Zimbra-Community/owncloud-zimlet

Add support for onlyoffice token

sanchezfauste opened this issue · 9 comments

If you have enabled the token feature on the server side (see https://api.onlyoffice.com/editors/signature/) you've got the following error when document preview of document is loaded:

screenshot_20180302_132815

OnlyOffice API documentation

why is this needed?

It's for security reasons as explained in the official documentation: https://api.onlyoffice.com/editors/security

If the token is used only the requests signed with the secret key specified on the server side are executed by the server. Without this protection, everyone can send requests to the onlyoffice server.

Hi @barrydegraaff, I can test the new feature. No problem.

I think that the value that you must store in config.properties is the secret key to sign the token. To generate the token I think that you will need an external library like those that can be found on this page: https://jwt.io/ since the documentation says:

The token is generated using the JWT (JSON Web Tokens) standard.
The tokens are signed by the server's key, so the client is able to 
verify that the token is legitimate.

Here is one example of how OnlyOffice plugin for Nextcloud implements the use of JWT to make calls to onlyoffice document server using a token:

https://github.com/ONLYOFFICE/onlyoffice-owncloud/blob/ca756a3603c923bb8ebe881df84c3baa651181c3/controller/editorcontroller.php#L389-L417

Do you have test server, where I can try this out. Please send details for the secret to info@barrydegraaff.tk Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0

Hi @barrydegraaff, I have sent an email to you with the secret key of our server so you can perform the tests of the new feature.

@sanchezfauste I have added support for adding jwt-tokens, thanks for pointing me to the correct docs.

You can enable it for your instance by re-running the installer AND set owncloud_zimlet_onlyoffice_secret in config.properties.

Be advised you MUST re-download prop2xml.jar as stated in the README under After changing config.properties run the following. Otherwise your secret may be exposed to the zimlet (client side).

Can you do me a favor and tell me (exactly) how you enabled the tokens on your set-up. I am using this: https://github.com/Zimbra-Community/owncloud-zimlet/wiki/OnlyOffice-Nextcloud

Ideally I need step-by-step instructions added to that wiki, so I can enable the tokens also (and help others).

In addition, the WebDAV Client signs a token without adding parameters to the token payload. This means that we do not benefit from the security features of signing. So when we read in the OnlyOffice manual:
To prevent the substitution of important parameters in ONLYOFFICE Document Server requests an encrypted signature is added to it in the form of token.
That is not implemented at this time, effectively this means we now only implemented an access restriction. Aka unauthorized people on the interwebs cannot use your Document Server, but Zimbra can if it uses the correct secret.

In addition by not adding parameters to the token, the token may be copy-pasted by an authenticated user, and then the token could be used from other locations to render documents. If this ever becomes an issue, we need to start adding parameters to the token, and you need to set a new token.

The current solution will prevent random people from using your service.

@barrydegraaff I have tested the new feature and works correctly. Thank you very much for implementing it.

To enable the token on the server side you have to do the following (on linux environments):

Edit /etc/onlyoffice/documentserver/default.json file and change the following:

--- a/default.json       2017-11-16 12:27:02.661348000 +0100
+++ b/default.json        2017-11-29 14:14:30.046498999 +0100
@@ -133,25 +133,25 @@
       },
       "secret": {
         "inbox": {
-          "string": "secret",
+          "string": "your_secret_key",
           "file": "",
           "tenants": {}
         },
         "outbox": {
-          "string": "secret",
+          "string": "your_secret_key",
           "file": ""
         },
         "session": {
-          "string": "secret",
+          "string": "your_secret_key",
           "file": ""
         }
       },
       "token": {
         "enable": {
-          "browser": false,
+          "browser": true,
           "request": {
-            "inbox": false,
-            "outbox": false
+            "inbox": true,
+            "outbox": true
           }
         },
         "inbox": {

Finally restart the OnlyOffice services in order to load the new config:

supervisorctl restart all

This is explained in the OnlyOffice documentation.