Feature: Add fallback for pdf() function to use user-based JWT for au…

…thentication if no session is available Deprecation: Deprecates usage of pdf() function in superuser-context (e.g. cronjob or doPrivileged) in favor of user-based context (via doAs())
structr · Feb 20, 2024 · 19d711e · 19d711e
1 parent bbc1dcb
commit 19d711e
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 4 deletions.
diff --git a/structr-base/src/main/java/org/structr/rest/auth/JWTHelper.java b/structr-base/src/main/java/org/structr/rest/auth/JWTHelper.java
@@ -356,17 +356,22 @@ private static boolean refreshTokenTimedOut(String refreshToken) {
 
     private static Map<String, String> createTokensForUserWithSecret(Principal user, Date accessTokenExpirationDate, Date refreshTokenExpirationDate, String instanceName) throws FrameworkException {
 
-        final String secret = Settings.JWTSecret.getValue();
+        final String secret    = Settings.JWTSecret.getValue();
         final String jwtIssuer = Settings.JWTIssuer.getValue();
 
+        if (secret.length() < 32) {
+
+            throw new FrameworkException(500, "The configured secret is too weak (must be at least 32 characters) - see " + Settings.JWTSecret.getKey());
+        }
+
         try {
 
             final Algorithm alg = Algorithm.HMAC256(secret.getBytes(StandardCharsets.UTF_8));
             return createTokens(user, alg, accessTokenExpirationDate, refreshTokenExpirationDate, instanceName, jwtIssuer);
 
         } catch (JWTCreationException ex) {
 
-            throw new FrameworkException(500, "The configured secret is too weak (must be at least 32 characters)");
+            throw new FrameworkException(500, ex.getMessage(), ex);
         }
     }
 

diff --git a/structr-modules/structr-pdf-module/src/main/java/org/structr/pdf/function/PDFFunction.java b/structr-modules/structr-pdf-module/src/main/java/org/structr/pdf/function/PDFFunction.java
@@ -23,11 +23,13 @@
 import com.github.jhonnymertz.wkhtmltopdf.wrapper.configurations.XvfbConfig;
 import com.github.jhonnymertz.wkhtmltopdf.wrapper.params.Param;
 import jakarta.servlet.http.HttpSession;
+import java.util.Calendar;
 import org.eclipse.jetty.server.session.Session;
 import org.structr.api.config.Settings;
 import org.structr.common.error.FrameworkException;
 import org.structr.core.entity.Principal;
 import org.structr.core.entity.SuperUser;
+import org.structr.rest.auth.JWTHelper;
 import org.structr.schema.action.ActionContext;
 import org.structr.schema.action.Function;
 
@@ -105,16 +107,43 @@ public Object apply(ActionContext ctx, Object caller, Object[] sources) throws F
 
 		if (currentUser instanceof SuperUser) {
 
+			logger.warn("Deprecation Warning! Using the pdf() function in a superuser context (e.g. cron job or doPrivileged) is deprecated. In future versions this will result in an error. This can be easily remedied by using the $.doAs() function to create the pdf as a dedicated user.");
+
 			parameterList.add(new Param("--custom-header", "X-User", "superadmin"));
 			parameterList.add(new Param("--custom-header", "X-Password", Settings.SuperUserPassword.getValue()));
 			parameterList.add(new Param("--custom-header-propagation"));
 
 		} else {
 
 			final HttpSession session = ctx.getSecurityContext().getSession();
-			final String sessionId    = (session instanceof Session) ? ((Session) session).getExtendedId() : session.getId();
 
-			parameterList.add(new Param("--cookie", "JSESSIONID", sessionId));
+			if (session != null) {
+
+				final String sessionId = (session instanceof Session) ? ((Session) session).getExtendedId() : session.getId();
+
+				parameterList.add(new Param("--cookie", "JSESSIONID", sessionId));
+
+			} else {
+
+				try {
+
+					// Fallback: Create token for user with minimal lifetime and no refresh token
+					final Calendar accessTokenExpirationDate = Calendar.getInstance();
+					accessTokenExpirationDate.add(Calendar.MINUTE, 1);
+
+					final Map<String, String> tokens = JWTHelper.createTokensForUser(currentUser, accessTokenExpirationDate.getTime(), null);
+
+					parameterList.add(new Param("--cookie", "access_token", tokens.get("access_token")));
+
+				} catch (Throwable t) {
+
+					// only log in error case to reduce verbosity
+					logger.info("pdf(): No session information available and fallback method of creating a JWT for user also failed. Please see log output.");
+
+					// simply re-throw
+					throw t;
+				}
+			}
 		}
 
 		if (userParameter != null) {