Aller au contenu principal
Jahia Store
FR

Support Token Authentication Valve

community
Télécharger 3.1.1

Informations

Identifiant du module
support-token-authentication-valve
Identifiant de groupe
org.jahia.community
Statut
community
Catégorie
Authentication
Auteur
Florent BOURASSE
Site web du développeur
http://www.jahia.com
Nécessite Jahia
8.2.2.1
Mis à jour
2026-07-09
Source
scm:git:git@github.com:Jahia/support-token-authentication-valve.git
Étiquettes
  • cloud
  • support

The purpose of this module is to create a temporary token for a user that will be used by a Support Team to login. This way, it's not needed to disclose the real password (when it's known).

Captures d'écran

Versions

Maintenance and feature release: fine-grained access control, admin-UI polish, a key authentication fix for privileged users, and additional security hardening. Compatible with Jahia 8.2.

⚠️ Breaking change — GraphQL API

GraphQL operations are now grouped under a single supportToken namespace instead of flat root fields. Update your queries and mutations:

Before

query    { supportTokenListTokens(username: "jdoe") { recipient expiration } } mutation { supportTokenCreate(username: "jdoe", recipient: "support@acme.com") } mutation { supportTokenClearAll(username: "jdoe") }

 

After

query    { supportToken { listTokens(username: "jdoe") { recipient expiration } } } mutation { supportToken { create(username: "jdoe", recipient: "support@acme.com") } } mutation { supportToken { clearAll(username: "jdoe") } }

 

✨ Features

  • Fine-grained RBAC — a module-specific supportTokenAdmin permission and an assignable support-token-authentication-valve-administrator role let you delegate token administration without granting full server admin. (#13, #14)
  • Admin UI improvements
    • Active and expired tokens are now shown in separate tables, each sorted newest-first.
    • The panel has a proper vertical scrollbar anchored to the window edge, so long token lists stay reachable.
    • The Create new token form now appears above the token tables.

🐛 Fixes

  • Login with a generated token now works for ACL-restricted users (notably root). The valve previously read the token history using the login request's unprivileged session, so protected user nodes failed verification and were rejected with BAD_PASSWORD — even though creation succeeded. It now reads through a JCR system session, consistent with the rest of the module.
  • Audit notification email now shows the correct expiration date.
  • Token nodes no longer carry jmix:publication / jmix:autoPublish.
  • Corrected a misleading warning message in the support-token:list Karaf command.

🔒 Security & hardening

  • Token expiry now fails closed — a token with a missing or non-positive expiration is treated as expired, never permanent.
  • Sessions established via a support token are flagged and blocked from token-management operations (create/clear).
  • No misleading "success" response when the target user does not exist.
  • Pinned vulnerable transitive dependencies (#22); bumped test dependencies (tmp, qs, uuid).

✅ Tests & quality

  • New end-to-end coverage for token login — valid token, expired token, wrong token, no-token, and the root regression case.
  • Regression tests for the fine-grained permission gate. (#14)
  • Resolved residual SonarQube issues. (#15)

Full changelog: 3_0_1...3_1_1

Nécessite Jahia 8.2.2.1Mis à jour 2026-07-09

Summary

This patch release focuses on accessibility, UX polish, security hardening of log output, and test stability. There are no breaking API or behavioral changes for end users; existing tokens and integrations continue to work unchanged.

Highlights

Accessibility (WCAG 2.1 AA / 2 AAA)

  • Resolved WCAG 2.1 AA issues in the admin UI: CRIT-01 (aria-hidden on error span breaking aria-describedby), MAJOR-02 through MAJOR-08, and MIN-05/MIN-06/MIN-12 (commits 8c5302d8921985).

  • Improved color contrast to meet WCAG 2 AAA enhanced contrast (SC 1.4.6): success alert text darkened from #2e7d32 (4.55:1) to #155724 (7.71:1) on #e8f5e9 background (commit 64479d4).
  • Updated locale strings (en.json) to support the improved accessible markup.

UX

  • Added stable DOM ids to the Clear All confirmation and Cancel dialog buttons to facilitate automation and assistive tech (commit 3d8686a).

Security

  • Hardened log sanitization in SupportTokenAuthenticationValve to prevent log injection (commit 11ed610):
    • Strip all ISO control characters from username before logging (previously only CR/LF).
    • Use parameterized logging in the RepositoryException catch block.

Changes since 3.0.0

Commit Type Description
11ed610 security Harden log sanitization in support token auth valve
1b90aea test Update Cypress tests for confirmation dialog; regenerate yarn.lock
3d8686a feat Add ids to Clear All confirm and Cancel dialog buttons
64479d4 a11y Fix WCAG 2 AAA enhanced contrast violations (SC 1.4.6)
8921985 a11y Resolve WCAG 2.1 AA issues (CRIT-01, MAJOR-02..08, MIN-05/06/12)
8c5302d a11y Resolve WCAG 2.1 AA accessibility issues in admin UI

Upgrade notes

  • Drop-in replacement for 3.0.0. No configuration or migration steps required.

  • Custom CSS overrides on .st_alert--success color should be reviewed if they relied on the previous green shade.

Full Changelog3_0_0...3_0_1

Nécessite Jahia 8.2.2.1Mis à jour 2026-06-02
Nécessite Jahia 8.2.2.1Mis à jour 2026-05-11