Changed file download without token

Hello, why does the download link in the callback from the changed file work without a token? Of course you would have to find out the URL first, but in principle I find it unsafe. Is there a way to change that?


Hey @parceval
Let’s delve into your scenario a bit more. It’s not entirely clear where potential security issues may arise when using JWT. Could you provide more details or specify the areas of concern?

Just the normal scenario. I only have the JS API in an html test where I also set the callback url. The callback delivers a JSON with, among other things, the download URL of the processed file. And I can open this URL without a token.

The URL you mention, do you mean where it welcomes you?
Or does it mean that when you connect it to a cloud it allows you to work on the documentserver?

do you really have a password declared in the local.json file?

I mean the URL that you get back from the onlyoffice server to download the edited file. And yes I put a secret key to the local.json to all three options like “inbox”, “outbox” and “session”. And the API Key to open the API.js

Do you use it in nextcloud or in what service?

If so, do you leave it blank in the password box and will it still connect?

Where do you have onlyoffice-ds installed?

I installed onlyoffice 7.1 on an ubuntu server. And I will it integrate in my own Java Tomcat webapp. This is my test case:

and here is my local.json

I don’t mean connecting through the API. The token works there. But the API sends a callback url back to my server when the file has finished processing. And in the JSON that is sent from the onlyoffice server there is also a download URL to the new file. And you can use this URL without a token.

@infinityysteel , thank you for your assistance :handshake:

A new version of ONLYOFFICE Docs 7.5.0 is now available.

The link is not token-protected. However, the message with the status is fully secured with a token. This link can only be obtained through callback handler, so it’s just your application that has access to it.
It’s not possible to obtain it using brute-force attack, for instance, and it’s protected with secure link.
Thus we can’t think of a scenario posing a security concern here. If you have a detailed scenario of how this could potentially pose security issues (from the document server side) or if you consider this behavior to be incorrect, please provide it.

Security is our top priority.

Thanks for your answer. I really don’t have much of a clue, but all information like url, state, changes, user etc. is passed to my callback url and these are in the clear text. In addition, the token is also handed over where all the information is included. But I can also read the information without the token. Or am I still missing a setting somewhere?

Yes I know but I tried to install 7.4 or now 7.5 on a fresh debian and I don’t know whats the problem is, but it does not work. But maybe this is anohter topic :wink: