxy. Nginx proxy is configured with SSL certs and forwarding to port 80 on the docker container. Docker is launched with port mapping to map the docker image port 80+443 to some random high ports. iptables is used to block all inbound connections except for port 443 and port 80. The only changes made to the docker container are to default.json as detailed above.

What is the expected behavior?
Works

Did this work in previous versions of DocumentServer?
Never used it before!

DocumentServer version: 5
Operating System: Ubuntu 16

HmmWhy commented 6 years ago

I have the same issue as this, using enterprise trial.

flaminestone commented 6 years ago

Hello @KimTheFirst. I cannot reproduce the issue. I installed NC (using docker) without SSL on one server (and added 'verify_peer_off' => TRUE to /var/www/html/config/config.php), and Document Server (with docker as well) on another. Document Server has been installed using this command:

$ docker run -p 8080:80 -it -e JWT_ENABLED=true -e JWT_SECRET=SECRET -e JWT_HEADER=AuthorizationJwt onlyoffice/documentserver

Then, I installed nginx and changed config to https://github.com/ONLYOFFICE/document-server-proxy/blob/master/nginx/proxy-https-to-http.conf. Then I generated a certificate, set paths to the certs and domain name, changed backendserver-address to ip:8080 (documentserver path) in config and ran nginx. In Nextcloud I installed and configured the ONLYOFFICE app, changing Doc Server address and the secret key. If that is right, can you show the nginx config?

KimTheFirst commented 6 years ago

The server on which I tested this no longer exists. I will at some point need to perform the same configuration on a different server, so I will report back here in due course.

LinneyS commented 4 years ago

Could you please specify if the problem recurs?

achempion commented 2 years ago

I have a similar issue; here is how to reproduce it

Run OO image

$ docker run -it -p 80:80 -e JWT_ENABLED=true -e JWT_SECRET="secret" onlyoffice/documentserver-de

Generate token here

header

{
  "alg": "HS256",
  "typ": "JWT"
}

payload

{
  "c": "info"
}

secret is secret

Make request

$ curl --request POST --header "Content-Type: application/json" --data '{"token": "%token%"}' http://localhost/coauthoring/CommandService.ashx

{"error":6}

SergeyKorneyev commented 2 years ago

Hi @achempion. You're sending the token in the request's body. If you wish to send it this way, you need to modify the Document Server's config as described here: https://api.onlyoffice.com/editors/signature/body. Another issue is that you are not including the document key in the request: https://api.onlyoffice.com/editors/command/info.

Also, since Nextcloud is not mentioned in your description, it would be better if you create a new issue in https://github.com/ONLYOFFICE/DocumentServer rather than continuing here.

achempion commented 2 years ago

good points

sorry to mistype the command, I meant the

{
    "c": "version"
}

I was able to find this section saying that I have to use a header to send the auth key.

What still isn't clear to me, though: why do I need to duplicate the payload, which I already encoded inside the token, and send it separately in the body?

SergeyKorneyev commented 2 years ago

The way it currently works, the request's body cannot be empty, but it's not necessary to copy the whole payload there. You can simply send a set of curly brackets: {}

askya commented 2 years ago

Hello! I had the same issue and solved it. In my local.json (/etc/onlyoffice/documentserver), AuthorizationJwt was written instead of Authorization.
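
The causes named in this thread (a token header that differs from the one the server reads, as with JWT_HEADER=AuthorizationJwt against a client sending Authorization, a token placed in the body without body tokens enabled, and a wrong secret) can be told apart offline. The following is an added example, not code from ONLYOFFICE or from anyone in the thread: a simplified model of the inbound check, with config key names assumed to mirror Document Server's local.json, and with `diagnose` and `make_cfg` as hypothetical helpers.

```python
import base64, hashlib, hmac, json

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(signing_input: str, secret: str) -> bytes:
    digest = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return _b64(digest).encode()

def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT (same shape as the token in the capture)."""
    head, body = (_b64(json.dumps(p, separators=(",", ":")).encode())
                  for p in ({"alg": "HS256", "typ": "JWT"}, payload))
    return f"{head}.{body}.{_mac(head + '.' + body, secret).decode()}"

def verify_hs256(token: str, secret: str) -> bool:
    """Check the signature with the algorithm pinned to HS256."""
    try:
        head, body, sig = token.split(".")
        raw = base64.urlsafe_b64decode(head + "=" * (-len(head) % 4))
        if json.loads(raw).get("alg") != "HS256":
            return False
    except (ValueError, AttributeError):
        return False
    return hmac.compare_digest(_mac(f"{head}.{body}", secret), sig.encode())

def diagnose(headers: dict, body: str, cfg: dict) -> str:
    """Model how a server with token settings `cfg` would treat one request."""
    inbox = cfg["services"]["CoAuthoring"]["token"]["inbox"]
    secret = cfg["services"]["CoAuthoring"]["secret"]["inbox"]["string"]
    try:
        in_body = json.loads(body).get("token")
    except (ValueError, AttributeError):
        in_body = None
    bearer = {k.lower(): v[7:] for k, v in headers.items() if v.startswith("Bearer ")}
    token = bearer.get(inbox["header"].lower())
    if token is None and inbox.get("inBody"):
        token = in_body
    if token is None:  # nothing where the server looks: say where it was instead
        return "header-mismatch" if bearer else "body-token-ignored" if in_body else "no-token"
    return "ok" if verify_hs256(token, secret) else "bad-signature"

def make_cfg(header: str, secret: str, in_body: bool = False) -> dict:
    """Constructed config fragment; key names assumed to mirror local.json."""
    return {"services": {"CoAuthoring": {"secret": {"inbox": {"string": secret}},
            "token": {"inbox": {"header": header, "inBody": in_body}}}}}

if __name__ == "__main__":
    req = {"Authorization": "Bearer " + sign_hs256({"c": "version"}, "secret")}
    print(diagnose(req, "{}", make_cfg("AuthorizationJwt", "secret")))  # header-mismatch
```

All of the non-"ok" results correspond to the single `{"error":6}` response seen in the thread, which is why the header name, the body setting and the secret each need to be checked on both sides.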