fix #3556 - pad token secret to 32 characters to resolve IDX1-720, change id of "secret" input to reduce chance of form autocomplete causing issues

2023-12-18 09:51:18 -05:00 · 2023-12-18 09:51:18 -05:00 · c5d4e237ad
commit c5d4e237ad
parent 7c206af757
3 changed files with 37 additions and 24 deletions
--- a/Oqtane.Client/Modules/Admin/Users/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Users/Index.razor
@ -372,10 +372,10 @@ else
 					</Section>
 					<Section Name="Token" Heading="Token Settings" ResourceKey="TokenSettings">
 						<div class="row mb-1 align-items-center">
-							<Label Class="col-sm-3" For="secret" HelpText="If you want to want to provide API access, please specify a secret which will be used to encrypt your tokens. The secret should be 16 characters or more to ensure optimal security. Please note that if you change this secret, all existing tokens will become invalid and will need to be regenerated." ResourceKey="Secret">Secret:</Label>
+							<Label Class="col-sm-3" For="jwtsecret" HelpText="If you want to want to provide API access, please specify a secret which will be used to encrypt your tokens. The secret should be 16 characters or more to ensure optimal security. Please note that if you change this secret, all existing tokens will become invalid and will need to be regenerated." ResourceKey="Secret">Secret:</Label>
 							<div class="col-sm-9">
 								<div class="input-group">
-									<input type="@_secrettype" id="secret" class="form-control" @bind="@_secret" />
+									<input type="@_secrettype" id="jwtsecret" class="form-control" @bind="@_secret" />
 									<button type="button" class="btn btn-secondary" @onclick="@ToggleSecret">@_togglesecret</button>
 								</div>
 							</div>
@ -619,7 +619,6 @@ else
 				settings = SettingService.SetSetting(settings, "ExternalLogin:CreateUsers", _createusers, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:VerifyUsers", _verifyusers, true);

-				if (!string.IsNullOrEmpty(_secret) && _secret.Length < 16) _secret = (_secret + "????????????????").Substring(0, 16);
 				settings = SettingService.SetSetting(settings, "JwtOptions:Secret", _secret, true);
 				settings = SettingService.SetSetting(settings, "JwtOptions:Issuer", _issuer, true);
 				settings = SettingService.SetSetting(settings, "JwtOptions:Audience", _audience, true);
--- a/Oqtane.Client/Modules/Controls/RichTextEditor.razor
+++ b/Oqtane.Client/Modules/Controls/RichTextEditor.razor
@ -1,3 +1,4 @@
+@using System.Text.RegularExpressions
@namespace Oqtane.Modules.Controls
@inherits ModuleControlBase
@inject ISettingService SettingService
@ -5,7 +6,7 @@

 <div class="row" style="margin-bottom: 50px;">
    <div class="col">
-        <TabStrip>
+        <TabStrip ActiveTab="@_activeTab">
            <TabPanel Name="Rich" Heading="Rich Text Editor" ResourceKey="RichTextEditor">
 				@if (_richfilemanager)
 				{
@ -105,6 +106,7 @@
 </div>

@code {
+    private string _activeTab = "Rich";
    private ElementReference _editorElement;
    private ElementReference _toolBar;
    private bool _richfilemanager = false;
@ -150,31 +152,37 @@

    protected override void OnParametersSet()
    {
-		_richhtml = Content;
-		_rawhtml = Content;
-		_originalrawhtml = _rawhtml; // preserve for comparison later
-	}
+        _richhtml = Content;
+        _rawhtml = Content;
+        _originalrawhtml = _rawhtml; // preserve for comparison later
+    }

-	protected override async Task OnAfterRenderAsync(bool firstRender)
-	{
-		await base.OnAfterRenderAsync(firstRender);
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        await base.OnAfterRenderAsync(firstRender);

-		var interop = new RichTextEditorInterop(JSRuntime);
+        var interop = new RichTextEditorInterop(JSRuntime);

-		if (firstRender)
-		{
-			await interop.CreateEditor(
-				_editorElement,
-				_toolBar,
-				ReadOnly,
-				Placeholder,
-				Theme,
-				DebugLevel);
+        if (firstRender)
+        {
+            await interop.CreateEditor(
+                _editorElement,
+                _toolBar,
+                ReadOnly,
+                Placeholder,
+                Theme,
+                DebugLevel);

-			await interop.LoadEditorContent(_editorElement, _richhtml);
+            await interop.LoadEditorContent(_editorElement, _richhtml);
+
+            // preserve a copy of the rich text content (Quill sanitizes content so we need to retrieve it from the editor)
+            _originalrichhtml = await interop.GetHtml(_editorElement);
+            if (_originalrichhtml != _originalrawhtml)
+            {
+                _activeTab = "Raw";
+                StateHasChanged();
+            }

-			// preserve a copy of the rich text content (Quill sanitizes content so we need to retrieve it from the editor)
-			_originalrichhtml = await interop.GetHtml(_editorElement);
 		}
 	}

--- a/Oqtane.Server/Security/JwtManager.cs
+++ b/Oqtane.Server/Security/JwtManager.cs
@ -17,6 +17,9 @@ namespace Oqtane.Security
    {
        public string GenerateToken(Alias alias, ClaimsIdentity identity, string secret, string issuer, string audience, int lifetime)
        {
+            // ensure secret is 256 bits
+            if (secret.Length < 32) secret = (secret + "????????????????????????????????").Substring(0, 32);
+
            var tokenHandler = new JwtSecurityTokenHandler();
            var key = Encoding.ASCII.GetBytes(secret);
            var tokenDescriptor = new SecurityTokenDescriptor
@ -35,6 +38,9 @@ namespace Oqtane.Security
        {
            if (!string.IsNullOrEmpty(token))
            {
+                // ensure secret is 256 bits
+                if (secret.Length < 32) secret = (secret + "????????????????????????????????").Substring(0, 32);
+
                var tokenHandler = new JwtSecurityTokenHandler();
                var key = Encoding.ASCII.GetBytes(secret);
                try