jwt token on open

Common/config/default.json

@@ -114,6 +114,13 @@
 				"rules": [{"address": "*", "allowed": true}],
 				"useforrequest": false,
 				"errorcode": 401
+			},
+			"signature": {
+				"enable": false,
+				"useforrequest": false,
+				"secret": "",
+				"secretByTenant": {},
+				"expiresSession": "1d"
 			}
 		}
 	},

Common/sources/commondefines.js

@@ -37,7 +37,7 @@ function InputCommand(data) {
     this['c'] = data['c'];
     this['id'] = data['id'];
     this['userid'] = data['userid'];
-    this['vkey'] = data['vkey'];
+    this['jwt'] = data['jwt'];
     this['data'] = data['data'];
     this['editorid'] = data['editorid'];
     this['format'] = data['format'];
@@ -50,7 +50,6 @@ function InputCommand(data) {
     this['codepage'] = data['codepage'];
     this['delimiter'] = data['delimiter'];
     this['embeddedfonts'] = data['embeddedfonts'];
-    this['viewmode'] = data['viewmode'];
     if (data['mailmergesend']) {
       this['mailmergesend'] = new CMailMergeSendData(data['mailmergesend']);
     } else {
@@ -76,7 +75,7 @@ function InputCommand(data) {
     this['c'] = undefined;//string command
     this['id'] = undefined;//string document id
     this['userid'] = undefined;//string
-    this['vkey'] = undefined;//string validate
+    this['jwt'] = undefined;//string validate
     this['data'] = undefined;//string
     //to open
     this['editorid'] = undefined;//int
@@ -92,7 +91,6 @@ function InputCommand(data) {
     this['codepage'] = undefined;
     this['delimiter'] = undefined;
     this['embeddedfonts'] = undefined;//bool
-    this['viewmode'] = undefined;//bool
     this['mailmergesend'] = undefined;
     this['thumbnail'] = undefined;
     //private
@@ -128,11 +126,8 @@ InputCommand.prototype = {
   setUserId: function(data) {
     this['userid'] = data;
   },
-  getVKey: function() {
-    return this['vkey'];
-  },
-  setVKey: function(data) {
-    this['vkey'] = data;
+  getJwt: function() {
+    return this['jwt'];
   },
   getData: function() {
     return this['data'];
@@ -200,12 +195,6 @@ InputCommand.prototype = {
   setEmbeddedFonts: function(data) {
     this['embeddedfonts'] = data;
   },
-  getViewMode: function() {
-    return this['viewmode'];
-  },
-  setViewMode: function(data) {
-    this['viewmode'] = data;
-  },
   getMailMergeSend: function() {
     return this['mailmergesend'];
   },

Common/sources/constants.js

@@ -189,6 +189,14 @@ exports.SESSION_IDLE_CODE = 4002;
 exports.SESSION_IDLE_REASON = 'idle session expires';
 exports.SESSION_ABSOLUTE_CODE = 4003;
 exports.SESSION_ABSOLUTE_REASON = 'absolute session expires';
+exports.ACCESS_DENIED_CODE = 4004;
+exports.ACCESS_DENIED_REASON = 'access deny';
+exports.JWT_EMPTYSECRET_CODE = 4005;
+exports.JWT_EMPTYSECRET_REASON = 'token:empty secret';
+exports.JWT_EXPIRED_CODE = 4006;
+exports.JWT_EXPIRED_REASON = 'token:';
+exports.JWT_ERROR_CODE = 4007;
+exports.JWT_ERROR_REASON = 'token:';
 
 exports.CONTENT_DISPOSITION_INLINE = 'inline';
 exports.CONTENT_DISPOSITION_ATTACHMENT = 'attachment';

Common/sources/utils.js

@@ -557,4 +557,13 @@ function dnsLookup(hostname, options) {
     });
   });
 }
-exports.dnsLookup = dnsLookup;
+exports.dnsLookup = dnsLookup;
+function isEditMode(permissions, mode, def) {
+  if (permissions && mode) {
+    //as in web-apps/apps/documenteditor/main/app/controller/Main.js
+    return (permissions.edit !== false || permissions.review === true) && mode !== 'view';
+  } else {
+    return def;
+  }
+}
+exports.isEditMode = isEditMode;

DocService/package.json

@@ -12,7 +12,9 @@
     "express": "^4.14.0",
     "fakeredis": "^1.0.3",
     "forwarded": "^0.1.0",
+    "jsonwebtoken": "^7.1.9",
     "mime": "^1.3.4",
+    "ms": "^0.7.2",
     "multiparty": "^4.1.2",
     "mysql": "^2.11.1",
     "pg": "^6.1.0",

DocService/sources/converterservice.js

@@ -198,7 +198,6 @@ function convertRequest(req, res) {
     try {
       var cmd = new commonDefines.InputCommand();
       cmd.setCommand('conv');
-      cmd.setVKey(req.query['vkey']);
       cmd.setUrl(req.query['url']);
       cmd.setEmbeddedFonts(false);//req.query['embeddedfonts'];
       cmd.setFormat(req.query['filetype']);

DocService/sources/fileuploaderservice.js

@@ -33,6 +33,7 @@
 var multiparty = require('multiparty');
 var co = require('co');
 var taskResult = require('./taskresult');
+var docsCoServer = require('./DocsCoServer');
 var utils = require('./../../Common/sources/utils');
 var constants = require('./../../Common/sources/constants');
 var storageBase = require('./../../Common/sources/storage-base');
@@ -44,6 +45,7 @@ var configUtils = config.get('services.CoAuthoring.utils');
 
 var cfgImageSize = configServer.get('limits_image_size');
 var cfgTypesUpload = configUtils.get('limits_image_types_upload');
+var cfgSignatureEnable = config.get('services.CoAuthoring.signature.enable');
 
 exports.uploadTempFile = function(req, res) {
   return co(function* () {
@@ -70,15 +72,43 @@ exports.uploadTempFile = function(req, res) {
     }
   });
 };
+function checkJwt(docId, errorName, jwt){
+  var res = {err: true, docId: null, userid: null};
+  var checkJwtRes = docsCoServer.checkJwt(jwt);
+  if (checkJwtRes.decoded) {
+    var doc = checkJwtRes.decoded.document;
+    var edit = checkJwtRes.decoded.editorConfig;
+    if (utils.isEditMode(doc.permissions, edit.mode, true)) {
+      res.err = false;
+      res.docId = doc.key;
+      if (edit.user) {
+        res.userid = edit.user.id;
+      }
+    } else {
+      logger.error('Error %s jwt: docId = %s\r\n%s', errorName, docId, 'access deny');
+    }
+  } else {
+    logger.error('Error %s jwt: docId = %s\r\n%s', errorName, docId, checkJwtRes.description);
+  }
+  return res;
+}
 exports.uploadImageFileOld = function(req, res) {
   var docId = req.params.docid;
   logger.debug('Start uploadImageFileOld: docId = %s', docId);
   var userid = req.params.userid;
-  var vkey = req.params.vkey;
+  if (cfgSignatureEnable) {
+    var checkJwtRes = checkJwt(docId, 'uploadImageFileOld', req.params.jwt);
+    if(!checkJwtRes.err){
+      docId = checkJwtRes.docId || docId;
+      userid = checkJwtRes.userid || userid;
+    } else {
+      res.sendStatus(400);
+      return;
+    }
+  }
   var index = parseInt(req.params.index);
   var listImages = [];
   //todo userid
-  //todo vkey
   if (docId && index) {
     var isError = false;
     var form = new multiparty.Form();
@@ -149,11 +179,22 @@ exports.uploadImageFile = function(req, res) {
     var docId = 'null';
     try {
       docId = req.params.docid;
-      logger.debug('Start uploadImageFile: docId = %s', docId);
       var userid = req.params.userid;
-      var vkey = req.params.vkey;
+      logger.debug('Start uploadImageFile: docId = %s', docId);
+
+      var isValidJwt = true;
+      if (cfgSignatureEnable) {
+        var checkJwtRes = checkJwt(docId, 'uploadImageFile', req.params.jwt);
+        if (!checkJwtRes.err) {
+          docId = checkJwtRes.docId || docId;
+          userid = checkJwtRes.userid || userid;
+        } else {
+          isValidJwt = false;
+        }
+      }
+
       var index = parseInt(req.params.index);
-      if (docId && req.body && Buffer.isBuffer(req.body)) {
+      if (isValidJwt && docId && req.body && Buffer.isBuffer(req.body)) {
         var buffer = req.body;
         var format = formatChecker.getImageFormat(buffer);
         var formatStr = formatChecker.getStringFromFormat(format);

DocService/sources/server.js

@@ -219,8 +219,8 @@ if (cluster.isMaster) {
         res.sendStatus(403);
       }
     });
-    app.post('/uploadold/:docid/:userid/:index/:vkey?', fileUploaderService.uploadImageFileOld);
-    app.post('/upload/:docid/:userid/:index/:vkey?', rawFileParser, fileUploaderService.uploadImageFile);
+    app.post('/uploadold/:docid/:userid/:index/:jwt?', fileUploaderService.uploadImageFileOld);
+    app.post('/upload/:docid/:userid/:index/:jwt?', rawFileParser, fileUploaderService.uploadImageFile);
 
     app.post('/downloadas/:docid', rawFileParser, canvasService.downloadAs);
     app.get('/healthcheck', checkClientIp, converterService.convertHealthCheck);