[ https://issues.apache.org/jira/browse/NIFI-13326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17856604#comment-17856604 ]
ASF subversion and git services commented on NIFI-13326:
--------------------------------------------------------
Commit f6735069be6af390b3c80e310244d1391a96890d in nifi's branch
refs/heads/main from Night Gryphon
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=f6735069be ]
NIFI-13326 Fixed JWT Base64 Decoding in NiFi Registry
This closes #8977
Signed-off-by: David Handermann <[email protected]>
> UI web token (JWT) decoding error
> ---------------------------------
>
> Key: NIFI-13326
> URL: https://issues.apache.org/jira/browse/NIFI-13326
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 2.0.0-M2, 2.0.0-M3
> Environment: Linux Ubuntu 22.04
> Reporter: Night Gryphon
> Priority: Major
> Attachments: UI_base64_bug.png
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> With some combinations of JWT contents UI can not decode received JWT because
> different base64 modifications are used by server and client.
> At the server side JWT is generated using URL-SAFE base64 encoding which
> replaces '+' and '/' characters with '-' and '_' respectively.
> But at UI side JWT is decoded with JQuery standard base64 decode function as
> regular non URL-Safe data and '-' and '_' characters are dropped by incoming
> filter which corrupts encoded data.
> The error is within the getJwtPayload() function located at
> * nifi-framework-bundle\nifi-framework\nifi-web\nifi-web-frontend\src\main\nifi\src\app\service\auth.service.ts
> * nifi-registry\nifi-registry-core\nifi-registry-web-ui\src\main\webapp\services\nf-storage.service.js
> Function getJwtPayload() calls JQuery base64 atob() function without
> appropriate JWT data preparation by replacing '-' and '_' characters back to
> '+' and '/'. This causes JWT data loss and JavaScript fails at parsing JWT
> JSON data.
> The example of affected UI script is nf-login-all.js which fails after
> successful user login and receiving token.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
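
The decoding mismatch described in the report, as an added example that is not part of the original message or the NiFi code base. Only the name `getJwtPayload` comes from the report; `base64UrlToBase64`, `getJwtPayloadDroppingUrlSafeChars` (an assumed model of the failing path), `encodeSegment` and the sample token are constructed for illustration. It goes slightly beyond the report by also restoring padding and decoding the bytes as UTF-8.

```javascript
// base64url (RFC 4648 section 5) -> standard base64 with padding restored.
function base64UrlToBase64(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('not a valid base64url segment');
  }
  const standard = segment.replace(/-/g, '+').replace(/_/g, '/');
  return standard + '='.repeat((4 - (standard.length % 4)) % 4);
}

// Reads the claims only; it does not verify the token's signature.
function getJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const binary = atob(base64UrlToBase64(parts[1]));
  // atob() yields one char per byte; decode as UTF-8 so non-ASCII claims survive.
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

// Model (assumption) of the failing path in the report: characters outside the
// standard alphabet are dropped before decoding, so '-' and '_' are lost.
function getJwtPayloadDroppingUrlSafeChars(jwt) {
  const kept = jwt.split('.')[1].replace(/[^A-Za-z0-9+/]/g, '');
  return JSON.parse(atob(kept + '='.repeat((4 - (kept.length % 4)) % 4)));
}

// Constructed sample: the claim value forces both '_' and '-' into the payload.
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const sampleJwt = [
  encodeSegment({ alg: 'HS256' }),
  encodeSegment({ sub: '?ab>' }),
  'constructed-signature', // placeholder, never decoded here
].join('.');

function demo() {
  const segment = sampleJwt.split('.')[1];
  let dropped;
  try { dropped = getJwtPayloadDroppingUrlSafeChars(sampleJwt); }
  catch (err) { dropped = `failed: ${err.name}`; }
  return { segment, fixed: getJwtPayload(sampleJwt), dropped };
}
console.log(demo());
```
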