mike-goodwin / owasp-threat-dragon

An open source, online threat modelling tool from OWASP
http://mike-goodwin.github.io/owasp-threat-dragon/
Apache License 2.0

SyntaxError: Unexpected token U in JSON at position 0 #79

Closed ghost closed 5 years ago

ghost commented 6 years ago

Hi there. I am getting an error regarding the Github Oauth process and hoping for some assistance :)

The error seems to be related to the callback URL. My setting for the callback URL is http://:3000/oauth/github. My homepage URL is set to http://:3000.

My .env variables are set to the below:

```
GITHUB_CLIENT_ID=""
GITHUB_CLIENT_SECRET=""
SESSION_SIGNING_KEY="UIJL08ihIS7H3pkCnyc3cX6h6Rbbs0rp"
SESSION_STORE="local"
```

Error Message:

```
SyntaxError: Unexpected token U in JSON at position 0
    at JSON.parse (<anonymous>)
    at getPrimaryKey (/home/ubuntu/owasp/owasp-threat-dragon/td/helpers/encryption.helper.js:17:21)
    at /home/ubuntu/owasp/owasp-threat-dragon/td/helpers/encryption.helper.js:60:19
    at RandomBytes.ondone (/home/ubuntu/owasp/owasp-threat-dragon/td/helpers/encryption.helper.js:11:9)
```

```
npm ERR! Linux 4.15.0-1023-aws
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "start"
npm ERR! node v8.10.0
npm ERR! npm  v3.5.2
npm ERR! code ELIFECYCLE
npm ERR! owasp-threat-dragon@0.5.1 start: `node server.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the owasp-threat-dragon@0.5.1 start script 'node server.js'.
npm ERR! Make sure you have the latest version of node.js and npm installed.
npm ERR! If you do, this is most likely a problem with the owasp-threat-dragon package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR!     node server.js
npm ERR! You can get information on how to open an issue for this project with:
npm ERR!     npm bugs owasp-threat-dragon
npm ERR! Or if that isn't available, you can get their info via:
npm ERR!     npm owner ls owasp-threat-dragon
npm ERR! There is likely additional logging output above.

npm ERR! Please include the following file with any support request:
npm ERR!     /home/ubuntu/owasp/owasp-threat-dragon/npm-debug.log
```

rkara commented 5 years ago

I ran into this as well, you need to set the SESSION_ENCRYPTION_KEYS environment variable as well

```powershell
$ENV:SESSION_ENCRYPTION_KEYS="[{""isPrimary"": true, ""id"": 0, ""value"": ""XXXXXXX""}]"
```

I'm not sure if it's required, but for my value I encrypted my SESSION_SIGNING_KEY using AES-128 encryption via this website.

mike-goodwin commented 5 years ago

Yes, you need to set the session encryption keys. The reason for this is that the session state stores GitHub access tokens with a significant scope, so I thought they were certainly worth encrypting in storage as a defense in depth mechanism. There are two keys used to support key rotation without losing the ability to decrypt existing session state.

Encryption of new sessions is always done using the key that is marked as primary. Decryption is done using whichever key was used for the encryption. The idea is that when rotating keys you:

  1. Generate a new key and add it to the SESSION_ENCRYPTION_KEYS value, marked as primary, alongside the old key
  2. After some time, remove the old key once all sessions that used it are expired

Future versions will support storing the session encryption keys more securely (e.g. in Azure Key Vault)

Hope this answers your question. Please re-open if not.