在不开启token认证的时候，用onlyoffice是不安全的：配置可以被随意篡改，例如本来没有编辑权限的用户，通过修改前端js就可以变成有权限，而且onlyoffice的文档服务也会被随意白嫖。
token认证的启动方式:
1.修改onlyoffice的/etc/onlyoffice/documentserver/local.json 文件
修改成
{
"services": {
"CoAuthoring": {
"sql": {
"dbHost": "localhost",
"dbName": "onlyoffice",
"dbUser": "onlyoffice",
"dbPass": "onlyoffice"
},
"redis": {
"host": "localhost"
},
"token": {
"enable": {
"request": {
"inbox": true,
"outbox": true
},
"browser": true
},
"inbox": {
"header": "Authorization"
},
"outbox": {
"header": "Authorization"
}
},
"secret": {
"inbox": {
"string": "你的密钥"
},
"outbox": {
"string": "你的密钥"
},
"session": {
"string": "你的密钥"
}
}
}
},
"rabbitmq": {
"url": "amqp://guest:guest@localhost"
}
}
2.服务器端增加onlyoffice的配置
onlyoffice: {
// Header name and scheme prefix read by readHeaderToken; they should match
// the "inbox"/"outbox" header configured in local.json above. The prefix is
// matched with startsWith, so keep the trailing space in "Bearer ".
"authorizationHeader": "Authorization",
"authorizationHeaderPrefix": "Bearer ",
// Shared secret used by getToken/readToken; the same placeholder "你的密钥"
// appears in local.json (inbox/outbox/session), so use one value in both
// places and load it from the environment rather than committing it.
"secret": "你的密钥",
// Token lifetime handed to jwt.sign (see getToken).
"expiresIn": "5m"
},
3.服务器添加utils的service
const Service = require('egg').Service;
const jwt = require("jsonwebtoken");
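class UtilsService extends Service {
  /**
   * Sign `data` as a JWT with the OnlyOffice shared secret.
   *
   * The token lifetime comes from `config.onlyoffice.expiresIn`.
   *
   * @param {object} data - payload to sign (the editor config)
   * @returns {string} compact JWT
   */
  getToken(data) {
    const { expiresIn, secret } = this.config.onlyoffice;
    return jwt.sign(data, secret, { expiresIn });
  }

  /**
   * Verify a JWT against the OnlyOffice shared secret.
   *
   * @param {string} token - compact JWT
   * @returns {object|null} decoded payload, or null when the token is
   *   missing, malformed, expired or signed with a different secret
   */
  readToken(token) {
    try {
      return jwt.verify(token, this.config.onlyoffice.secret);
    } catch (err) {
      // Log only the failure reason: the raw token must not be written to
      // log files, where it could be replayed until it expires.
      this.logger.warn(`checkJwtHeader error: name = ${err.name} message = ${err.message}`);
      return null;
    }
  }

  /**
   * Extract and verify the JWT carried in the request's authorization
   * header. Header name and scheme prefix come from `config.onlyoffice`.
   *
   * @param {object} req - request exposing `get(headerName)`
   * @returns {object|null} decoded payload, or null when the header is
   *   absent, does not start with the configured prefix, or the token
   *   does not verify
   */
  readHeaderToken(req) {
    const { authorizationHeader, authorizationHeaderPrefix } = this.config.onlyoffice;
    const authorization = req.get(authorizationHeader);
    // Prefix match is exact and case-sensitive (e.g. "Bearer ").
    if (!authorization || !authorization.startsWith(authorizationHeaderPrefix)) {
      return null;
    }
    const token = authorization.substring(authorizationHeaderPrefix.length);
    // Single verification path: same secret, same logging as readToken.
    return this.readToken(token);
  }
}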
module.exports = UtilsService; // reached from controllers as this.service.utils
4.在获取配置的时候调用
// Sign the editor config with the shared secret so Document Server can
// verify it was issued here and not altered in the browser.
const token = this.service.utils.getToken(cfg)
// Attached after signing, so the token is not part of its own payload.
cfg.token = token;
将配置内容签名起来
5.在获取下载文件的时候检查请求头是否来自onlyoffice
// Only a caller holding the shared secret (Document Server) can present a
// token that verifies; any other download request is refused with 403.
// NOTE(review): only the signature is checked here; the decoded payload is
// not inspected further.
let decode = this.service.utils.readHeaderToken(ctx.request)
if (!decode) {
ctx.status = 403;
ctx.body = { "error": 1 };
return
}