onlyoffice token认证

在不开启 token 认证的时候,使用 onlyoffice 是不安全的:传给文档服务器的配置可以被随意篡改,例如本来没有编辑权限的用户,通过修改 js 就可以变成有编辑权限;另外 onlyoffice 的功能服务也会被随意白嫖。

token 认证的开启方式:

1.修改onlyoffice的/etc/onlyoffice/documentserver/local.json 文件

修改成

{
  "services": {
    "CoAuthoring": {
      "sql": {
        "dbHost": "localhost",
        "dbName": "onlyoffice",
        "dbUser": "onlyoffice",
        "dbPass": "onlyoffice"
      },
      "redis": {
        "host": "localhost"
      },
      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization"
        },
        "outbox": {
          "header": "Authorization"
        }
      },
      "secret": {
        "inbox": {
          "string": "你的密钥"
        },
        "outbox": {
          "string": "你的密钥"
        },
        "session": {
          "string": "你的密钥"
        }
      }
    }
  },
  "rabbitmq": {
    "url": "amqp://guest:guest@localhost"
  }
}

2.服务器端增加onlyoffice的配置

onlyoffice: {
      // Name of the header and the value prefix the document server puts on its outbound
      // requests; the header name must match token.outbox.header in local.json.
      "authorizationHeader": "Authorization",
      "authorizationHeaderPrefix": "Bearer ",
      // Shared HMAC secret: must be identical to the inbox/outbox/session secret strings in local.json.
      "secret": "你的密钥",
      // Lifetime of the tokens issued by UtilsService.getToken (jsonwebtoken expiresIn format).
      "expiresIn": "5m"
    },

3.服务器端添加 utils 的 service

const Service = require('egg').Service;
const jwt = require("jsonwebtoken");

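class UtilsService extends Service {
  /**
   * Sign an OnlyOffice editor config so the document server can verify that it was
   * issued by this server and has not been altered in the browser.
   *
   * @param {object} data - editor config object; becomes the JWT payload
   * @returns {string} compact JWT signed with `config.onlyoffice.secret`,
   *   expiring after `config.onlyoffice.expiresIn`
   */
  getToken(data) {
    const { expiresIn, secret } = this.config.onlyoffice;
    // HS256 is jsonwebtoken's default for a string secret; state it explicitly so
    // sign and verify cannot drift apart.
    return jwt.sign(data, secret, { algorithm: 'HS256', expiresIn });
  }

  /**
   * Verify a raw JWT against the shared OnlyOffice secret.
   *
   * @param {string} token - compact JWT string
   * @returns {object|null} decoded payload, or null when the token is malformed,
   *   expired, or its signature does not match
   */
  readToken(token) {
    const { secret } = this.config.onlyoffice;
    try {
      // Pin the accepted algorithm so a token whose `alg` header claims something else is
      // rejected outright. Must match the algorithm the document server signs its
      // outbound requests with (HS256 unless local.json says otherwise).
      return jwt.verify(token, secret, { algorithms: ['HS256'] });
    } catch (err) {
      // Log only the failure reason: the token is a bearer credential (possibly a merely
      // expired but otherwise valid one) and must not be written to the logs.
      console.log(`checkJwtHeader error: name = ${err.name} message = ${err.message}`);
      return null;
    }
  }

  /**
   * Extract and verify the OnlyOffice JWT carried in the request's authorization header.
   *
   * @param {object} req - incoming request exposing `get(headerName)` (e.g. egg/Koa `ctx.request`)
   * @returns {object|null} decoded payload, or null when the header is missing, does not
   *   start with the configured prefix, or fails verification
   */
  readHeaderToken(req) {
    const { authorizationHeader, authorizationHeaderPrefix } = this.config.onlyoffice;
    const authorization = req.get(authorizationHeader);
    if (typeof authorization !== 'string' || !authorization.startsWith(authorizationHeaderPrefix)) {
      return null;
    }
    const token = authorization.substring(authorizationHeaderPrefix.length);
    // Delegate to readToken so both entry points apply exactly the same verification.
    return this.readToken(token);
  }
}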

// egg exposes this service to controllers as this.service.utils (see the getToken / readHeaderToken calls below).
module.exports = UtilsService;

4.在获取配置的时候调用

// Sign the editor config before returning it to the page; cfg is the OnlyOffice editor
// config object and becomes the JWT payload.
const token = this.service.utils.getToken(cfg)
// The document server verifies cfg.token against its inbox secret and rejects
// configs whose content no longer matches the signature.
cfg.token = token;

即对整个配置内容进行签名。

5.在获取下载文件的时候检查请求头是否来自onlyoffice

 // Reject any download request that does not carry a valid OnlyOffice JWT in the
 // authorization header; readHeaderToken returns null for a missing or invalid token.
 let decode = this.service.utils.readHeaderToken(ctx.request)
    if (!decode) {
      ctx.status = 403;  // forbidden: the request did not come from the document server
      ctx.body = { "error": 1 };
      return
    }

6.在onlyoffice回调的/track里面做相同的检查
