[BUG] Error: Invalid document signature
Sabareesh-LD opened this issue · comments
Hi,
Could you guys help me fix this issue? I have checked the previous issues that were raised about the same problem and tried to fix it with the solution given, but it doesn't help me. I am developing the SAML auth in NestJS.
Error:
Error: Invalid document signature
at SAML.validatePostResponseAsync (/var/task/node_modules/@node-saml/node-saml/lib/saml.js:510:23)
at processTicksAndRejections (node:internal/process/task_queues:95:5)
Versions:
Node: v18.16.0
NestJs: 9.5.0
@node-saml/passport-saml: "^4.0.4"
Code:
AuthController
import { Controller, Get, Post, UseGuards, Req, Res, HttpException } from '@nestjs/common';
import { ConfigService } from '@nestjs/config';
import { Request, Response } from 'express';
// import paths and the 'auth' route prefix are assumed (the prefix is taken from the callbackUrl below)
import { SamlAuthGuard } from './saml-auth.guard';
import { AuthService } from './auth.service';

@Controller('auth')
export class AuthController {
  constructor(
    private readonly authService: AuthService,
    private readonly config: ConfigService,
  ) {}

  @Get('staff/sso/login')
  @UseGuards(SamlAuthGuard)
  async staffSsoLogin() {
    debugger;
    // this route is handled by passport-saml (the guard redirects to the IdP entryPoint)
    return;
  }

  @Post('staff/sso/callback')
  @UseGuards(SamlAuthGuard)
  async staffSsoCallBack(@Req() req: Request, @Res() res: Response) {
    // console.log(req);
    console.log(req.isAuthenticated());
    // console.log(req.user);
    try {
      if (req.isAuthenticated()) {
        const { token } = await this.authService.redirectUrl(req.user);
        return res.redirect(`${this.config.get('HOME_PAGE_URL')}?jwt=${token}`);
      }
    } catch (error) {
      throw new HttpException('Something went wrong', 404);
    }
  }
}
SamlAuthGuard
import { Injectable } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';
@Injectable()
export class SamlAuthGuard extends AuthGuard('saml') {}
SamlStrategy
import { PassportStrategy } from '@nestjs/passport';
import { ForbiddenException, Injectable } from '@nestjs/common';
import { Strategy, Profile } from '@node-saml/passport-saml';
import { ConfigService } from '@nestjs/config';

@Injectable()
export class SamlStrategy extends PassportStrategy(Strategy) {
  constructor(readonly config: ConfigService) {
    super({
      issuer: 'https://ecommerce.vercel.app',
      callbackUrl: 'https://middleware.vercel.app/auth/staff/sso/login',
      // IdP signing certificate, redacted in the original report
      cert: 'MIIC8DCCAdigAwIBAgIQbLt67pz97K1Efdf************************************************mRe72OP9TkB2gWRNZYVpwvjFiWjwFvMEtb5pp1hSnfRRsDkU96pqPPWJ739T21rWx8Sq8LPOQZo/nMwsI/KFpGeXqEons/nh5NlJndP3Hzj6cS3MOQzg5hwSO3z',
      // tenant id redacted in the original report
      entryPoint: 'https://login.microsoftonline.com/***********-********-*******/saml2',
      wantAssertionsSigned: false,
      wantAuthnResponseSigned: false,
    });
  }

  async validate(profile: Profile) {
    try {
      const User = {
        firstName: profile.firstName as string,
        lastName: profile.lastName as string,
        email: profile.email as string,
        nameID: profile.nameID as string,
        issuer: profile.issuer as string,
        phone: profile.phone as string,
      };
      return User;
    } catch (e) {
      throw new ForbiddenException('invalid user attributes');
    }
  }
}
I am not sure where I am missing something or how to debug and fix it.
Based on your example code you try to configure node-saml with wantAuthnResponseSigned: false.

The stack trace that you posted

Error: Invalid document signature at SAML.validatePostResponseAsync (/var/task/node_modules/@node-saml/node-saml/lib/saml.js:510:23)

comes from these JS lines of the @node-saml/node-saml library:

if (this.options.wantAuthnResponseSigned === true && validSignature === false) {
  throw new Error("Invalid document signature");
}

see https://www.npmjs.com/package/@node-saml/node-saml/v/4.0.5?activeTab=code, lib/saml.js line 510.

And if you search the @node-saml/node-saml codebase with the information provided in the stack trace you will see these TS lines:

if (this.options.wantAuthnResponseSigned === true && validSignature === false) {
  throw new Error("Invalid document signature");
}

https://github.com/node-saml/node-saml/blob/v4.0.5/src/saml.ts#L695-L697

If wantAuthnResponseSigned had had the value false, node-saml would have considered a missing or invalid document-level signature a "soft error" and proceeded to check whether the assertion is signed.
Use e.g. step debugger to find out why your effective node-saml configuration is not what you want it to be.
@Sabareesh-LD btw. why did you report this #890 as an issue/bug instead of using discussions? You said it yourself in the issue report that you are seeking debug help, and the content of your bug report doesn't seem to have any indication of a bug related to node-saml / passport-saml.
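As an added example for this thread (not code from the issue author, the maintainer, or node-saml itself), the following TypeScript models the two-level "hard error vs soft error" signature decision the reply describes. Only the document-level condition is the one quoted from lib/saml.js line 510 / src/saml.ts#L695-L697. Everything else is an assumption made for this example: the `true` defaults for both options, and the assertion-level fallback rule (an assertion-level signature is required whenever `wantAssertionsSigned` is true or the document-level signature did not verify, so that at least one signature is always demanded). The names `decideSignature`, `decisionTable`, `issueConfig` and `strictConfig` are chosen here and do not exist in the library. The point it shows: the error in the stack trace is only reachable when `wantAuthnResponseSigned` is effectively true, and a config with both options false still rejects a response whose assertion is unsigned (under the assumed fallback rule).

```typescript
// Added example for this thread: a model of the "hard error vs soft error"
// signature decision discussed above. It is NOT node-saml's code; only the
// document-level condition is taken verbatim from the quoted lines. The
// assertion-level fallback rule and the `true` defaults are assumptions.

interface SignatureOptions {
  wantAuthnResponseSigned?: boolean;
  wantAssertionsSigned?: boolean;
}

interface SignatureState {
  // true when the <Response>-level <ds:Signature> verified against the IdP cert
  responseSignatureValid: boolean;
  // true when the <Assertion>-level <ds:Signature> verified against the IdP cert
  assertionSignatureValid: boolean;
}

interface Decision {
  ok: boolean;
  error: string | null;
}

function decideSignature(options: SignatureOptions, state: SignatureState): Decision {
  // Assumed defaults: require both signatures unless explicitly turned off.
  const wantAuthnResponseSigned = options.wantAuthnResponseSigned ?? true;
  const wantAssertionsSigned = options.wantAssertionsSigned ?? true;
  const validSignature = state.responseSignatureValid;

  // Document-level check, as quoted from lib/saml.js line 510 / src/saml.ts#L695.
  if (wantAuthnResponseSigned === true && validSignature === false) {
    return { ok: false, error: "Invalid document signature" };
  }

  // Soft-error path (assumed rule): the document signature is absent or invalid
  // but not required, so the assertion must carry a valid signature of its own.
  if ((wantAssertionsSigned || !validSignature) && !state.assertionSignatureValid) {
    return { ok: false, error: "Invalid signature" };
  }

  return { ok: true, error: null };
}

// Enumerate all four signed/unsigned combinations for a given configuration,
// which is the quickest way to see what a configuration actually lets through.
function decisionTable(options: SignatureOptions): Record<string, Decision> {
  const table: Record<string, Decision> = {};
  for (const responseSignatureValid of [true, false]) {
    for (const assertionSignatureValid of [true, false]) {
      const key =
        `response=${responseSignatureValid ? "signed" : "unsigned"},` +
        `assertion=${assertionSignatureValid ? "signed" : "unsigned"}`;
      table[key] = decideSignature(options, { responseSignatureValid, assertionSignatureValid });
    }
  }
  return table;
}

// The configuration from the issue report next to a strict one (constructed here).
const issueConfig: SignatureOptions = { wantAuthnResponseSigned: false, wantAssertionsSigned: false };
const strictConfig: SignatureOptions = { wantAuthnResponseSigned: true, wantAssertionsSigned: true };

// The reporter's error is only produced when wantAuthnResponseSigned is
// effectively true and the response-level signature did not verify.
const observedError = decideSignature(
  { wantAuthnResponseSigned: true, wantAssertionsSigned: false },
  { responseSignatureValid: false, assertionSignatureValid: true },
).error; // "Invalid document signature"

console.log("issue config:", JSON.stringify(decisionTable(issueConfig), null, 2));
console.log("strict config:", JSON.stringify(decisionTable(strictConfig), null, 2));
console.log("observed error:", observedError);
```

Note that "signature valid" in the model stands for a signature that verified against the configured IdP certificate; a response that is signed with some other key counts as unsigned for this decision, so a stale or wrong `cert` value produces the same "Invalid document signature" as a missing signature. Step through `decideSignature` with the options object your strategy actually passes to `super()` to confirm which branch you are hitting.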