Webvowl viewer doesn't have access anymore to API endpoint

Summary

The WebVOWL viewer no longer has access to the API endpoint because of a problem with the JWT signing key: the key is hardcoded and too short.

What is the current bug behavior?

When clicking the link to view an ontology in WebVOWL you open the following link: GET /api/v1/specification/ontology/{specId}/version/{versionId}/webvowl.

Then you get the following error:

{
    "error": 500,
    "msg": "An error occured. For more information see server log files",
    "notifications": {
        "errors": [],
        "warnings": [],
        "infos": [],
        "successes": [],
        "invariants": [],
        "signals": []
    },
    "html": null
}

What is the expected correct behavior?

301 redirect to configured WebVOWL deployment.

Context information

  • Version info: v2.19.1
  • Environment: all

Relevant logs and/or screenshots

Error/Exception

Type: Lcobucci\JWT\Signer\InvalidKeyProvided
Message: Key provided is shorter than 256 bits, only 128 bits provided
File: /var/www/lib/lcobucci/jwt/src/Signer/InvalidKeyProvided.php
Line: 39
Trace:

#0 /var/www/lib/lcobucci/jwt/src/Signer/Hmac.php(19): Lcobucci\JWT\Signer\InvalidKeyProvided::tooShort(256, 128)
#1 /var/www/lib/lcobucci/jwt/src/Token/Builder.php(119): Lcobucci\JWT\Signer\Hmac->sign('eyJ0eXAiOiJKV1Q...', Object(Lcobucci\JWT\Signer\Key\InMemory))
#2 /var/www/src/SemanticTreehouse/Controller/OntologyController.php(52): Lcobucci\JWT\Token\Builder->getToken(Object(Lcobucci\JWT\Signer\Hmac\Sha256), Object(Lcobucci\JWT\Signer\Key\InMemory))
#3 [internal function]: SemanticTreehouse\Controller\OntologyController->redirectToWebVOWL(Object(Slim\Http\Request), Object(Slim\Http\Response), Array)
#4 /var/www/lib/slim/slim/Slim/Handlers/Strategies/RequestResponse.php(40): call_user_func(Array, Object(Slim\Http\Request), Object(Slim\Http\Response), Array)
#5 /var/www/lib/slim/slim/Slim/Route.php(281): Slim\Handlers\Strategies\RequestResponse->__invoke(Array, Object(Slim\Http\Request), Object(Slim\Http\Response), Array)
#6 /var/www/lib/slim/slim/Slim/MiddlewareAwareTrait.php(117): Slim\Route->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response))
#7 /var/www/lib/slim/slim/Slim/Route.php(268): Slim\Route->callMiddlewareStack(Object(Slim\Http\Request), Object(Slim\Http\Response))
#8 /var/www/lib/slim/slim/Slim/App.php(503): Slim\Route->run(Object(Slim\Http\Request), Object(Slim\Http\Response))
#9 /var/www/lib/ampersandtarski/prototype/src/Ampersand/API/Middleware/LogPerformanceMiddleware.php(26): Slim\App->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response))
#10 [internal function]: Ampersand\API\Middleware\LogPerformanceMiddleware->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Slim\App))
#11 /var/www/lib/slim/slim/Slim/DeferredCallable.php(57): call_user_func_array(Object(Ampersand\API\Middleware\LogPerformanceMiddleware), Array)
#12 [internal function]: Slim\DeferredCallable->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Slim\App))
#13 /var/www/lib/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func(Object(Slim\DeferredCallable), Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Slim\App))
#14 /var/www/lib/ampersandtarski/prototype/src/Ampersand/API/Middleware/InitAmpersandAppMiddleware.php(54): Slim\App->Slim\{closure}(Object(Slim\Http\Request), Object(Slim\Http\Response))
#15 [internal function]: Ampersand\API\Middleware\InitAmpersandAppMiddleware->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#16 /var/www/lib/slim/slim/Slim/DeferredCallable.php(57): call_user_func_array(Object(Ampersand\API\Middleware\InitAmpersandAppMiddleware), Array)
#17 [internal function]: Slim\DeferredCallable->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#18 /var/www/lib/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func(Object(Slim\DeferredCallable), Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#19 /var/www/lib/ampersandtarski/prototype/src/Ampersand/API/Middleware/PostMaxSizeMiddleware.php(27): Slim\App->Slim\{closure}(Object(Slim\Http\Request), Object(Slim\Http\Response))
#20 [internal function]: Ampersand\API\Middleware\PostMaxSizeMiddleware->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#21 /var/www/lib/slim/slim/Slim/DeferredCallable.php(57): call_user_func_array(Object(Ampersand\API\Middleware\PostMaxSizeMiddleware), Array)
#22 [internal function]: Slim\DeferredCallable->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#23 /var/www/lib/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func(Object(Slim\DeferredCallable), Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#24 /var/www/lib/ampersandtarski/prototype/src/Ampersand/API/Middleware/JsonRequestParserMiddleware.php(22): Slim\App->Slim\{closure}(Object(Slim\Http\Request), Object(Slim\Http\Response))
#25 [internal function]: Ampersand\API\Middleware\JsonRequestParserMiddleware->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#26 /var/www/lib/slim/slim/Slim/DeferredCallable.php(57): call_user_func_array(Object(Ampersand\API\Middleware\JsonRequestParserMiddleware), Array)
#27 [internal function]: Slim\DeferredCallable->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#28 /var/www/lib/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func(Object(Slim\DeferredCallable), Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#29 /var/www/lib/ampersandtarski/prototype/src/Ampersand/API/Middleware/LogPerformanceMiddleware.php(26): Slim\App->Slim\{closure}(Object(Slim\Http\Request), Object(Slim\Http\Response))
#30 [internal function]: Ampersand\API\Middleware\LogPerformanceMiddleware->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#31 /var/www/lib/slim/slim/Slim/DeferredCallable.php(57): call_user_func_array(Object(Ampersand\API\Middleware\LogPerformanceMiddleware), Array)
#32 [internal function]: Slim\DeferredCallable->__invoke(Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#33 /var/www/lib/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func(Object(Slim\DeferredCallable), Object(Slim\Http\Request), Object(Slim\Http\Response), Object(Closure))
#34 /var/www/lib/slim/slim/Slim/MiddlewareAwareTrait.php(117): Slim\App->Slim\{closure}(Object(Slim\Http\Request), Object(Slim\Http\Response))
#35 /var/www/lib/slim/slim/Slim/App.php(392): Slim\App->callMiddlewareStack(Object(Slim\Http\Request), Object(Slim\Http\Response))
#36 /var/www/lib/slim/slim/Slim/App.php(297): Slim\App->process(Object(Slim\Http\Request), Object(Slim\Http\Response))
#37 /var/www/bootstrap/framework.php(186): Slim\App->run()
#38 /var/www/public/api/v1/index.php(3): require_once('/var/www/bootst...')
#39 {main}

Possible fixes

Fix the TODO in AbstractController::__construct().

We can use the environment variable STH_SECRET_HASHKEY here; it is intended for exactly this type of usage and is already used in IdentityProviderFactory::getStateToken().

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Psr\Container\ContainerInterface;

abstract class AbstractController extends \Ampersand\Controller\AbstractController
{
    protected $jwtConf;

    public function __construct(ContainerInterface $container)
    {
        parent::__construct($container);

        // Symmetric HMAC-SHA256 signing. The 16-character literal below is only
        // 128 bits, which is why Hmac::sign() throws InvalidKeyProvided::tooShort(256, 128).
        $this->jwtConf = Configuration::forSymmetricSigner(
            new Sha256(),
            InMemory::plainText('QlMbMDxOhv6nhtt2') // TODO: get from environment var
        );
    }
}
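A hardened version of the constructor, as an added example that is not the project's own code: it reads the secret from STH_SECRET_HASHKEY and refuses to construct the controller when the variable is missing or shorter than 256 bits, so a misconfiguration surfaces at startup instead of as the 500 shown above on the first WebVOWL redirect. The loadSigningKey() helper, the MIN_KEY_BYTES constant and the lcobucci/jwt v4 class names are assumptions.

```php
<?php
declare(strict_types=1);

namespace SemanticTreehouse\Controller;

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Key\InMemory;
use Psr\Container\ContainerInterface;
use RuntimeException;

abstract class AbstractController extends \Ampersand\Controller\AbstractController
{
    // HMAC-SHA256 needs at least a 256-bit key; lcobucci/jwt enforces this in Hmac::sign().
    private const MIN_KEY_BYTES = 32; // hypothetical name, added for this example

    protected Configuration $jwtConf;

    public function __construct(ContainerInterface $container)
    {
        parent::__construct($container);

        // Key material comes from the deployment environment, never from source control,
        // so a copy of the repository does not double as a copy of the signing key.
        $this->jwtConf = Configuration::forSymmetricSigner(new Sha256(), self::loadSigningKey());
    }

    // Hypothetical helper: validate the secret once, at construction time.
    private static function loadSigningKey(): Key
    {
        $secret = getenv('STH_SECRET_HASHKEY');
        if ($secret === false || $secret === '') {
            throw new RuntimeException('STH_SECRET_HASHKEY is not set; refusing to sign JWTs without a secret');
        }
        if (strlen($secret) < self::MIN_KEY_BYTES) {
            throw new RuntimeException(sprintf(
                'STH_SECRET_HASHKEY is %d bits, HMAC-SHA256 requires at least %d bits',
                strlen($secret) * 8,
                self::MIN_KEY_BYTES * 8
            ));
        }
        return InMemory::plainText($secret);
    }
}
```

A suitable value can be generated with `php -r 'echo bin2hex(random_bytes(32));'`, which yields 64 hex characters (512 bits of ASCII, 256 bits of entropy) and clears the length check with room to spare.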