sujingjhong.com


Debugging Diary #4: ONLYOFFICE JWT Auth

Because it is a private IP address #

For the IP configuration problem, see the previous post for how the setup went.

Today, to get features developed as quickly as possible, I added the option that disables JWT when the document server starts.

Then things went wrong. The error message said the address could be resolved, but the request was refused because it is a private IP address. Had I done something wrong by testing on an internal network?

I found a related issue on ONLYOFFICE's GitHub. In short, the filter that rejects private addresses is there to prevent SSRF attacks; when JWT is enabled the links are signed, so the server no longer reports any request-filtering-agent errors.

This is to protect against SSRF attacks. We highly recommend enabling JWT in your integrations. When JWT is enabled links in the server are signed by it and you won’t get any “request-filtering-agent” errors.

The reporter enabled JWT and it worked. It was the same for me: once I enabled JWT, access worked normally.

So although the documentation lets you disable JWT, the system may misbehave if you do. It is a passive way of keeping you from disabling JWT.

What does ONLYOFFICE's JWT look like #

That was the next problem. If I have to sign a JWT, what does its format look like?

Start with the documentation:

JSON Web Tokens consist of three parts separated by dots (.), which are: header, payload, signature. The header consists of two parts: the type of the token (JWT), and the hashing algorithm (HMAC SHA256). The second part of the token is the payload, which contains the claims in JSON format. To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

So the JWT is signed with HS256. What about the contents?

ONLYOFFICE Docs validates the token. The data from the payload is considered valid and is used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed.

OK, so what goes into the payload... Thanks to Google, I found an official forum thread discussing the JWT format. Then, reading further in the docs, I finally found the key document, which says:

The payload for the JWT token in the JSON format must have the same structure as the config.

Taking the Opening file example from the official documentation, the code looks like this:

new DocsAPI.DocEditor("placeholder", {
    "document": {
        "fileType": "docx",
        "key": "Khirz6zTPdfd7",
        "title": "Example Document Title.docx",
        "url": "https://example.com/url-to-example-document.docx"
    },
    "documentType": "word",
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb2N1bWVudCI6eyJmaWxlVHlwZSI6ImRvY3giLCJrZXkiOiJLaGlyejZ6VFBkZmQ3IiwidGl0bGUiOiJFeGFtcGxlIERvY3VtZW50IFRpdGxlLmRvY3giLCJ1cmwiOiJodHRwczovL2V4YW1wbGUuY29tL3VybC10by1leGFtcGxlLWRvY3VtZW50LmRvY3gifSwiZG9jdW1lbnRUeXBlIjoid29yZCJ9.7IpEJxdOvBQ0kJ8l6ZegIV4tX5vsPbZZCDDVmcFROXc"
});

So your JWT payload is exactly this (the config object without the token field):

{
    "document": {
        "fileType": "docx",
        "key": "Khirz6zTPdfd7",
        "title": "Example Document Title.docx",
        "url": "https://example.com/url-to-example-document.docx"
    },
    "documentType": "word"
}