coldbox-modules / cbsecurity Goto Github PK
View Code? Open in Web Editor NEWAnnotation, rule driven security and authentication for ColdBox Applications!
Home Page: https://coldbox-security.ortusbooks.com
Annotation, rule driven security and authentication for ColdBox Applications!
Home Page: https://coldbox-security.ortusbooks.com
For anyone making the transition from ColdBox 3 to ColdBox 4 by now using the cbsecurity module, be aware that this module no longer passes a reference to the MessageBox plugin when it calls your userValidator function. Your userValidator function used to need to handle three parameters as seen in the wiki but now just needs to support two. Maybe some additional up to date examples would be helpful for this unless I just missed it somewhere.
SecurityService.cfc
component singleton {
// Inject the MessageBox module yourself
property name="MessageBox" inject="MessageBox@cbmessagebox";
// Custom User Validator
boolean function userValidator(struct rule, any controller){
var isAllowed = YourSpecialLogic();
if (!isAllowed) {
MessageBox.warning("Permission denied.");
}
return isAllowed;
}
}
I think the double backslashes in the sample code are incorrect
user\.login will match user.login and not user.login, so trying to match an invalid event?
I am using Cbsecurity and cbauth modules.
I added Jwt settings in "/config/Coldbox.cfc" (moduleSettings).
I am expecting to generate "refresh_token" On hitting url.
But it is not doing the same as per the documentation (https://coldbox-security.ortusbooks.com/jwt/refresh-tokens).
Settings used:
cbsecurity : {
// The WireBox ID of the authentication service to use in cbSecurity which must adhere to the cbsecurity.interfaces.IAuthService interface.
authenticationService : "authenticationService@cbauth",
// WireBox ID of the user service to use
userService : "",
// The name of the variable to use to store an authenticated user in prc scope if using a validator that supports it.
prcUserVariable : "oCurrentUser",
// JWT Settings
jwt : {
// The issuer authority for the tokens, placed in the iss
claim
issuer : "",
// The jwt secret encoding key, defaults to getSystemEnv( "JWT_SECRET", "" )
// This key is only effective within the config/Coldbox.cfc
. Specifying within a module does nothing.
secretKey : getSystemSetting( "JWT_SECRET", "" ),
// by default it uses the authorization bearer header, but you can also pass a custom one as well.
customAuthHeader : "x-auth-token",
// The expiration in minutes for the jwt tokens
expiration : 60,
// If true, enables refresh tokens, token creation methods will return a struct instead
// of just the access token. e.g. { access_token: "", refresh_token : "" }
enableRefreshTokens : false,
// The default expiration for refresh tokens, defaults to 30 days
refreshExpiration : 10080,
// The Custom header to inspect for refresh tokens
customRefreshHeader : "x-refresh-token",
// If enabled, the JWT validator will inspect the request for refresh tokens and expired access tokens
// It will then automatically refresh them for you and return them back as
// response headers in the same request according to the customRefreshHeader and customAuthHeader
enableAutoRefreshValidator : false,
// Enable the POST > /cbsecurity/refreshtoken API endpoint
enableRefreshEndpoint : true,
// encryption algorithm to use, valid algorithms are: HS256, HS384, and HS512
algorithm : "HS512",
// Which claims neds to be present on the jwt token or TokenInvalidException
upon verification and decoding
requiredClaims : [] ,
// The token storage settings
tokenStorage : {
// enable or not, default is true
"enabled" : true
// A cache key prefix to use when storing the tokens
"keyPrefix" : "cbjwt_",
// The driver to use: db, cachebox or a WireBox ID
"driver" : "cachebox",
// Driver specific properties
"properties" : {
cacheName : "default"
}
}
}
}
Enable this setting ( enableRefreshTokens : false,) to true.
Not updating module config variables.
....
....
Operating System: Windows
Package Version: 11
The docs state for JWT I should use the JWTValidator, however, it doesn't seem to exist?
https://coldbox-security.ortusbooks.com/jwt/jwt-validator
cbsecurity.models.JwtValidator
cbsecurity = { validator = "JwtValidator@cbsecurity" }
Yet there is no JwTValidator in cbsecurity.models?
https://github.com/coldbox-modules/cbox-security/wiki/How-it-Works is missing a flow diagram which was present in the original wiki.
Without this diagram it is very hard to understand how cbsecurity works.
The firewall part is clear (at least to me, but I am using this for many years now)
But what might be difficult to understand and is not so "firewall like"
If you still have the original flow diagram somewhere it would be very helpful, at least it made me understand the cbsecurity. If the diagram is there I will volunteer for writing a bit more elaborated example so this stuff is easier to understand.
Error when creating securityRule column - Invalid DataType ( LongText )
For Oracle, using ( CLOB ) works in place of LongText
…
…
CBSecurity 3.4.1, ColdBox 7, Oracle 12c
Operating System: …
Ubuntu 22 LTS
Package Version: …
eventCaching
is true
in your Coldbox.cfc config file.function index( event, rc, prc ) cache="true" cacheTimeout="60" {
...
}
Start the server and load the web root /
Refresh the browser to bring up the cached event
Note all of the response headers added by cbsecurity are duplicated:
Response headers are duplicated. This occurs on both Lucee and ACF engines.
Perhaps setHTTPHeader()
in RequestContext could have an additional boolean argument called overwrite
. If set to true, it would check the existing header array and overwrite if it finds a match.
function setHTTPHeader(
statusCode,
statusText = "",
name,
value = "",
boolean overwrite=true
){
The overwrite
argument must also be passed to addHeader()
on the response object so the array can be checked first.
The downside of the above approach is the additional processing time required for checking the array every time you want to add a header. Therefore, it may not be the most performant way to solve the problem.
Here's a reference to the specs on HTTP headers.
https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.2
Based on my interpretation, header names should not be duplicated, except for special cases like Set-Cookie
. Browsers will interpret duplicate header key names as a comma-separated list, like this:
Strict-Transport-Security: max-age: 31536000;
Strict-Transport-Security: max-age: 31536000;
The above will be interpreted as:
Strict-Transport-Security: max-age: 31536000, max-age: 31536000;
Depending on the header, it could cause unintended issues.
Operating System: Windows Server + Commandbox
Package Version: 3.4.2+4
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.