
When Nacos authentication is temporarily disabled, the tokenTtl field in the login response is far too large; after authentication is re-enabled, clients fail en masse with 403 errors #12060

Open
DemonHugo opened this issue May 6, 2024 · 3 comments
Labels
kind/bug Category issues or prs related to bug. plugin

Comments

@DemonHugo

Describe the bug
After upgrading Nacos from 2.0.3 to the latest version, the response of POST:/nacos/v1/auth/login changed, so applying the same strategy we used to mitigate the default.token.secret.key vulnerability now results in 403 errors.

Original procedure:

  1. Edit the configuration file application.properties:
     a. Set nacos.core.auth.default.token.secret.key to a new key,
     b. Set nacos.core.auth.enabled to false to temporarily disable authentication
  2. Restart Nacos
  3. Wait 5 hours (18000s), set nacos.core.auth.enabled to true, and restart Nacos

Expected behavior
After setting nacos.core.auth.enabled to false in the configuration file, the login endpoint should return the following:

{
    "accessToken": "xxx",
    "tokenTtl": 18000,
    "globalAdmin": true,
    "username": "xxx"
}

Actual behavior

After setting nacos.core.auth.enabled to false in the configuration file, the login endpoint actually returns the following:

{
    "accessToken": "AUTH_DISABLED",
    "tokenTtl": 1715002590,
    "globalAdmin": true,
    "username": "xxx"
}

The core problem is the tokenTtl field. In the method com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager#getTokenTtlInSeconds, for the case where authentication is temporarily disabled, the TTL is computed as:

if (!authConfigs.isAuthEnabled()) {
    // current epoch seconds plus the validity: an absolute timestamp, not a duration
    return TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis()) + tokenValidityInSeconds;
}

Here the TTL is returned as a very large value, and since the client's token refresh interval is 9/10 of the TTL, the client will almost never call the login endpoint again to obtain a new token.
Would it be more reasonable to return the value of tokenValidityInSeconds here?

@KomachiSion KomachiSion added kind/bug Category issues or prs related to bug. plugin labels May 10, 2024
@KomachiSion
Collaborator

welcome to fix it

@KomachiSion
Collaborator

Before fixing this, also consider: currently the token returned when authentication is disabled is a fixed value, so the token carries no TTL information. Should the token for the auth-disabled case also be changed to carry TTL information?

@DemonHugo
Author

DemonHugo commented May 10, 2024

Before fixing this, also consider: currently the token returned when authentication is disabled is a fixed value, so the token carries no TTL information. Should the token for the auth-disabled case also be changed to carry TTL information?

For this case, I have currently adjusted the condition in the method com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager#createToken to:

  1. Return the fixed value if and only if authentication is disabled and no secret key is configured
  2. When authentication is disabled but a secret key is correctly configured, generate a token normally

if (!authConfigs.isAuthEnabled() && null == jwtParser) {
    // auth disabled and no secret key configured: keep returning the fixed placeholder
    return AUTH_DISABLED_TOKEN;
} else if (authConfigs.isAuthEnabled()) {
    // auth enabled: a parser (and therefore a key) is mandatory
    checkJwtParser();
}
// otherwise (auth disabled but key configured) fall through and sign a real token
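As an added illustration (not code from the Nacos project), the following standalone Java class models the two decisions discussed in this thread: how getTokenTtlInSeconds computes the TTL while authentication is disabled (reported behaviour beside the proposed one) and the proposed createToken condition. The class name, method names, the stubbed signing and the constructed clock value are assumptions; the "client re-logs in after 9/10 of the TTL" rule is taken from the issue text and modelled here as an assumption about client behaviour, not from the real Nacos client. The constructed clock value reproduces the 1715002590 seen in the issue.

```java
import java.util.concurrent.TimeUnit;

// Illustration only; not Nacos code. Names and the signing stub are hypothetical.
public class TokenTtlDemo {

    static final String AUTH_DISABLED_TOKEN = "AUTH_DISABLED";

    // Reported behaviour: with auth disabled, the TTL is epoch seconds plus validity,
    // i.e. an absolute timestamp rather than a duration.
    static long reportedTtlSeconds(boolean authEnabled, long tokenValidityInSeconds, long nowMillis) {
        if (!authEnabled) {
            return TimeUnit.MILLISECONDS.toSeconds(nowMillis) + tokenValidityInSeconds;
        }
        return tokenValidityInSeconds;
    }

    // Proposed behaviour: the TTL is always the configured validity, independent of the clock.
    static long proposedTtlSeconds(long tokenValidityInSeconds) {
        return tokenValidityInSeconds;
    }

    // Proposed createToken condition from the thread: return the fixed placeholder only
    // when auth is disabled AND no secret key is configured; with a key present, sign a
    // real token even while auth is disabled, so clients hold a usable token once auth
    // is switched back on. Signing is replaced by a prefix here (hypothetical stub).
    static String createToken(boolean authEnabled, boolean keyConfigured, String username) {
        if (!authEnabled && !keyConfigured) {
            return AUTH_DISABLED_TOKEN;
        }
        if (!keyConfigured) {
            // corresponds to checkJwtParser() failing when auth is on but no key is set
            throw new IllegalStateException("auth enabled but no token secret key configured");
        }
        return "signed-jwt-for-" + username;
    }

    // Client side as described in the issue: re-login after 9/10 of the advertised TTL.
    static long refreshAfterSeconds(long ttlSeconds) {
        return ttlSeconds * 9 / 10;
    }

    // Sanity check an operator can apply to the login response before re-enabling auth:
    // a TTL larger than the configured validity is a timestamp, not a duration.
    static boolean ttlLooksLikeDuration(long ttlSeconds, long tokenValidityInSeconds) {
        return ttlSeconds > 0 && ttlSeconds <= tokenValidityInSeconds;
    }

    public static void main(String[] args) {
        long validity = 18000L;            // default token validity, 5 hours
        long nowMillis = 1714984590000L;   // constructed clock value; yields the 1715002590 from the issue

        long reported = reportedTtlSeconds(false, validity, nowMillis);
        long proposed = proposedTtlSeconds(validity);

        System.out.println("reported tokenTtl=" + reported
                + " -> client re-logs in after " + refreshAfterSeconds(reported) + " s"
                + " (~" + TimeUnit.SECONDS.toDays(refreshAfterSeconds(reported)) / 365 + " years)"
                + ", looks like a duration: " + ttlLooksLikeDuration(reported, validity));
        System.out.println("proposed tokenTtl=" + proposed
                + " -> client re-logs in after " + refreshAfterSeconds(proposed) + " s"
                + ", looks like a duration: " + ttlLooksLikeDuration(proposed, validity));

        // Tokens issued during the auth-disabled window, with and without a configured key.
        System.out.println("auth off, no key : " + createToken(false, false, "nacos"));
        System.out.println("auth off, key set: " + createToken(false, true, "nacos"));
        System.out.println("auth on,  key set: " + createToken(true, true, "nacos"));
    }
}
```

Running this shows why clients that logged in during the auth-disabled window keep presenting the placeholder token after authentication is re-enabled: with the reported TTL they would not re-login for roughly 48 years, whereas with the proposed TTL they re-login after 16200 s. The ttlLooksLikeDuration check is the kind of pre-flight comparison worth making against the real login response before switching nacos.core.auth.enabled back to true.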

DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 12, 2024
fix issue alibaba#12060

1. fix too large ttl when auth disabled
2. generate a valid token when key is valid even if auth disabled
DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 13, 2024
DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 13, 2024
DemonHugo added a commit to DemonHugo/nacos that referenced this issue May 16, 2024

2 participants