Broken OnlyOffice in Seafile CE 8.0.2

Installing 8.0.2 broke my OnlyOffice integration. Trying to open any document leads to: “Sicherheitstoken des Dokuments ist nicht korrekt. Wenden Sie sich an Ihren Systemadministrator” (in english: “The documents security token is not correct. Please contact your system administrator.”

The security token is defined in seahub_settings.py:
# Enable Only Office
ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = True
ONLYOFFICE_APIJS_URL = ‘https://mydomain.mydyndns.com/onlyofficeds/web-apps/apps/api/documents/api.js’
ONLYOFFICE_FILE_EXTENSION = (‘doc’, ‘docx’, ‘ppt’, ‘pptx’, ‘xls’, ‘xlsx’, ‘odt’, ‘fodt’, ‘odp’, ‘fodp’, ‘ods’, ‘fods’)
ONLYOFFICE_EDIT_FILE_EXTENSION = (‘docx’, ‘pptx’, ‘xlsx’)
ONLYOFFICE_JWT_SECRET = ‘mySecret’

For OnlyOffice I use a custom local.json where the security token is defined:
{
“services”: {
“CoAuthoring”: {
“sql”: {
“type”: “postgres”,
“dbHost”: “localhost”,
“dbPort”: “5432”,
“dbName”: “onlyoffice”,
“dbUser”: “onlyoffice”,
“dbPass”: “onlyoffice”
},
“redis”: {
“host”: “localhost”
},
“token”: {
“enable”: {
“request”: {
“inbox”: true,
“outbox”: true
},
“browser”: true
},
“inbox”: {
“header”: “Authorization”
},
“outbox”: {
“header”: “Authorization”
}
},
“secret”: {
“inbox”: {
“string”: “mySecret”
},
“outbox”: {
“string”: “mySecret”
},
“session”: {
“string”: “mySecret”
}
}
}
},
“rabbitmq”: {
“url”: “amqp://guest:guest@localhost”
}
}

OnlyOffice docker is started like this:
sudo docker run -dit -p 88:80 -v /home/seafile/conf/local.json:/etc/onlyoffice/documentserver/local.json --restart always --name oods onlyoffice/documentserver

Deactivating the security token brings OnlyOffice back to life, but of course I’m not keen on leaving the access unsecured.

Where should I start investigating?

Can confirm the same issue. Upgrading to 8.0.2 breaks OnlyOffice handling if using a security token.

1 Like

Good to hear that it seems to be a general problem. Did you find any solution?

Not yet. For now, I’ve disabled the security token (my onlyoffice installation is protected by other means so it’s not critical)

I see. Can you give me a hint on how to secure my installation without token?

In my case, everything is behind an nginx reverse proxy, and access controlled by Lemonldap NG websso

A nginx reverse proxy is what I’ve already in use. But in my configuration the document servers undisclosed port is mapped to a subdirectory which is accessible over the inernet:
location /onlyofficeds {
proxy_pass http://127.0.0.1:88/;

Would it be possible to skip this and set localhost:88 as ONLYOFFICE_APIJS_URL in seahub_settings.py?

@Tjelfe and @dani

Ok, I thought I was like LukeSkyWalker in front of the elements…

Meanwhile I filed an issue: https://github.com/haiwen/seafile/issues/2417