mickael-kerjean / filestash

🦄 A file manager / web client for SFTP, S3, FTP, WebDAV, Git, Minio, LDAP, CalDAV, CardDAV, Mysql, Backblaze, ...
https://www.filestash.app/
GNU Affero General Public License v3.0
10.04k stars 737 forks

[bug] The document security token is not correctly formed #516

Open alpineQ opened 1 year ago

alpineQ commented 1 year ago

Description of the bug

Opening any .docx document leads to onlyoffice error:

The document security token is not correctly formed.
Please contact your Document Server Administrator.

Step by step instructions to reproduce the bug

It literally doesn't work on live demo

Can you replicate that error from the demo?

Yep

Observed behavior

Onlyoffice error:

The document security token is not correctly formed.
Please contact your Document Server Administrator.

Expected behavior

No error

yy8402 commented 1 year ago

The Onlyoffice docker image recently changed its default setting so that JSON Web Token validation (JWT_ENABLED) is now set to true. So, the solution is to start onlyoffice with "JWT_ENABLED=false", and it may also be a solution to properly set the token used by filestash for onlyoffice, in plg_editor_onlyoffice/index.go as far as I am aware.
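
An added example, not part of the thread and not Filestash's code: the alternative to disabling validation is for the integrator to sign the editor config. The Go code below assumes Document Server's HS256 scheme, in which the token payload is the editor config and the key is the shared secret (JWT_SECRET on the container); the function names, config values and secret are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
func sign(msg string, secret []byte) string {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// SignConfig wraps the editor config in an HS256 JWT (payload = config).
func SignConfig(config map[string]any, secret []byte) (string, error) {
	body, err := json.Marshal(config)
	if err != nil {
		return "", err
	}
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + sign(msg, secret), nil
}

// VerifyConfig: three segments, HS256 only, constant-time signature check.
func VerifyConfig(token string, secret []byte) (cfg map[string]any, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("token is not correctly formed")
	}
	var hdr struct{ Alg string }
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("malformed header or unexpected alg")
	}
	if !hmac.Equal([]byte(sign(p[0]+"."+p[1], secret)), []byte(p[2])) {
		return nil, fmt.Errorf("signature mismatch")
	}
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &cfg) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	return cfg, nil
}

func main() {
	fmt.Println(SignConfig(map[string]any{"documentType": "word"}, []byte("constructed-secret")))
}
```

The same secret has to be configured on both sides; a secret that is regenerated when the container restarts invalidates every token signed with the old one.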

mickael-kerjean commented 1 year ago

Thank you for the report, that part of Filestash doesn't have any integration tests that could have detected such an issue yet. @yy8402 is correct, I'm working on it with a fix coming up very soon

mickael-kerjean commented 1 year ago

Somehow I can't start the new version of onlyoffice, not sure what has changed, it does loop over this message:

nc: port number invalid: 
Waiting for connection to the  host on port 

mickael-kerjean commented 1 year ago

If someone can make a PR for a better fix than bf2bca4cbb5ba57092c51c2163ea04cad987d0f3, please do

c0xc commented 1 year ago

@mickael-kerjean I've hit the same bug. The "port number invalid" is probably just because of a lack of error handling in the shell script, but the original error is an NPM crash. I've sent in a PR (PR #518).

dadams1969 commented 1 year ago

I am using the docker version and I had this come up every time I restart the container. The JWT is changing upon restart.

x-real-ip commented 1 year ago

Any news on this one? Having the same issue

yuckdevchan commented 1 year ago

Can't seem to do it either, even when running:

JWT_ENABLED=false docker-compose up -d

Is this the correct command? Should this work? I still get the same only office error when running this: image

c0xc commented 1 year ago

JWT_ENABLED=false docker-compose up -d

Is this the correct command? Should this work?

No, you need to be explicit when passing variables. For example, you could set this variable in the "environment" section of your service:

services:
  onlyoffice:
    environment:
        JWT_ENABLED: "false"
    ...

I'd say this is just a configuration issue, not a bug in Filestash, maybe a missing feature to support those security tokens.

yuckdevchan commented 1 year ago

JWT_ENABLED=false docker-compose up -d Is this the correct command? Should this work?

No, you need to be explicit when passing variables. For example, you could set this variable in the "environment" section of your service:

services:
  onlyoffice:
    environment:
        JWT_ENABLED: "false"
    ...

I'd say this is just a configuration issue, not a bug in Filestash, maybe a missing feature to support those security tokens.

I solved it yesterday by putting the variable in the docker compose file.

ggoral commented 1 year ago

I had the same problem. I have my documentserver behind a reverse proxy, and fixed it by changing some parameters on nginx

location / {
    proxy_pass        http://10.11.12.13:80;

    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Host                $host;
    proxy_set_header    X-Forwarded-Host    $host;
    proxy_set_header    X-Forwarded-Port    $server_port;

}

Good Luck!

capocasa commented 10 months ago

I had the same problem. I have my documentserver behind a reverse proxy, and fixed it by changing some parameters on nginx

Tried to duplicate this on apache as reverse proxy but no dice...

        ProxyPass / "http://10.0.7.2:8334/"
        ProxyPassReverse / "http://10.0.7.2:8334/"
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set Host "docs.capo.casa"
        RequestHeader set X-Forwarded-Host "docs.capo.casa"
        RequestHeader set X-Forwarded-Port 443
        ProxyPreserveHost On

capocasa commented 10 months ago

JWT_ENABLED: "false"

This worked for me! But now I'm getting "Download Failed", not sure if this is a related issue or not.

Edit: This was an unrelated issue. For posterity: fixed by adding

"request-filtering-agent": {
  "allowPrivateIPAddress": true
}

to "CoAuthoring" in /etc/onlyoffice/documentserver/local.json in the onlyoffice container. It was because of using a reverse proxy.

darkdragon-001 commented 10 months ago

JWT_ENABLED: "false"

This worked for me! But now I'm getting "Download Failed", not sure if this is a related issue or not.

I am also getting the "Download failed." error even with your fix below...

Edit: This was an unrelated issue. For posterity: fixed by adding

"request-filtering-agent": {
  "allowPrivateIPAddress": true
}

to "CoAuthoring" in /etc/onlyoffice/documentserver/local.json in the onlyoffice container. It was because of using a reverse proxy.

You can also set this via environment variable (see available configuration parameters):

ALLOW_PRIVATE_IP_ADDRESS: "true"

capocasa commented 10 months ago

I am also getting the "Download failed." error even with your fix below...

Off the top of my head, maybe the env var isn't being applied? Try the config fix.

Also, do 'docker logs -f myid' for both the filestash and onlyoffice containers and open a word file to find error messages to google.

darkdragon-001 commented 10 months ago

In docker logs for onlyoffice, I find

2023/11/06 20:01:11 [error] 689#689: *4 connect() failed (111: Unknown error) while connecting to upstream, client: FILESTASH_DOCKER_IP, server: , request: "GET /7.5.0-125/doc/6bndad3b5dHbvb1BcDbB/c/?EIO=4&transport=websocket HTTP/1.1", upstream: "http://127.0.0.1:8000/doc/6bndad3b5dHbvb1BcDbB/c/?EIO=4&transport=websocket", host: "FILESTASH_APPLICATION_URL"

It seems that server is unset for some reason. Does anyone know how the document comes from filestash to OnlyOffice? Does it send it somehow via API (push) or does OnlyOffice somehow request the document from filestash (pull)?

capocasa commented 10 months ago

I think it's a push, filestash url for a doc opens an iframe with the onlyoffice url inside passing a one time key in a cookie and filename in url. The filestash image reverse-proxies to the onlyoffice at http://onlyoffice (internal network).

A guess, is the docker-compose.yml configured with exactly the same vars as the example, and are the backend vars at default?

darkdragon-001 commented 10 months ago

I guess the difference is that I am using a reverse proxy in a separate network. I could reproduce the issue with the following example:

version: '3'
services:
  app:
    image: machines/filestash
    environment:
      #APPLICATION_URL: 
      ONLYOFFICE_URL: http://onlyoffice
    networks:
      - filestash
      - nginx

  onlyoffice:
    image: onlyoffice/documentserver
    environment:
      ALLOW_META_IP_ADDRESS: "true"
      ALLOW_PRIVATE_IP_ADDRESS: "true"
      JWT_ENABLED: "false"
    networks:
      - filestash
    security_opt:
      - seccomp:unconfined

  nginx:
    image: nginx:latest
    volumes:
      - /tmp/filestash/nginx/default.conf:/etc/nginx/conf.d/default.conf
    networks:
      - nginx
    ports:
      - 8080:8080
    links:
     - app

networks:
  filestash:
  nginx:

So localhost:8080 -> nginx:8080 -> app:8334.

So onlyoffice container should reach app via filestash network while the interface which filestash uses to connect to the internet (localip when connecting to 8.8.8.8) is the one from nginx network in https://github.com/mickael-kerjean/filestash/blob/513ba65d46d1cf739b73c0288410c961c1bcede0/server/plugin/plg_editor_onlyoffice/index.go#L236-L277

For this case, I think it would be the easiest to allow manually overwriting filestashServerLocation, for example via environment variable.

EDIT: Or even better, instead of connecting to 8.8.8.8, connect to the onlyoffice server (specified by ONLYOFFICE_URL) directly, this should automatically choose the right interface!
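
An added example (not Filestash's code) of the suggestion in the EDIT above: connect a UDP socket toward the host named in ONLYOFFICE_URL and read back the local address the kernel selected for that route. The function name and the override parameter are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// LocalAddrFor returns the local IP the kernel would use to reach the host in
// onlyofficeURL. Connecting a UDP socket sends no packets; it only performs
// the route lookup, so the result is the interface that faces that peer.
func LocalAddrFor(onlyofficeURL, override string) (string, error) {
	if override != "" { // hypothetical manual override, e.g. read from an environment variable
		return override, nil
	}
	u, err := url.Parse(onlyofficeURL)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("no usable host in %q", onlyofficeURL)
	}
	port := u.Port()
	if port == "" && u.Scheme == "https" {
		port = "443"
	} else if port == "" {
		port = "80"
	}
	conn, err := net.Dial("udp", net.JoinHostPort(u.Hostname(), port))
	if err != nil {
		return "", err // includes DNS failures for the onlyoffice host name
	}
	defer conn.Close()
	return conn.LocalAddr().(*net.UDPAddr).IP.String(), nil
}

func main() {
	// Constructed input: loopback stands in for the onlyoffice container.
	fmt.Println(LocalAddrFor("http://127.0.0.1", ""))
}
```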

spamatica commented 6 months ago

Is there any further progress on this issue?

I seem to be having precisely this problem now with filestash and onlyoffice. It works if I access the site without the proxy.

The last suggestion, to resolve using the ONLYOFFICE_URL, would this be possible to test?

viscous-coder commented 2 months ago

import React, { useState, useEffect } from "react";
import { DocumentEditor } from "@onlyoffice/document-editor-react";

const OnlyOffc = (props) => {
  const [docUrl, setDocUrl] = useState("");
  // Loading flag cleared by onDocumentReady
  const [loading, setLoading] = useState(true);
  let token = sessionStorage.getItem("jwt_token");
  let username = localStorage.getItem("username");
  let deptRole = sessionStorage.getItem("role");
  let sessionId = sessionStorage.getItem("sessionId");
  console.log(props.url, token, "this");
  let correctUrl = props?.url?.replaceAll("xxxyyyzzz", "/");

  const onDocumentReady = () => {
    console.log("Document is loaded");
    setLoading(false);
  };

  const onLoadComponentError = function (errorCode, errorDescription) {
    switch (errorCode) {
      case -1: // Unknown error loading component
        console.log(errorDescription);
        break;

      case -2: // Error load DocsAPI from http://documentserver/
        console.log(errorDescription);
        break;

      case -3: // DocsAPI is not defined
        console.log(errorDescription);
        break;
    }
  };

  useEffect(() => {
    fetch(For_Getting_the_file_url, {
      // to get the file url
      headers: {
        "Content-Type": "application/json",
        Authorization: "Bearer " + token,
        username: username,
        deptRole: deptRole,
        sessionId: sessionId,
      },
    })
      .then(async (res) => {
        console.log(res, "res");
        let data = await res.blob();
        // console.log(data);

        let file = new File([data], "test.docx");
        console.log("file", file.name);

        setDocUrl(URL.createObjectURL(file)); // set object URL of file as docUrl
      })
      .catch((error) => {
        console.log(error);
      });
  }, [correctUrl, token, username, deptRole, sessionId]);

  console.log("docurl", docUrl);

  return (
    <>
      {docUrl && (
        <DocumentEditor
          id="docxEditor"
          documentServerUrl="DOCKER_URL" // getting from docker
          config={{
            document: {
              key: "SECRET_KEY",
              fileType: "docx",
              title: "farmer.docx",
              url: docUrl,
            },
            documentType: "word",
            type: "desktop",
            height: "800px",
            width: "100%",
          }}
          events_onDocumentReady={onDocumentReady}
          onLoadComponentError={onLoadComponentError}
        />
      )}
    </>
  );
};
export default OnlyOffc;

//local.json
{
  "services": {
    "CoAuthoring": {
      "sql": { …data },
      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": { "header": "Authorization", "inBody": false },
        "outbox": { "header": "Authorization", "inBody": false }
      },
      "secret": {
        "inbox": { "string": "SECRET_KEY" },
        "outbox": { "string": "SECRET_KEY" },
        "session": { "string": "SECRET_KEY" }
      }
    }
  },
  "rabbitmq": { "url": "Some_URL" },
  "wopi": {
    "enable": false,
    "privateKey": "SOMEVALUES",
    "privateKeyOld": "SOMEVALUES",
    "publicKey": "SOMEVALUES",
    "publicKeyOld": "SOMEVALUES",
    "modulus": "SOMEVALUES",
    "modulusOld": "SOMEVALUES",
    "exponent": 12333,
    "exponentOld": 11111
  },
  "queue": { "type": "abc" },
  "storage": { "fs": { "secretString": "MY_SECRET_KEY" } }
}

//compose.yml

environment:

mickael-kerjean commented 2 months ago

Until this is finalised, I will not take extra work on my end. Should be about 3 to 6 more months

viscous-coder commented 2 months ago

@mickael-kerjean I went through several docs and some blogs as well, but I am still not able to resolve the issue: if I set JWT_ENABLED=true then I get the error "The document security token is not correctly formed. Please contact your Document Server administrator", or with JWT_ENABLED=false then I get the "Download Failed" error