[bug] The document security token is not correctly formed #516

Open
alpineQ opened this issue Oct 12, 2022 · 22 comments
@alpineQ

alpineQ commented Oct 12, 2022

Description of the bug

Opening any .docx document leads to onlyoffice error:

The document security token is not correctly formed.
Please contact your Document Server Administrator.

Step by step instructions to reproduce the bug

It literally doesn't work on live demo

Can you replicate that error from the demo?

Yep

Observed behavior

Onlyoffice error:

The document security token is not correctly formed.
Please contact your Document Server Administrator.

Expected behavior

No error

@yy8402

yy8402 commented Oct 15, 2022

The Onlyoffice docker image recently changed its default setting so that JSON Web Token validation (JWT_ENABLED) is now set to true. So, the solution is to start onlyoffice with "JWT_ENABLED=false", and it may also be a solution to properly set the token used by filestash for onlyoffice, in plg_editor_onlyoffice/index.go as far as I am aware.

@mickael-kerjean
Owner

Thank you for the report, that part of Filestash doesn't have any integration tests that could have detected such an issue yet. @yy8402 is correct, I'm working on it with a fix coming up very soon

@mickael-kerjean
Owner

Somehow I can't start the new version of onlyoffice, not sure what has changed, it does loop over this message:

nc: port number invalid: 
Waiting for connection to the  host on port 

@mickael-kerjean
Owner

If someone can make a PR for a better fix than bf2bca4, please do

c0xc added a commit to c0xc/filestash that referenced this issue Oct 19, 2022
@c0xc
Contributor

c0xc commented Oct 19, 2022

@mickael-kerjean I've hit the same bug. The "port number invalid" is probably just because of a lack of error handling in the shell script, but the original error is an NPM crash. I've sent in a PR (PR #518).

mickael-kerjean pushed a commit that referenced this issue Nov 2, 2022
@dadams1969

I am using the docker version and I had this come up every time I restart the container. The JWT is changing upon restart.

@x-real-ip

Any news on this one? Having the same issue

@yuckdevchan

Can't seem to do it either, even when running:

JWT_ENABLED=false docker-compose up -d

Is this the correct command? Should this work? I still get the same only office error when running this:
image

@c0xc
Contributor

c0xc commented Apr 6, 2023

JWT_ENABLED=false docker-compose up -d

Is this the correct command? Should this work?

No, you need to be explicit when passing variables. For example, you could set this variable in the "environment" section of your service:

services:
  onlyoffice:
    environment:
        JWT_ENABLED: "false"
    ...

I'd say this is just a configuration issue, not a bug in Filestash, maybe a missing feature to support those security tokens.

@yuckdevchan

JWT_ENABLED=false docker-compose up -d
Is this the correct command? Should this work?

No, you need to be explicit when passing variables. For example, you could set this variable in the "environment" section of your service:

services:
  onlyoffice:
    environment:
        JWT_ENABLED: "false"
    ...

I'd say this is just a configuration issue, not a bug in Filestash, maybe a missing feature to support those security tokens.

I solved it yesterday by putting the variable in the docker compose file.

@ovizii ovizii mentioned this issue Apr 12, 2023
@ggoral

ggoral commented May 10, 2023

I had the same problem. I have my documentserver behind a reverse proxy, and fixed it by changing some parameters in nginx:

location / {
    proxy_pass          http://10.11.12.13:80;

    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Host                $host;
    proxy_set_header    X-Forwarded-Host    $host;
    proxy_set_header    X-Forwarded-Port    $server_port;
}

Good Luck!

@capocasa

capocasa commented Nov 3, 2023

I had the same problem. I have my documentserver behind a reverse proxy, and fixed it by changing some parameters in nginx

Tried to duplicate this on apache as reverse proxy but no dice...

        ProxyPass / "http://10.0.7.2:8334/"
        ProxyPassReverse / "http://10.0.7.2:8334/"
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set Host "docs.capo.casa"
        RequestHeader set X-Forwarded-Host "docs.capo.casa"
        RequestHeader set X-Forwarded-Port 443
        ProxyPreserveHost On

@capocasa

capocasa commented Nov 3, 2023

JWT_ENABLED: "false"

This worked for me! But now I'm getting "Download Failed", not sure if this is a related issue or not.

Edit: This was an unrelated issue. For posterity: fixed by adding

"request-filtering-agent": {
  "allowPrivateIPAddress": true
}

to "CoAuthoring" in /etc/onlyoffice/documentserver/local.json in the onlyoffice container. It was because of using a reverse proxy.

@darkdragon-001
Contributor

darkdragon-001 commented Nov 6, 2023

JWT_ENABLED: "false"

This worked for me! But now I'm getting "Download Failed", not sure if this is a related issue or not.

I am also getting the "Download failed." error even with your fix below...

Edit: This was an unrelated issue. For posterity: fixed by adding

"request-filtering-agent": {
  "allowPrivateIPAddress": true
}

to "CoAuthoring" in /etc/onlyoffice/documentserver/local.json in the onlyoffice container. It was because of using a reverse proxy.

You can also set this via environment variable (see available configuration parameters):

ALLOW_PRIVATE_IP_ADDRESS: "true"

@capocasa

capocasa commented Nov 6, 2023

I am also getting the "Download failed." error even with your fix below...

Off the top of my head, maybe the env var isn't being applied? Try the config fix.

Also, do 'docker logs -f myid' for both the filestash and onlyoffice containers and open a word file to find error messages to google.

@darkdragon-001
Contributor

In docker logs for onlyoffice, I find

2023/11/06 20:01:11 [error] 689#689: *4 connect() failed (111: Unknown error) while connecting to upstream, client: FILESTASH_DOCKER_IP, server: , request: "GET /7.5.0-125/doc/6bndad3b5dHbvb1BcDbB/c/?EIO=4&transport=websocket HTTP/1.1", upstream: "http://127.0.0.1:8000/doc/6bndad3b5dHbvb1BcDbB/c/?EIO=4&transport=websocket", host: "FILESTASH_APPLICATION_URL"

It seems that server is unset for some reason. Does anyone know how the document comes from filestash to OnlyOffice? Does it send it somehow via API (push) or does OnlyOffice somehow request the document from filestash (pull)?

@capocasa

capocasa commented Nov 6, 2023

I think it's a push, filestash url for a doc opens an iframe with the onlyoffice url inside passing a one time key in a cookie and filename in url. The filestash image reverse-proxies to the onlyoffice at http://onlyoffice (internal network).

A guess, is the docker-compose.yml configured with exactly the same vars as the example, and are the backend vars at default?

@darkdragon-001
Contributor

darkdragon-001 commented Nov 6, 2023

I guess the difference is that I am using a reverse proxy in a separate network. I could reproduce the issue with the following example:

version: '3'
services:
  app:
    image: machines/filestash
    environment:
      #APPLICATION_URL: 
      ONLYOFFICE_URL: http://onlyoffice
    networks:
      - filestash
      - nginx

  onlyoffice:
    image: onlyoffice/documentserver
    environment:
      ALLOW_META_IP_ADDRESS: "true"
      ALLOW_PRIVATE_IP_ADDRESS: "true"
      JWT_ENABLED: "false"
    networks:
      - filestash
    security_opt:
      - seccomp:unconfined

  nginx:
    image: nginx:latest
    volumes:
      - /tmp/filestash/nginx/default.conf:/etc/nginx/conf.d/default.conf
    networks:
      - nginx
    ports:
      - 8080:8080
    links:
      - app

networks:
  filestash:
  nginx:

So localhost:8080 -> nginx:8080 -> app:8334.

So onlyoffice container should reach app via filestash network while the interface which filestash uses to connect to the internet (localip when connecting to 8.8.8.8) is the one from nginx network in

localip = func() string { // https://stackoverflow.com/questions/23558425/how-do-i-get-the-local-ip-address-in-go#23558495
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		return ""
	}
	maybeips := []string{}
	for _, address := range addrs {
		if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
			if ipnet.IP.To4() != nil {
				maybeips = append(maybeips, ipnet.IP.String())
			}
		}
	}
	// if there is just one interface, we can just pick that one
	if len(maybeips) == 1 {
		return maybeips[0]
	}
	// if not, fallback to capturing our outgoing local ip
	conn, err := net.Dial("udp", "8.8.8.8:80")
	if err != nil {
		return ""
	}
	defer conn.Close()
	localAddr := conn.LocalAddr().(*net.UDPAddr)
	return localAddr.IP.String()
}()
filestashServerLocation = fmt.Sprintf(
	"%s://%s:%d",
	func() string { // proto
		if req.TLS == nil {
			return "http"
		}
		return "https"
	}(),
	localip,
	Config.Get("general.port").Int(),
)

For this case, I think it would be the easiest to allow manually overwriting filestashServerLocation, for example via environment variable.

EDIT: Or even better, instead of connecting to 8.8.8.8, connect to the onlyoffice server (specified by ONLYOFFICE_URL) directly, this should automatically choose the right interface!
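The suggestion in the comment above (derive the address from the route toward ONLYOFFICE_URL, or allow a manual override), sketched as an added example that is not part of the thread or of Filestash's code. The function names and the FILESTASH_INTERNAL_URL variable are hypothetical; 8334 is the app port mentioned in the comment.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"os"
)

// LocalIPToward returns the source IP the kernel would pick to reach the host
// in rawURL. A UDP "connect" sends no packet; it only performs the route lookup.
func LocalIPToward(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("invalid URL %q", rawURL)
	}
	port := u.Port()
	if port == "" {
		port = "80"
		if u.Scheme == "https" {
			port = "443"
		}
	}
	conn, err := net.Dial("udp", net.JoinHostPort(u.Hostname(), port))
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.LocalAddr().(*net.UDPAddr).IP.String(), nil
}

// ServerLocation prefers an explicit override (hypothetical variable
// FILESTASH_INTERNAL_URL), else derives the address from ONLYOFFICE_URL.
func ServerLocation(getenv func(string) string, proto string, port int) (string, error) {
	if v := getenv("FILESTASH_INTERNAL_URL"); v != "" {
		return v, nil
	}
	ip, err := LocalIPToward(getenv("ONLYOFFICE_URL"))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s://%s", proto, net.JoinHostPort(ip, fmt.Sprint(port))), nil
}

func main() {
	fmt.Println(ServerLocation(os.Getenv, "http", 8334))
}
```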

@spamatica

Is there any further progress on this issue?

I seem to be having precisely this problem now with filestash and onlyoffice. It works if I access the site without the proxy.

The last suggestion, to resolve using the ONLYOFFICE_URL, would this be possible to test?

@viscous-coder

import React, { useState, useEffect } from "react";
import { DocumentEditor } from "@onlyoffice/document-editor-react";

const OnlyOffc = (props) => {
  const [docUrl, setDocUrl] = useState("");
  const [loading, setLoading] = useState(true); // state behind the setLoading() call in onDocumentReady
  let token = sessionStorage.getItem("jwt_token");
  let username = localStorage.getItem("username");
  let deptRole = sessionStorage.getItem("role");
  let sessionId = sessionStorage.getItem("sessionId");
  console.log(props.url, token, "this");
  let correctUrl = props?.url?.replaceAll("xxxyyyzzz", "/");

  const onDocumentReady = () => {
    console.log("Document is loaded");
    setLoading(false);
  };

  const onLoadComponentError = function (errorCode, errorDescription) {
    switch (errorCode) {
      case -1: // Unknown error loading component
        console.log(errorDescription);
        break;

      case -2: // Error load DocsAPI from http://documentserver/
        console.log(errorDescription);
        break;

      case -3: // DocsAPI is not defined
        console.log(errorDescription);
        break;
    }
  };

  useEffect(() => {
    fetch(For_Getting_the_file_url, { // to get the file url
      headers: {
        "Content-Type": "application/json",
        Authorization: "Bearer " + token,
        username: username,
        deptRole: deptRole,
        sessionId: sessionId,
      },
    })
      .then(async (res) => {
        console.log(res, "res");
        let data = await res.blob();
        // console.log(data);

        let file = new File([data], "test.docx");
        console.log("file", file.name);

        setDocUrl(URL.createObjectURL(file)); // set object URL of file as docUrl
      })
      .catch((error) => {
        console.log(error);
      });
  }, [correctUrl, token, username, deptRole, sessionId]);

  console.log("docurl", docUrl);

  return (
    <>
      {docUrl && (
        <DocumentEditor
          id="docxEditor"
          documentServerUrl="DOCKER_URL" // getting from docker
          config={{
            document: {
              key: "SECRET_KEY",
              fileType: "docx",
              title: "farmer.docx",
              url: docUrl,
            },
            documentType: "word",
            type: "desktop",
            height: "800px",
            width: "100%",
          }}
          events_onDocumentReady={onDocumentReady}
          onLoadComponentError={onLoadComponentError}
        />
      )}
    </>
  );
};
export default OnlyOffc;

//local.json
{
  "services": {
    "CoAuthoring": {
      "sql": {
        …data
      },
      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization",
          "inBody": false
        },
        "outbox": {
          "header": "Authorization",
          "inBody": false
        }
      },
      "secret": {
        "inbox": {
          "string": "SECRET_KEY"
        },
        "outbox": {
          "string": "SECRET_KEY"
        },
        "session": {
          "string": "SECRET_KEY"
        }
      }
    }
  },
  "rabbitmq": {
    "url": "Some_URL"
  },
  "wopi": {
    "enable": false,
    "privateKey": "SOMEVALUES",
    "privateKeyOld": "SOMEVALUES",
    "publicKey": "SOMEVALUES",
    "publicKeyOld": "SOMEVALUES",
    "modulus": "SOMEVALUES",
    "modulusOld": "SOMEVALUES",
    "exponent": 12333,
    "exponentOld": 11111
  },
  "queue": {
    "type": "abc"
  },
  "storage": {
    "fs": {
      "secretString": "MY_SECRET_KEY"
    }
  }
}

//compose.yml

environment:
  - JWT_ENABLED=true
  - JWT_SECRET=SECRET_KEY
  - JWT_HEADER=Authorization

How to resolve that error?

@mickael-kerjean
Owner

Until this is finalised, I will not take extra work on my end. Should be about 3 to 6 more months

@viscous-coder

@mickael-kerjean I went through several docs and some blogs too, but I am still not able to resolve the issue. If I set JWT_ENABLED=true then I get the error "The document security token is not correctly formed. Please contact your Document Server administrator", or with JWT_ENABLED=false then I get the "Download Failed" error.
