coldbox-modules / cbsecurity Goto Github PK

For anyone making the transition from ColdBox 3 to ColdBox 4 by now using the cbsecurity module, be aware that this module no longer passes a reference to the MessageBox plugin when it calls your userValidator function. Your userValidator function used to need to handle three parameters as seen in the wiki but now just needs to support two. Maybe some additional up to date examples would be helpful for this unless I just missed it somewhere.

SecurityService.cfc

component singleton {
  // Inject the MessageBox module yourself
  property name="MessageBox" inject="MessageBox@cbmessagebox";

  // Custom User Validator
  boolean function userValidator(struct rule, any controller){
    var isAllowed = YourSpecialLogic();

    if (!isAllowed) {
      MessageBox.warning("Permission denied.");
    }

    return isAllowed;
  }
}

I think the double backslashes in the sample code are incorrect
user\.login will match user.login and not user.login, so trying to match an invalid event?

What are the steps to reproduce this issue?

1. I am using Cbsecurity and cbauth modules.

2. I added Jwt settings in "/config/Coldbox.cfc" (moduleSettings).

3. I am expecting to generate "refresh_token" On hitting url.

4. But it is not doing the same as per the documentation (https://coldbox-security.ortusbooks.com/jwt/refresh-tokens).

5. Settings used:
   cbsecurity : {
   // The WireBox ID of the authentication service to use in cbSecurity which must adhere to the cbsecurity.interfaces.IAuthService interface.
   authenticationService : "authenticationService@cbauth",
   // WireBox ID of the user service to use
   userService : "",
   // The name of the variable to use to store an authenticated user in prc scope if using a validator that supports it.
   prcUserVariable : "oCurrentUser",
   // JWT Settings
   jwt : {
   // The issuer authority for the tokens, placed in the iss claim
   issuer : "",
   // The jwt secret encoding key, defaults to getSystemEnv( "JWT_SECRET", "" )
   // This key is only effective within the config/Coldbox.cfc. Specifying within a module does nothing.
   secretKey : getSystemSetting( "JWT_SECRET", "" ),
   // by default it uses the authorization bearer header, but you can also pass a custom one as well.
   customAuthHeader : "x-auth-token",
   // The expiration in minutes for the jwt tokens
   expiration : 60,
   // If true, enables refresh tokens, token creation methods will return a struct instead
   // of just the access token. e.g. { access_token: "", refresh_token : "" }
   enableRefreshTokens : false,
   // The default expiration for refresh tokens, defaults to 30 days
   refreshExpiration : 10080,
   // The Custom header to inspect for refresh tokens
   customRefreshHeader : "x-refresh-token",
   // If enabled, the JWT validator will inspect the request for refresh tokens and expired access tokens
   // It will then automatically refresh them for you and return them back as
   // response headers in the same request according to the customRefreshHeader and customAuthHeader
   enableAutoRefreshValidator : false,
   // Enable the POST > /cbsecurity/refreshtoken API endpoint
   enableRefreshEndpoint : true,
   // encryption algorithm to use, valid algorithms are: HS256, HS384, and HS512
   algorithm : "HS512",
   // Which claims neds to be present on the jwt token or TokenInvalidException upon verification and decoding
   requiredClaims : [] ,
   // The token storage settings
   tokenStorage : {
   // enable or not, default is true
   "enabled" : true
   // A cache key prefix to use when storing the tokens
   "keyPrefix" : "cbjwt_",
   // The driver to use: db, cachebox or a WireBox ID
   "driver" : "cachebox",
   // Driver specific properties
   "properties" : {
   cacheName : "default"
   }
   }
   }
   }

6. Enable this setting ( enableRefreshTokens : false,) to true.

What happens?

Not updating module config variables.

What were you expecting to happen?

....

Any logs, error output, etc?

Not Found!

Any other comments?

....

What versions are you using?

Operating System: Windows
Package Version: 11

The docs state for JWT I should use the JWTValidator, however, it doesn't seem to exist?

https://coldbox-security.ortusbooks.com/jwt/jwt-validator

cbsecurity.models.JwtValidator

cbsecurity = { validator = "JwtValidator@cbsecurity" }

Yet there is no JwTValidator in cbsecurity.models?

https://github.com/coldbox-modules/cbox-security/wiki/How-it-Works is missing a flow diagram which was present in the original wiki.
Without this diagram it is very hard to understand how cbsecurity works.
The firewall part is clear (at least to me, but I am using this for many years now)
But what might be difficult to understand and is not so "firewall like"

• if an event or URL is WHITELISTED, on a whitelist match the rule is more or less ignored and you continue to the following rule.
• if an event is MATCHED in securylist, this is the LAST rule which will be evaluated, no matter if you are in a role or not (cfsecurity) or no matter if your custom validator returns true or false. If false you will be redirected and all other rules will be ingnored. This is absolutely important for the order of rules (so mor specific rules first). The analogy with firewalls also fails a bit here, because in firewall most of the time you have a BLOCK or ALLOW rule. Here a rule can be both, depending on the outcome of your validator.

If you still have the original flow diagram somewhere it would be very helpful, at least it made me understand the cbsecurity. If the diagram is there I will volunteer for writing a bit more elaborated example so this stuff is easier to understand.

What are the steps to reproduce this issue?

1. When using Oracle db
2. Enable visualizer in cbsecurity
3. Set "autoCreate" to true in /config/cbsecurity.cfc > Firewall > logs

What happens?

Error when creating securityRule column - Invalid DataType ( LongText )

What were you expecting to happen?

For Oracle, using ( CLOB ) works in place of LongText

Any logs, error output, etc?

…

Any other comments?

…

What versions are you using?

CBSecurity 3.4.1, ColdBox 7, Oracle 12c
Operating System: …
Ubuntu 22 LTS
Package Version: …

What are the steps to reproduce this issue?

1. Create a new ColdBox App and install cbsecurity.
2. Use the configuration defaults if you like.
3. Ensure eventCaching is true in your Coldbox.cfc config file.
4. Enable inline event caching on the Main.cfc handler's Index() method:

function index( event, rc, prc ) cache="true" cacheTimeout="60" {
 ...
}

6. Start the server and load the web root /

7. Note the response headers:
   

8. Refresh the browser to bring up the cached event

9. Note all of the response headers added by cbsecurity are duplicated:

What happens?

Response headers are duplicated. This occurs on both Lucee and ACF engines.

Any other comments?

Perhaps setHTTPHeader() in RequestContext could have an additional boolean argument called overwrite. If set to true, it would check the existing header array and overwrite if it finds a match.

function setHTTPHeader( 
     statusCode, 
     statusText = "", 
     name, 
     value = "", 
     boolean overwrite=true
 ){

The overwrite argument must also be passed to addHeader() on the response object so the array can be checked first.

The downside of the above approach is the additional processing time required for checking the array every time you want to add a header. Therefore, it may not be the most performant way to solve the problem.

Here's a reference to the specs on HTTP headers.
https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.2

Based on my interpretation, header names should not be duplicated, except for special cases like Set-Cookie. Browsers will interpret duplicate header key names as a comma-separated list, like this:

Strict-Transport-Security: max-age: 31536000;
Strict-Transport-Security: max-age: 31536000;

The above will be interpreted as:

Strict-Transport-Security: max-age: 31536000, max-age: 31536000;

Depending on the header, it could cause unintended issues.

What versions are you using?

Operating System: Windows Server + Commandbox
Package Version: 3.4.2+4