albogdano on master
fixed assets version number sho… (compare)
albogdano on master
fixed git revision should not b… (compare)
@albogdano Before support of nested fields user accounts were created with invalid name/email.
Now accounts are created with correct info, but there are two cases:
I think it should get updated at Scoold on every sign in, because that user info is owned by OIDC/LDAP and they are the only source of truth about user.
Worth to notice that we have no picture
config and it's only customizable by user. It would be evil to reset their image to default on every sign in :smiling_imp:
But when our OIDC let us fill para.security.oauth.parameters.picture = "picture"
i would set para.avatar_edits_enabled = false
and expect pictures to get updated on sign in just like other data from identity providers.
oa2:sub
objects where sub is the sub
ID
user
for each problematic user
user
object -> Scoold profile
object
123
then you changed settings and that same user logged in but now with sub 345
and a new user was created so you now have "dead" user objects which need to be deleted
@albogdano AD
is a storage for user data, LDAP
and OIDC
are just different ways to get them.
I could have been wrong about the Scoold users being stored in Mongo (which we use with Para), as You say they are stored in Para. So there's no mongo in process.
OIDC data for para between versions was like:
scoold v. | sub | email | name
1.45.0 | 123 | |
1.46.3 | 123 | user@company.com | Best User (His Department)
Also users were able to sign in their No Name accounts using LDAP wchich has a valid user info.
In fact that was our workaround - first login with username/pass trough LDAP to create Scoold account, then use OIDC wchich supports SSO.
In result they got full user data in Scoold, and sign in with OIDC didn't clear user name or email.
While signed in with opposite order, No Name account were created for Scoold and no info were updated after LDAP sign in to the same account.
I'll try to investigate this more after the weekend.
Thank you for your help and have a nice weekend :smiley:
user
objects in Para and if they have the correct user data from OIDC
@albogdano At last I had some time to investigate Scoold users.
Looks like there is a problem with profile
update.
While user
was updated with correct name
, profile
have old wrong name
and new correct originalName
.
Search query:para-cli search "creatorid:ID* OR id:ID*"
Where ID
is a id
field value from result of:para-cli search "type:user AND email:greatuser*"
For users that used ldap and oa2 to login, result is (excluding posts/queries/votes etc.):
sysprop | identifier | id:ldap:...
sysprop | identifier | id:oa2:...
type | profile
type | user
On profile
we have name
and originalName
.profile
where identifier
for ldap
was created before oa2
got valid name
and originalName
seems ok.profile
where identifier
for oa2
was created before ldap
(and before last update which fixed oa2) got invalid name
but originalName
seems ok.
Also I have found that long time ago I had different name pattern from ldap
like User Name (login)
and oa2
is User Name (Office)
.
My own profile
is one of oldest and it has name
in old format, but originalName
have been updated from oa2
.
Last time I used oa2
to signin.
Seems that Scoold uses name
field from profile
which is not updated with data from identity providers (ldap, oa2).
I didn't write about user
object as it contains valid name.
If it would help I can paste this objects.
para.session_timeout = 21600
for 6h session duration (in seconds) and restart. In 6h the auth cookie willpara.jwt_expires_after = 21600
or by updating your Para app object to have a property tokenValiditySec: tokenValiditySec
Yes, will set up an Elasticsearch server
Regarding the server unhealthy message, it was this
2021-11-02 10:56:11 [WARN ] Server is unhealthy - the search index may be corrupted and may have to be rebuilt.
then after I ran para-cli rebuild-index
, the log message was
[INFO ] Server is healthy.
@se-alexnsa I'm pretty sure that your search index is not stored to disk properly. check if the
./data
folder is mounted properly as a volume if using docker.
We're using AWS Fargate.
When running locally using docker, data is at /para/data
I didn't physically mount it, but it was already there when I spun up the container. Do we need to do something differently there?
And how can that be mounted when using Fargate too?
erudikaltd/para-search-elasticsearch
image to our already existing dockerfile?
@albogdano Hello! :)
My organization's security team found few bugs in Scoold.
There's no check of what user set, and its served to all other users as avatar.
User can setup malicious link, containing js code which for exapmle could steal auth tokens from cookies.
As example this URL were given:
https://suvroc.github.io/security-demos/XSS/reflectedXSS.html?name=%3Cscript%3Ealert%3C/script%3E
Recommendations:
References:
Cookie scoold-auth
with JWT can be stolen and it's valid for 7 days.
Also user session is not closed after logout, with stolen cookie it's possible to get access without login.
Recommendations:
References:
I've seen para.jwt_expires_after
few posts before.
Correct me if i'm wrong, when set to 300
it will make JWT expire after 5min? It should fix 7 days problem.
But it won't solve existing session after logout.
Is there anything that can be done to fix them?
@pikrakpzu Hey, thanks for this! I will work on the code to address these points.
On the first topic: I don't think that's even possible because Scoold has a pretty strict CSP - https://cspvalidator.org/#url=https://live.scoold.com
Security headers are also in place - https://securityheaders.com/?q=https%3A%2F%2Flive.scoold.com&followRedirects=on
There's always room for improvement here and I will soon add filtering of the actual URLs for avatars
On the second topic: Scoold does not use sessions at all - it uses JWTs instead. It's a similar concept and JWTs can be made to expire after a configurable time period.para.session_timeout
is the validity period in seconds for the auth cookie itself, para.jwt_expires_after
is the validity period in seconds for the JWT token inside the auth cookie.
Again, here we can tighten security by only allowing one valid JWT per user/browser. It should be pretty straightforward to implement this.
yes, you need to add the plugin image as a layer on top of the Para Docker image
If I do that, do I still need to download this jar file as well:
https://github.com/Erudika/para-search-elasticsearch/releases
great
also since mounting the volume, we no longer get indexing errors, but now instead have this error
Application run failed org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'; nested exception is org.springframework.boot.web.server.WebServerException:
could this be because something has changed location now?
____ ___ _ ____ ___ _
/ __ \/ __` / ___/ __` /
/ /_/ / /_/ / / / /_/ /
/ .___/\__,_/_/ \__,_/ v1.40.1-SNAPSHOT
/_/
2021-11-24 14:08:45 [INFO ] --- Para.initialize() [production] ---
2021-11-24 14:08:45 [INFO ] Loaded new DAO, Search and Cache implementations - SqlDAO, LuceneSearch and CaffeineCache.
2021-11-24 14:08:46 [INFO ] HikariPool-1 - Starting...
2021-11-24 14:08:46 [INFO ] HikariPool-1 - Start completed.
2021-11-24 14:08:51 [INFO ] Server is healthy.
2021-11-24 14:08:51 [INFO ] Found root app 'para' and 0 existing child app(s).
2021-11-24 14:08:55 [INFO ] Queue 'para-default' could not be found: software.amazon.awssdk.services.sqs.model.QueueDoesNotExistException: The specified queue does not exist for this wsdl version. (Service: Sqs, Status Code: 400, Request ID: e7c38864-0824-594a-91fd-d27c419227a6, Extended Request ID: null)
2021-11-24 14:08:55 [ERROR] null
java.util.concurrent.ExecutionException: software.amazon.awssdk.services.sqs.model.SqsException: Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied. (Service: Sqs, Status Code: 403, Request ID: 08a4be23-07df-519e-9d7e-e43b4e68cf72, Extended Request ID: null)
at java.base/java.util.concurrent.CompletableFuture.reportGet(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.get(Unknown Source)
at com.erudika.para.queue.AWSQueueUtils.createQueue(AWSQueueUtils.java:95)
at com.erudika.para.queue.AWSQueue.getUrl(AWSQueue.java:89)
at com.erudika.para.queue.AWSQueue.startPolling(AWSQueue.java:65)
at com.erudika.para.ParaServer.initialize(ParaServer.java:157)
at com.erudika.para.ParaServer.runAsJAR(ParaServer.java:423)
at com.erudika.para.ParaServer.main(ParaServer.java:432)
at com.erudika.para.Run.main(Run.java:26)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:467)
Caused by: software.amazon.awssdk.services.sqs.model.SqsException: Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied. (Service: Sqs, Status Code: 403, Request ID: 08a4be23-07df-519e-9d7e-e43b4e68cf72, Extended Request ID: null)
at software.amazon.awssdk.services.sqs.model.SqsException$BuilderImpl.build(SqsException.java:95)
at software.amazon.awssdk.services.sqs.model.SqsException$BuilderImpl.build(SqsException.java:55)
at software.amazon.awssdk.protocols.query.internal.unmarshall.AwsXmlErrorUnmarshaller.unmarshall(AwsXmlErrorUnmarshaller.java:99)
at software.amazon.awssdk.protocols.query.unmarshall.AwsXmlErrorProtocolUnmarshaller.handle(AwsXmlErrorProtocolUnmarshaller.java:102)
at software.amazon.awssdk.protocols.query.unmarshall.AwsXmlErrorProtocolUnmarshaller.handle(AwsXmlErrorProtocolUnmarshaller.java:82)
at software.amazon.awssdk.core.http.MetricCollectingHttpResponseHandler.lambda$handle$0(MetricCollectingHttpResponseHandler.java:52)
at software.amazon.awssdk.core.internal.util.MetricUtils.measureDurationUnsafe(MetricUtils.java:64)
at software.amazon.awssdk.core.http.MetricCollectingHttpResponseHandler.handle(MetricCollectingHttpResponseHandler.java:52)
at software.amazon.awssdk.core.internal.http.async.AsyncResponseHandler.lambda$prepare$0(AsyncResponseHandler.java:89)
at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.complete(Unknown Source)
at software.amazon.awssdk.core.internal.http.async.AsyncResponseHandler$BaosSubscriber.onC