This issue was moved to a discussion.
[BUG] Error: Invalid document signature #890

Closed
Sabareesh-LD opened this issue Mar 14, 2024 · 2 comments

@Sabareesh-LD

Hi,

Could you help me fix this issue? I have checked the previous issues that were raised about the same problem and tried to fix it with the solution given there, but it doesn't help me. I am developing SAML auth in NestJS.

Error:

Error: Invalid document signature
at SAML.validatePostResponseAsync (/var/task/node_modules/@node-saml/node-saml/lib/saml.js:510:23)
at processTicksAndRejections (node:internal/process/task_queues:95:5)

Versions:
Node: v18.16.0
NestJs: 9.5.0
@node-saml/passport-saml: "^4.0.4"

Previous bugs: #859, #839

Code:
AuthController

import { Controller, Get, Post, Req, Res, UseGuards, HttpException } from '@nestjs/common';
import { ConfigService } from '@nestjs/config';
import { Request, Response } from 'express';
import { SamlAuthGuard } from './saml-auth.guard';
import { AuthService } from './auth.service';

// The 'auth' route prefix is taken from the callbackUrl configured in the strategy;
// the two local import paths above are assumed, not given in the report.
@Controller('auth')
export class AuthController {
  constructor(
    private readonly authService: AuthService,
    private readonly config: ConfigService,
  ) {}

  @Get('staff/sso/login')
  @UseGuards(SamlAuthGuard)
  async staffSsoLogin() {
    debugger;
    // this route is handled by passport-saml: the guard redirects to the IdP entryPoint
    return;
  }

  @Post('staff/sso/callback')
  @UseGuards(SamlAuthGuard)
  async staffSsoCallBack(@Req() req: Request, @Res() res: Response) {
    // console.log(req);
    console.log(req.isAuthenticated());
    // console.log(req.user);
    try {
      if (req.isAuthenticated()) {
        const { token } = await this.authService.redirectUrl(req.user);
        return res.redirect(`${this.config.get('HOME_PAGE_URL')}?jwt=${token}`);
      }
    } catch (error) {
      throw new HttpException('Something went wrong', 404);
    }
  }
}

SamlAuthGuard

import { Injectable } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';

@Injectable()
export class SamlAuthGuard extends AuthGuard('saml') {}

SamlStrategy

import { PassportStrategy } from '@nestjs/passport';
import { ForbiddenException, Injectable } from '@nestjs/common';
import { Strategy, Profile } from '@node-saml/passport-saml';
import { ConfigService } from '@nestjs/config';

@Injectable()
export class SamlStrategy extends PassportStrategy(Strategy) {
  constructor(readonly config: ConfigService,) {
    super({
      // string values quoted as the strategy options require; redacted parts kept as posted
      issuer: 'htps://ecommerce.vercel.app',
      callbackUrl: 'https://middleware.vercel.app/auth/staff/sso/login',
      cert: 'MIIC8DCCAdigAwIBAgIQbLt67pz97K1Efdf************************************************mRe72OP9TkB2gWRNZYVpwvjFiWjwFvMEtb5pp1hSnfRRsDkU96pqPPWJ739T21rWx8Sq8LPOQZo/nMwsI/KFpGeXqEons/nh5NlJndP3Hzj6cS3MOQzg5hwSO3z',
      entryPoint: 'https://login.microsoftonline.com/***********-********-*******/saml2',
      wantAssertionsSigned: false,
      wantAuthnResponseSigned: false,
    });
  }

  async validate(profile: Profile) {
    try {
      const User = {
        firstName: profile.firstName as string,
        lastName: profile.lastName as string,
        email: profile.email as string,
        nameID: profile.nameID as string,
        issuer: profile.issuer as string,
        phone: profile.phone as string,
      };
      return User;
    } catch (e) {
      throw new ForbiddenException('invalid user attributes');
    }
  }
}

I am not sure where I am missing something, or how to debug and fix it.

@srd90

srd90 commented Mar 14, 2024

Based on your example code, you are trying to configure node-saml with wantAuthnResponseSigned: false.

Stacktrace that you posted

Error: Invalid document signature
at SAML.validatePostResponseAsync (/var/task/node_modules/@node-saml/node-saml/lib/saml.js:510:23)

comes from these JS lines of the @node-saml/node-saml library:

if (this.options.wantAuthnResponseSigned === true && validSignature === false) {
    throw new Error("Invalid document signature");
}

see: https://www.npmjs.com/package/@node-saml/node-saml/v/4.0.5?activeTab=code and lib/saml.js line 510

And if you search the @node-saml/node-saml codebase using the information in the stack trace, you will see these TS lines:

if (this.options.wantAuthnResponseSigned === true && validSignature === false) {
  throw new Error("Invalid document signature");
}

https://github.com/node-saml/node-saml/blob/v4.0.5/src/saml.ts#L695-L697

If wantAuthnResponseSigned had had the value false, then from node-saml's point of view a missing or invalid document-level signature would have been a "soft error", and it would have proceeded to check whether the assertion is signed.

Use e.g. a step debugger to find out why your effective node-saml configuration is not what you want it to be.
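The decision path described in the comment above, as an added TypeScript example (not node-saml's own code and not the reporter's): a model of the two-level signature check, so the effect of wantAuthnResponseSigned and wantAssertionsSigned can be seen without an IdP. Only the document-level condition is quoted in this thread; the assertion-level fallback and the defaults applied to unset options are my reading of node-saml 4.x, and the type and function names are mine.

```typescript
// Added example, not node-saml's own code. It models the signature policy that
// node-saml 4.x applies to a POST-bound <samlp:Response>, so the effect of the
// wantAuthnResponseSigned / wantAssertionsSigned options can be seen without an IdP.
// Assumptions (my reading of node-saml 4.x, not quoted in the thread):
//   - both options default to true when left unset;
//   - when the envelope signature is missing or invalid and wantAuthnResponseSigned
//     is false, the assertion itself must then carry a valid signature.
// Type and function names below are mine.

export interface SignaturePolicyOptions {
  wantAuthnResponseSigned?: boolean;
  wantAssertionsSigned?: boolean;
}

export interface ObservedSignatures {
  // true iff the <samlp:Response> envelope carries a signature that verifies
  responseSignatureValid: boolean;
  // true iff the <saml:Assertion> carries a signature that verifies
  assertionSignatureValid: boolean;
}

export interface Verdict {
  ok: boolean;
  error: string | null;
}

// Fill in the (assumed) node-saml 4.x defaults so the effective configuration
// is explicit. This is the first thing to compare against the options you
// believe you passed to the Strategy when the thrown error does not match them.
export function effectiveOptions(
  opts: SignaturePolicyOptions,
): Required<SignaturePolicyOptions> {
  return {
    wantAuthnResponseSigned: opts.wantAuthnResponseSigned ?? true,
    wantAssertionsSigned: opts.wantAssertionsSigned ?? true,
  };
}

export function evaluateSignatures(
  opts: SignaturePolicyOptions,
  seen: ObservedSignatures,
): Verdict {
  const eff = effectiveOptions(opts);

  // Document-level check: the condition behind the stack trace in this thread.
  if (eff.wantAuthnResponseSigned === true && seen.responseSignatureValid === false) {
    return { ok: false, error: "Invalid document signature" };
  }

  // Assertion-level check: required when explicitly demanded, and also as the
  // fallback whenever the envelope was not validly signed (the "soft error" path).
  // Consequence: setting both options to false still never accepts a response
  // in which neither the envelope nor the assertion is signed.
  const assertionMustBeSigned = eff.wantAssertionsSigned || !seen.responseSignatureValid;
  if (assertionMustBeSigned && !seen.assertionSignatureValid) {
    return { ok: false, error: "Invalid signature" };
  }
  return { ok: true, error: null };
}

// Walk a configuration through the four possible signature combinations;
// returns one line per case.
export function signatureMatrix(opts: SignaturePolicyOptions): string[] {
  const rows: string[] = [];
  for (const responseSignatureValid of [true, false]) {
    for (const assertionSignatureValid of [true, false]) {
      const v = evaluateSignatures(opts, { responseSignatureValid, assertionSignatureValid });
      rows.push(
        `response=${responseSignatureValid} assertion=${assertionSignatureValid} -> ` +
          (v.ok ? "accepted" : `rejected: ${v.error}`),
      );
    }
  }
  return rows;
}

// Constructed sample: the two flags from the strategy in the issue, and an
// empty options object to show what the assumed defaults do.
const reporterOptions: SignaturePolicyOptions = {
  wantAssertionsSigned: false,
  wantAuthnResponseSigned: false,
};
console.log(signatureMatrix(reporterOptions).join("\n"));
console.log(signatureMatrix({}).join("\n"));
```

With the reporter's flags an unsigned envelope is accepted only when the assertion is signed, and "Invalid document signature" is never produced; with an empty options object it is produced for every unsigned envelope. If the running application throws it despite the flags in the source file, log the options object at the point where the Strategy constructor actually receives it and compare it with effectiveOptions of what you intended, which is the mismatch the comment above tells you to look for with a step debugger.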

@srd90

srd90 commented Mar 16, 2024

@Sabareesh-LD By the way, why did you report this #890 as an issue/bug instead of using Discussions? You said yourself in the issue report that you are seeking debugging help, and the content of your bug report doesn't show any indication of a bug in node-saml / passport-saml.

@node-saml node-saml locked and limited conversation to collaborators Mar 25, 2024
@cjbarth cjbarth converted this issue into discussion #892 Mar 25, 2024
