Hi Maxim,
can you please provide some more clarification on the security, as currently it doesn't seem to work smoothly:
1) I am using Docker image of Document Editor v4.3.3 (latest available one as of today) and integrating it with our web-based system.
2) I have updated default.json (according to this guide: https://api.onlyoffice.com/editors/signature/) by replacing all "secret" values with my own secret and enabling the security features (by setting all three parameters to "true")
3) I have generated a JWT for the whole config (all values), signed it with the same secret, and added the resulting JWT to the "token" property of the "config" object which is passed to "new DocsAPI.DocEditor(ooEditorDivId, config);"
4) It looks like the "Document editing service" is able to verify the signature of the JWT: once I change the signing key on one end only, the "Document editing service" gives me an error about the token, and when both secret keys are the same, the document loads fine for editing
5) The issue: It seems that the "Document editing service" doesn't use the values from the signed JWT; it continues using the values from the plain "config" object, which could easily be altered on the end-user side (in the end-user's browser).
The issue can be reproduced as follows:
Our Server side (our "Document storage service" implementation):
1) The "config" object is generated and contains values like:
config.editorConfig.user.id = "properUserID";
config.editorConfig.user.name = "Proper User Name";
2) A JWT for the config is generated (over the whole config object) and added to the "token" property:
config.token = getJWT(config);
3) The config object is passed to the end-user browser side;
End-user side:
4) The user loads a page with documents available for editing
5) The user opens the Chrome Developer Console -> Sources -> finds the JS which creates the DocEditor JS object:
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);

Example screenshot: Chrome console, initial state (OO_issue1_image1.jpg)
6) The end user alters this JS file to the following state:
...
config.editorConfig.user.id = "userID-ALTERED";
config.editorConfig.user.name = "User Name - ALTERED";
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);
And instead of "Proper User Name", Document Editor gets "User Name - ALTERED" (the ids got altered as well; just see the console log).

Screenshot with the altered page, result on the page: Chrome console, JS altered (OO_issue1_image2.jpg)
Result on the "Document storage service" end, request to the callback URL: callbackUrl request altered (OO_issue1_image3.jpg)
According to this page:
https://api.onlyoffice.com/editors/security it is stated that:
"ONLYOFFICE Document Server validates the token. The data from the payload are considered valid and is used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed."
So how do I achieve this behavior? Have I missed something?
Thank you in advance for your quick response!