[ https://issues.apache.org/jira/browse/NIFI-13326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17852757#comment-17852757 ]

Matt Gilman commented on NIFI-13326:
------------------------------------

[~nightgryphon] Thanks for following up. The version of the updated UI in the 
2.0.0-M3 release still contained it. It has since been removed [1]. I suspect 
the decoding within the Registry is still an issue.

[1] https://github.com/apache/nifi/pull/8843/files#diff-fecb9efd093fb8a50781886269ce5c3418a487d1bbcc282650360d475905c3c2L73-L85

> UI web token (JWT) decoding error
> ---------------------------------
>
>                 Key: NIFI-13326
>                 URL: https://issues.apache.org/jira/browse/NIFI-13326
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 2.0.0-M2, 2.0.0-M3
>         Environment: Linux Ubuntu 22.04
>            Reporter: Night Gryphon
>            Priority: Major
>         Attachments: UI_base64_bug.png
>
>
> With some combinations of JWT contents the UI cannot decode the received JWT because 
> different base64 modifications are used by server and client.
> At the server side the JWT is generated using URL-safe base64 encoding, which 
> replaces '+' and '/' characters with '-' and '_' respectively.
> But at the UI side the JWT is decoded with the JQuery standard base64 decode function as 
> regular non-URL-safe data, and '-' and '_' characters are dropped by the incoming 
> filter, which corrupts the encoded data.
> The error is within the getJwtPayload() function located at
>  * nifi-framework-bundle\nifi-framework\nifi-web\nifi-web-frontend\src\main\nifi\src\app\service\auth.service.ts
>  * nifi-registry\nifi-registry-core\nifi-registry-web-ui\src\main\webapp\services\nf-storage.service.js
> Function getJwtPayload() calls the JQuery base64 atob() function without 
> appropriate JWT data preparation by replacing '-' and '_' characters back to 
> '+' and '/'. This causes JWT data loss and JavaScript fails at parsing the JWT 
> JSON data.
> The example of an affected UI script is nf-login-all.js, which fails after 
> successful user login and receiving the token.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
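
The mismatch described in the issue, as an added example that is not part of the original message or of the NiFi code base: a decoder that drops '-' and '_' fails on a URL-safe payload segment, while one that maps them back to '+' and '/' first succeeds. The function names, the sample token and its claim values are constructed for illustration.

```javascript
// Added illustration; helper names are hypothetical, not NiFi's own code.
// Constructed, unsigned sample token: the '~' in the subject encodes to '+'
// in standard base64, so the URL-safe payload segment contains '-'.
const toBase64Url = (s) =>
  btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  toBase64Url('{"alg":"HS256","typ":"JWT"}'),
  toBase64Url('{"sub":"ops~1"}'),
  'c2ln', // placeholder signature segment, never verified here
].join('.');

// Models the failure in the report: characters outside the standard
// alphabet are dropped before decoding. Returns null when parsing fails.
function decodePayloadDroppingUrlSafeChars(token) {
  try {
    const filtered = token.split('.')[1].replace(/[^A-Za-z0-9+\/=]/g, '');
    return JSON.parse(atob(filtered));
  } catch (e) {
    return null;
  }
}

// Corrected path: validate the base64url alphabet, map it back to the
// standard alphabet, restore padding, then return the raw bytes.
function base64UrlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('segment is not valid base64url');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// For display only (user name, expiry): reading claims this way does not
// verify the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three JWT segments');
  const utf8 = new TextDecoder('utf-8', { fatal: true });
  return JSON.parse(utf8.decode(base64UrlToBytes(parts[1])));
}

console.log(SAMPLE_TOKEN.split('.')[1]);
console.log(decodePayloadDroppingUrlSafeChars(SAMPLE_TOKEN));
console.log(decodeJwtPayload(SAMPLE_TOKEN));
```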
