filestash
[bug] The document security token is not correctly formed
Description of the bug
Opening any .docx document leads to onlyoffice error:
The document security token is not correctly formed.
Please contact your Document Server Administrator.
Step by step instructions to reproduce the bug
It literally doesn't work on live demo
Can you replicate that error from the demo?
Yep
Observed behavior
Onlyoffice error:
The document security token is not correctly formed.
Please contact your Document Server Administrator.
Expected behavior
No error
The Onlyoffice docker image recently changed its default setting so that JSON Web Token validation (JWT_ENABLED) is now set to true. So, the solution is to start onlyoffice with "JWT_ENABLED=false", and it may also be a solution to properly set the token used by filestash for onlyoffice, in plg_editor_onlyoffice/index.go, as far as I am aware.
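With JWT validation enabled, ONLYOFFICE Document Server expects the editor config to carry a `token` field: a JWT over that config, signed with the shared secret (HS256 by default). The following is an added example, not Filestash's code; `SignConfig`, `VerifyConfig` and the sample values are hypothetical. It signs and checks such a token with the Go standard library, which is what keeping validation on instead of setting JWT_ENABLED=false requires.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// SignConfig returns an HS256 JWT whose payload is the editor config itself.
func SignConfig(config map[string]any, secret string) (string, error) {
	payload, err := json.Marshal(config)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + sign(input, secret), nil
}

// VerifyConfig mirrors the receiving side: three parts, valid MAC, then decode.
func VerifyConfig(token, secret string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not correctly formed")
	}
	if !hmac.Equal([]byte(parts[2]), []byte(sign(parts[0]+"."+parts[1], secret))) {
		return nil, fmt.Errorf("signature does not match the shared secret")
	}
	var config map[string]any
	raw, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &config)
	}
	return config, err
}

func sign(input, secret string) string {
	h := hmac.New(sha256.New, []byte(secret))
	h.Write([]byte(input))
	return b64.EncodeToString(h.Sum(nil))
}

func main() {
	tok, err := SignConfig(map[string]any{"documentType": "word"}, "constructed-secret")
	fmt.Println(tok, err)
}
```

The secret passed to `SignConfig` has to be the same value the Document Server container receives as JWT_SECRET; a mismatch fails verification on the server side.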
Thank you for the report, that part of Filestash doesn't have any integration tests that could have detected such an issue yet. @yy8402 is correct, I'm working on it with a fix coming up very soon
Somehow I can't start the new version of onlyoffice, not sure what has changed, it does loop over this message:
nc: port number invalid:
Waiting for connection to the host on port
If someone can make a PR for a better fix than bf2bca4cbb5ba57092c51c2163ea04cad987d0f3, please do
@mickael-kerjean I've hit the same bug. The "port number invalid" is probably just because of a lack of error handling in the shell script, but the original error is an NPM crash. I've sent in a PR (PR #518).
I am using the docker version and I had this come up every time I restart the container. The JWT is changing upon restart.
Any news on this one? Having the same issue
Can't seem to do it either, even when running:
JWT_ENABLED=false docker-compose up -d
Is this the correct command? Should this work? I still get the same only office error when running this:
JWT_ENABLED=false docker-compose up -d
Is this the correct command? Should this work?
No, you need to be explicit when passing variables. For example, you could set this variable in the "environment" section of your service:
services:
  onlyoffice:
    environment:
      JWT_ENABLED: "false"
    ...
I'd say this is just a configuration issue, not a bug in Filestash, maybe a missing feature to support those security tokens.
I solved it yesterday by putting the variable in the docker compose file.
I had the same problem. I have my documentserver behind a reverse proxy, and fixed it by changing some parameters in nginx:
location / {
    proxy_pass http://10.11.12.13:80;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
}
Good Luck!
I had the same problem. I have my documentserver behind a reverse proxy, and fixed it by changing some parameters in nginx
Tried to duplicate this on apache as reverse proxy but no dice...
ProxyPass / "http://10.0.7.2:8334/"
ProxyPassReverse / "http://10.0.7.2:8334/"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set Host "docs.capo.casa"
RequestHeader set X-Forwarded-Host "docs.capo.casa"
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
JWT_ENABLED: "false"
This worked for me! But now I'm getting "Download Failed", not sure if this is a related issue or not.
Edit: This was an unrelated issue. For posterity: fixed by adding
"request-filtering-agent": {
  "allowPrivateIPAddress": true
}
to "CoAuthoring" in /etc/onlyoffice/documentserver/local.json in the onlyoffice container. It was because of using a reverse proxy.
JWT_ENABLED: "false"
This worked for me! But now I'm getting "Download Failed", not sure if this is a related issue or not.
I am also getting the "Download failed." error even with your fix below...
Edit: This was an unrelated issue. For posterity: fixed by adding
"request-filtering-agent": { "allowPrivateIPAddress": true }
to "CoAuthoring" in /etc/onlyoffice/documentserver/local.json in the onlyoffice container. It was because of using a reverse proxy.
You can also set this via environment variable (see available configuration parameters):
ALLOW_PRIVATE_IP_ADDRESS: "true"
I am also getting the "Download failed." error even with your fix below...
Off the top of my head, maybe the env var isn't being applied? Try the config fix.
Also, do 'docker logs -f myid' for both the filestash and onlyoffice containers and open a word file to find error messages to google.
In docker logs for onlyoffice, I find
2023/11/06 20:01:11 [error] 689#689: *4 connect() failed (111: Unknown error) while connecting to upstream, client: FILESTASH_DOCKER_IP, server: , request: "GET /7.5.0-125/doc/6bndad3b5dHbvb1BcDbB/c/?EIO=4&transport=websocket HTTP/1.1", upstream: "http://127.0.0.1:8000/doc/6bndad3b5dHbvb1BcDbB/c/?EIO=4&transport=websocket", host: "FILESTASH_APPLICATION_URL"
It seems that server is unset for some reason. Does anyone know how the document comes from filestash to OnlyOffice? Does it send it somehow via API (push) or does OnlyOffice somehow request the document from filestash (pull)?
I think it's a push, filestash url for a doc opens an iframe with the onlyoffice url inside passing a one time key in a cookie and filename in url. The filestash image reverse-proxies to the onlyoffice at http://onlyoffice (internal network).
A guess, is the docker-compose.yml configured with exactly the same vars as the example, and are the backend vars at default?
I guess the difference is that I am using a reverse proxy in a separate network. I could reproduce the issue with the following example:
version: '3'
services:
  app:
    image: machines/filestash
    environment:
      #APPLICATION_URL:
      ONLYOFFICE_URL: http://onlyoffice
    networks:
      - filestash
      - nginx
  onlyoffice:
    image: onlyoffice/documentserver
    environment:
      ALLOW_META_IP_ADDRESS: "true"
      ALLOW_PRIVATE_IP_ADDRESS: "true"
      JWT_ENABLED: "false"
    networks:
      - filestash
    security_opt:
      - seccomp:unconfined
  nginx:
    image: nginx:latest
    volumes:
      - /tmp/filestash/nginx/default.conf:/etc/nginx/conf.d/default.conf
    networks:
      - nginx
    ports:
      - 8080:8080
    links:
      - app
networks:
  filestash:
  nginx:
So localhost:8080 -> nginx:8080 -> app:8334.
So the onlyoffice container should reach app via the filestash network, while the interface which filestash uses to connect to the internet (localip when connecting to 8.8.8.8) is the one from the nginx network in
https://github.com/mickael-kerjean/filestash/blob/513ba65d46d1cf739b73c0288410c961c1bcede0/server/plugin/plg_editor_onlyoffice/index.go#L236-L277
For this case, I think it would be the easiest to allow manually overwriting filestashServerLocation, for example via environment variable.
EDIT: Or even better, instead of connecting to 8.8.8.8, connect to the onlyoffice server (specified by ONLYOFFICE_URL) directly, this should automatically choose the right interface!
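The interface selection suggested in the comment above, as an added Go example that is not Filestash's code: dialing UDP toward the Document Server makes the kernel pick the source address on the network that actually routes to it. `LocalAddrToward` is a hypothetical name, and 127.0.0.1 stands in for ONLYOFFICE_URL so the block runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// LocalAddrToward returns the local IP the kernel would use to reach rawURL.
// A UDP "dial" sends no packets; it only resolves the route and binds a
// source address, so the target does not need to listen on UDP.
func LocalAddrToward(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no host in %q", rawURL)
	}
	// Fall back to the scheme's default port when the URL has none.
	port := u.Port()
	if port == "" && u.Scheme == "https" {
		port = "443"
	} else if port == "" {
		port = "80"
	}
	conn, err := net.Dial("udp", net.JoinHostPort(u.Hostname(), port))
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.LocalAddr().(*net.UDPAddr).IP.String(), nil
}

func main() {
	// Constructed input: in the compose file above this would be http://onlyoffice.
	fmt.Println(LocalAddrToward("http://127.0.0.1"))
}
```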
Is there any further progress on this issue?
I seem to be having precisely this problem now with filestash and onlyoffice. It works if I access the site without the proxy.
The last suggestion, to resolve using the ONLYOFFICE_URL, would this be possible to test?
import React, { useState, useEffect } from "react";
import { DocumentEditor } from "@onlyoffice/document-editor-react";

const OnlyOffc = (props) => {
  const [docUrl, setDocUrl] = useState("");
  // Loading flag, cleared by onDocumentReady once the editor is ready
  const [loading, setLoading] = useState(true);
  let token = sessionStorage.getItem("jwt_token");
  let username = localStorage.getItem("username");
  let deptRole = sessionStorage.getItem("role");
  let sessionId = sessionStorage.getItem("sessionId");
  console.log(props.url, token, "this");
  let correctUrl = props?.url?.replaceAll("xxxyyyzzz", "/");

  const onDocumentReady = () => {
    console.log("Document is loaded");
    setLoading(false);
  };

  const onLoadComponentError = function (errorCode, errorDescription) {
    switch (errorCode) {
      case -1: // Unknown error loading component
        console.log(errorDescription);
        break;
      case -2: // Error load DocsAPI from http://documentserver/
        console.log(errorDescription);
        break;
      case -3: // DocsAPI is not defined
        console.log(errorDescription);
        break;
    }
  };

  useEffect(() => {
    fetch(For_Getting_the_file_url, {
      //to get the file url
      headers: {
        "Content-Type": "application/json",
        Authorization: "Bearer " + token,
        username: username,
        deptRole: deptRole,
        sessionId: sessionId,
      },
    })
      .then(async (res) => {
        console.log(res, "res");
        let data = await res.blob();
        // console.log(data);
        let file = new File([data], "test.docx");
        console.log("file", file.name);
        setDocUrl(URL.createObjectURL(file)); // set object URL of file as docUrl
      })
      .catch((error) => {
        console.log(error);
      });
  }, [correctUrl, token, username, deptRole, sessionId]);

  console.log("docurl", docUrl);

  return (
    <>
      {docUrl && (
        <DocumentEditor
          id="docxEditor"
          documentServerUrl="DOCKER_URL" //getting from docker
          config={{
            document: {
              key: "SECRET_KEY",
              fileType: "docx",
              title: "farmer.docx",
              url: docUrl,
            },
            documentType: "word",
            type: "desktop",
            height: "800px",
            width: "100%",
          }}
          events_onDocumentReady={onDocumentReady}
          onLoadComponentError={onLoadComponentError}
        />
      )}
    </>
  );
};

export default OnlyOffc;
//local.json
{
  "services": {
    "CoAuthoring": {
      "sql": { …data },
      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": { "header": "Authorization", "inBody": false },
        "outbox": { "header": "Authorization", "inBody": false }
      },
      "secret": {
        "inbox": { "string": "SECRET_KEY" },
        "outbox": { "string": "SECRET_KEY" },
        "session": { "string": "SECRET_KEY" }
      }
    }
  },
  "rabbitmq": { "url": "Some_URL" },
  "wopi": {
    "enable": false,
    "privateKey": "SOMEVALUES",
    "privateKeyOld": "SOMEVALUES",
    "publicKey": "SOMEVALUES",
    "publicKeyOld": "SOMEVALUES",
    "modulus": "SOMEVALUES",
    "modulusOld": "SOMEVALUES",
    "exponent": 12333,
    "exponentOld": 11111
  },
  "queue": { "type": "abc" },
  "storage": { "fs": { "secretString": "MY_SECRET_KEY" } }
}
environment:
  - JWT_ENABLED=true
  - JWT_SECRET=SECRET_KEY
  - JWT_HEADER=Authorization
How to resolve that error?
Until this is finalised, I will not take extra work on my end. Should be about 3 to 6 more months
@mickael-kerjean I went through several docs and some blogs as well, but I am still not able to resolve that issue: if I set JWT_ENABLED=true then I get the error "The document security token is not correctly formed. Please contact your Document Server administrator", or with JWT_ENABLED=false then I get the "Download Failed" error