
When Nacos auth is temporarily disabled, the tokenTtl field in the login response is far too large; after auth is restored, clients get 403 errors en masse #12060

Closed
DemonHugo opened this issue May 6, 2024 · 3 comments · Fixed by #12090
Labels
kind/bug Category issues or prs related to bug. plugin

Comments

@DemonHugo (Contributor)

Describe the bug
After upgrading Nacos from 2.0.3 to the latest version, the response content of the POST /nacos/v1/auth/login endpoint changed, so applying the same strategy we used to address the default.token.secret.key vulnerability now results in 403 errors.

Original procedure:

  1. Edit the configuration file application.properties:
     a. set nacos.core.auth.default.token.secret.key to a new key,
     b. set nacos.core.auth.enabled to false to temporarily disable auth
  2. Restart nacos
  3. Wait 5 hours (18000s), then set nacos.core.auth.enabled to true and restart nacos

Expected behavior
After setting nacos.core.auth.enabled to false in the configuration file, calling the login endpoint returns the following:

{
    "accessToken": "xxx",
    "tokenTtl": 18000,
    "globalAdmin": true,
    "username": "xxx"
}

Actual behavior

After setting nacos.core.auth.enabled to false in the configuration file, calling the login endpoint returns the following:

{
    "accessToken": "AUTH_DISABLED",
    "tokenTtl": 1715002590,
    "globalAdmin": true,
    "username": "xxx"
}

The core problem is the tokenTtl field. Looking at the method com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager#getTokenTtlInSeconds, the logic that returns the ttl for the temporarily-disabled-auth scenario is:

if (!authConfigs.isAuthEnabled()) {
    // current epoch seconds + validity window, not the validity window itself
    return TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis()) + tokenValidityInSeconds;
}

Here the ttl returned is a very large value, and the client's token refresh interval is 9/10 of the ttl, so the client will almost never call the login endpoint again to obtain a new token.
Would it be more reasonable to change this return value to tokenValidityInSeconds?
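To make the timing consequence concrete, here is an added simulation (not Nacos code) of a client that caches the login token and re-logs in at 9/10 of tokenTtl, run against the reported ttl logic and the proposed one. The server, client and login time T0 are constructed for this example; T0 is the value implied by the reported tokenTtl of 1715002590, and the assumed client re-logs in only on its own timer, never on a 403.

```python
# Added example, not from the Nacos project: client refresh timing vs. getTokenTtlInSeconds().
TOKEN_VALIDITY_SECONDS = 18000           # tokenValidityInSeconds in the issue
T0 = 1715002590 - TOKEN_VALIDITY_SECONDS  # constructed login time implied by the reported ttl

def reported_ttl(auth_enabled, now_s):
    """Logic quoted in the issue: epoch seconds + validity while auth is off."""
    if not auth_enabled:
        return now_s + TOKEN_VALIDITY_SECONDS
    return TOKEN_VALIDITY_SECONDS

def proposed_ttl(auth_enabled, now_s):
    """Proposed change: always return the validity window itself."""
    return TOKEN_VALIDITY_SECONDS

class Server:
    def __init__(self, ttl_fn):
        self.auth_enabled, self.ttl_fn = False, ttl_fn
    def login(self, now_s):
        token = f"jwt-{now_s}" if self.auth_enabled else "AUTH_DISABLED"
        return {"accessToken": token, "tokenTtl": self.ttl_fn(self.auth_enabled, now_s)}
    def request(self, token):
        # Once auth is back on, the placeholder token is rejected (the 403 in the report).
        return 403 if self.auth_enabled and not token.startswith("jwt-") else 200

class Client:
    """Assumed client behaviour: re-login only once 9/10 of the last tokenTtl has elapsed."""
    def __init__(self, server):
        self.server, self.token, self.refresh_at = server, None, 0
    def get_token(self, now_s):
        if self.token is None or now_s >= self.refresh_at:
            resp = self.server.login(now_s)
            self.token = resp["accessToken"]
            self.refresh_at = now_s + resp["tokenTtl"] * 9 // 10
        return self.token

def refresh_delay(ttl_fn, t0=T0):
    """Seconds after the first login before the client would log in again."""
    client = Client(Server(ttl_fn))
    client.get_token(t0)
    return client.refresh_at - t0

def run_scenario(ttl_fn, t0=T0):
    """Login with auth off, restore auth at the 5h mark, probe at 4.5h, 5h and 10h."""
    server = Server(ttl_fn)
    client = Client(server)
    client.get_token(t0)
    statuses = []
    for dt in (16200, 18000, 36000):
        server.auth_enabled = dt >= TOKEN_VALIDITY_SECONDS   # auth restored after the 5h wait
        statuses.append(server.request(client.get_token(t0 + dt)))
    return statuses
```

With the reported logic the next refresh is about 49 years away and every probe after auth is restored fails; with the proposed logic the client recovers by its next scheduled refresh.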

@KomachiSion KomachiSion added kind/bug Category issues or prs related to bug. plugin labels May 10, 2024
@KomachiSion (Collaborator)

welcome to fix it

@KomachiSion (Collaborator)

Before fixing, also consider this: currently the token returned when auth is not enabled is a fixed value, so the token carries no ttl information. Should the token for the auth-disabled case be changed as well, so that it carries ttl information?

@DemonHugo (Contributor, Author)

DemonHugo commented May 10, 2024

> Before fixing, also consider this: currently the token returned when auth is not enabled is a fixed value, so the token carries no ttl information. Should the token for the auth-disabled case be changed as well, so that it carries ttl information?

For that case, I have currently adjusted the condition in the method com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager#createToken to:

  1. Return the fixed value if and only if auth is disabled and no secret key (salt) is configured
  2. When auth is disabled but the secret key is correctly configured, generate a token normally

if (!authConfigs.isAuthEnabled() && null == jwtParser) {
    // auth off and no key configured: keep the fixed placeholder token
    return AUTH_DISABLED_TOKEN;
} else if (authConfigs.isAuthEnabled()) {
    checkJwtParser();
}

DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 12, 2024
fix issue alibaba#12060

1. fix too large ttl when auth disabled
2. generate a valid token when key is valid even if auth disabled
DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 13, 2024
DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 13, 2024
DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 16, 2024
KomachiSion pushed a commit that referenced this issue May 20, 2024
* [ISSUE #12060]  fix too large ttl when auth disabled

fix issue #12060

1. fix too large ttl when auth disabled
2. generate a valid token when key is valid even if auth disabled

* [ISSUE #12060]  add unit test

* [ISSUE #12060] fix style issue
@KomachiSion KomachiSion linked a pull request May 20, 2024 that will close this issue