dosubot[bot] commented on issue #722: URL: https://github.com/apache/hugegraph-toolchain/issues/722#issuecomment-4152393766
Hi @jturkar! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the hugegraph-toolchain team.

This looks like the same issue reported in [#721](https://github.com/apache/hugegraph-toolchain/issues/721) — data import via Hubble fails with `Invalid token` when `StandardAuthenticator` is enabled [[1]](https://github.com/apache/hugegraph-toolchain/issues/721).

There are multiple contributing causes:

1. **Random JWT key regenerated on every server restart** — By default, HugeGraph server generates a new random JWT signing key at startup [[2]](https://github.com/apache/hugegraph/blob/9126c80e414c073b60fc074361b211cfb409e0eb/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/config/AuthOptions.java#L72-L78). If the server restarts during an import, all previously issued tokens become invalid, causing `TokenGenerator.verify()` to throw `Invalid token` [[3]](https://github.com/apache/hugegraph/blob/9126c80e414c073b60fc074361b211cfb409e0eb/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/TokenGenerator.java#L59-L71).

2. **No token refresh in Hubble's import pipeline** — Hubble reads the token once when the import task starts and reuses it for the entire duration with no refresh or re-authentication [[4]](https://github.com/apache/hugegraph-toolchain/blob/bc49e6683fcc8f00e32d290cd558a0320c1850a3/hugegraph-hubble/hubble-be/src/main/java/org/apache/hugegraph/service/load/LoadTaskService.java#L362-L363) [[5]](https://github.com/apache/hugegraph-toolchain/blob/bc49e6683fcc8f00e32d290cd558a0320c1850a3/hugegraph-hubble/hubble-be/src/main/java/org/apache/hugegraph/entity/load/LoadTask.java#L162-L169). Long-running imports are vulnerable to token expiration.

**Recommended fix** — Set a **persistent** JWT secret in your `rest-server.properties` so tokens survive server restarts:

```properties
auth.token_secret=YourPersistent32CharacterSecretKey
```

This is also the recommended mitigation for [CVE-2024-43441](https://github.com/apache/incubator-hugegraph-doc/pull/439) and should be applied to all v1.5.0+ deployments.

**Immediate workaround** — If you need to get data imported right away, temporarily disable authentication by removing the `auth.authenticator` config and `PASSWORD` environment variable [[1]](https://github.com/apache/hugegraph-toolchain/issues/721).

Also ensure your toolchain version includes the auth API path fix from [PR #689](https://github.com/apache/incubator-hugegraph-toolchain/pull/689), which updated auth endpoints to be compatible with the 1.7.0 server.
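The failure mode described in the comment above, as an added example that is not HugeGraph's or Hubble's code: a toy HS256 JWT issuer standing in for the server-side `TokenGenerator`, a simulated server restart in the middle of an import, and the two non-disabling remedies side by side, a persistent signing secret (the `auth.token_secret` route) and client-side re-authentication when `Invalid token` comes back. `Server`, `simulate_import`, `is_valid` and the batch contents are constructed for the demo and are not HugeGraph APIs; the HS256 construction is standard JWT and makes no claim about the exact encoding HugeGraph uses.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenGenerator:
    """Toy HS256 JWT issuer/verifier (stand-in for the server's generator).

    With no configured secret a fresh 32-byte random key is drawn, so every
    instance (every server start) signs with a different key.
    """

    def __init__(self, token_secret: Optional[str] = None) -> None:
        self.key = token_secret.encode() if token_secret else secrets.token_bytes(32)

    def create(self, username: str, ttl_seconds: int = 3600) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": username, "exp": int(time.time()) + ttl_seconds}
        payload = _b64url(json.dumps(claims).encode())
        signing_input = f"{header}.{payload}".encode()
        signature = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(signature)}"

    def verify(self, token: str) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("Invalid token")
        header, payload, signature = parts
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Constant-time comparison; a token signed under another key fails here,
        # which is exactly what happens after a restart with a random key.
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            raise ValueError("Invalid token")
        claims = json.loads(_b64url_decode(payload))
        if claims.get("exp", 0) < time.time():
            raise ValueError("Invalid token")
        return claims

    def is_valid(self, token: str) -> bool:
        try:
            self.verify(token)
            return True
        except ValueError:
            return False


class Server:
    """Constructed stand-in for the graph server: login issues a token, each
    load call verifies it, restart() rebuilds the generator as a reboot would."""

    def __init__(self, token_secret: Optional[str] = None) -> None:
        self.token_secret = token_secret
        self.restart()

    def restart(self) -> None:
        self.tokens = TokenGenerator(self.token_secret)

    def login(self, username: str) -> str:
        # Credential check elided for the demo.
        return self.tokens.create(username)

    def load_batch(self, token: str, batch: list) -> int:
        self.tokens.verify(token)
        return len(batch)


def simulate_import(token_secret: Optional[str], refresh_on_invalid: bool,
                    batches: int = 3, restart_before_batch: int = 1):
    """Run an import that reads its token once, with the server restarting
    part-way through. Returns (status, rows_loaded)."""
    server = Server(token_secret)
    token = server.login("admin")
    loaded = 0
    for i in range(batches):
        if i == restart_before_batch:
            server.restart()  # a deploy or crash during a long import
        batch = [f"vertex-{i}-{n}" for n in range(10)]  # constructed rows
        try:
            loaded += server.load_batch(token, batch)
        except ValueError as exc:
            if not refresh_on_invalid:
                return (str(exc), loaded)  # the Hubble behaviour reported above
            token = server.login("admin")  # re-authenticate, then retry the batch
            loaded += server.load_batch(token, batch)
    return ("ok", loaded)


if __name__ == "__main__":
    print("random key, no refresh:", simulate_import(None, False))
    print("persistent secret     :", simulate_import("persistent-secret-from-rest-server-properties", False))
    print("random key, re-auth   :", simulate_import(None, True))
```

The first run stops after one batch with `Invalid token`; the second completes because the secret outlives the restart; the third completes because the client treats `Invalid token` as a signal to log in again rather than as fatal. The two fixes are independent, and a long-running importer benefits from both, since a persistent secret does nothing for a token that simply reaches its expiry.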
