Support Token Authentication Valve group_work

Summary

This patch release focuses on accessibility, UX polish, security hardening of log output, and test stability. There are no breaking API or behavioral changes for end users; existing tokens and integrations continue to work unchanged.

Highlights

Accessibility (WCAG 2.1 AA / 2 AAA)

• Resolved WCAG 2.1 AA issues in the admin UI: CRIT-01 (aria-hidden on error span breaking aria-describedby), MAJOR-02 through MAJOR-08, and MIN-05/MIN-06/MIN-12 (commits 8c5302d, 8921985).

• Improved color contrast to meet WCAG 2 AAA enhanced contrast (SC 1.4.6): success alert text darkened from #2e7d32 (4.55:1) to #155724 (7.71:1) on #e8f5e9 background (commit 64479d4).
• Updated locale strings (en.json) to support the improved accessible markup.

UX

• Added stable DOM ids to the Clear All confirmation and Cancel dialog buttons to facilitate automation and assistive tech (commit 3d8686a).

Security

• Hardened log sanitization in SupportTokenAuthenticationValve to prevent log injection (commit 11ed610):
  • Strip all ISO control characters from username before logging (previously only CR/LF).
  • Use parameterized logging in the RepositoryException catch block.

Changes since 3.0.0

Upgrade notes

• Drop-in replacement for 3.0.0. No configuration or migration steps required.

• Custom CSS overrides on .st_alert--success color should be reviewed if they relied on the previous green shade.

Full Changelog: 3_0_0...3_0_1

Admin UI

Navigate to Administration → Users and Roles → Support Token Authentication (server level) or the equivalent entry under site settings.

1. Enter a username (and optionally a site key for site-scoped users) and click Search.
2. Existing tokens are listed with their creation date, recipient, description, and expiration.
3. Fill in Recipient email, optional Description, and Expiration (minutes), then click Create Token.
4. The generated token is shown once in a copy box — copy it before navigating away.
5. Use Clear All Tokens to remove all tokens for the user.

Karaf Shell

support-token:create

Creates a token for a user.

support-token:create -u root -r support@jahia.com -e 120 -d "Bug JAHIA-1234"

support-token:list

Lists all tokens for a user (metadata only — the raw token is never stored or shown).

support-token:list -u root

support-token:clear

Removes all tokens for a user.

support-token:clear -u root

GraphQL API

All operations require admin permission.

Query — list tokens

query {
    supportTokenListTokens(username: "root") {
        createdDate
        recipient
        expiration
        description
    }
}

Returns null if the user does not exist, or an empty array if the user has no tokens.

Mutation — create token

mutation {
    supportTokenCreate(
        username: "root"
        recipient: "support@jahia.com"
        description: "Bug JAHIA-1234"
        expiration: 120
    )
}

Returns the raw token string on success, or null on failure. Store it immediately — it cannot be retrieved again.

Mutation — clear all tokens

mutation {
    supportTokenClearAll(username: "root")
}

Returns true on success.

Authentication

Once a token is created, use it to log in via the standard Jahia login form or HTTP POST:

POST /cms/login
username=<user>&password=<token>&site=<siteKey>&doLogin=true

The token is valid for expiration minutes from its creation time.

Development

Build

mvn clean install

The frontend-maven-plugin installs Node/Yarn and builds the React bundle automatically.

For frontend-only development:

yarn install
yarn build          # development build
yarn build:production
yarn lint

Tests

Tests run inside Docker. From the tests/ directory:

cp .env.example .env
# Edit .env: set JAHIA_IMAGE, JAHIA_LICENSE, SUPER_USER_PASSWORD
docker compose up --abort-on-container-exit

Cypress results are written to tests/results/.

Security Notes

• Raw tokens are never persisted. Only their bcrypt hash is stored in JCR.
• Expired tokens are kept in JCR as audit records but rejected at login. Use Clear All Tokens to purge them.
• The token management UI is inaccessible to sessions that are themselves authenticated with a support token (blocked at the auth valve level via the session attribute).

• In Jahia, go to "Administration --> Server settings --> System components --> Modules"
• Upload the JAR support-token-authentication-valve-X.X.X.jar
• Check that the module is started
• Make sure the Mail server is configured and activated in the administration

MIT License

Copyright (c) 2019 - present Florent Bourassé

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.