Cherry pick branch 'genexuslabs:fix/sdt-jwt-token-size' into beta

claudiamurialdo · claudiamurialdo · commit 354e39ab20fc · 2025-06-17T15:48:31.000-03:00
(cherry picked from commit 27c268b) # Conflicts: # dotnet/src/dotnetframework/GxClasses/Security/WebSecurity.cs
diff --git a/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs b/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs
@@ -1661,21 +1661,29 @@ protected string GetObjectAccessWebToken(String cmpCtx)
 			return GetSecureSignedToken(cmpCtx, string.Empty, this.context);
 		}
 
-		protected string GetSecureSignedToken(String cmpCtx, object Value, IGxContext context)
+		protected string GetSecureSignedToken(String cmpCtx, object value, IGxContext context)
 		{
-			return GetSecureSignedToken(cmpCtx, Serialize(Value), context);
+			if (value is IGxJSONSerializable)
+				return GetSecureSignedHashedToken(cmpCtx, SecureTokenHelper.GetTokenValue(value as IGxJSONSerializable), context);
+			else
+				return GetSecureSignedToken(cmpCtx, Serialize(value), context);
 		}
 
 		protected string GetSecureSignedToken(String cmpCtx, GxUserType Value, IGxContext context)
 		{
-			return GetSecureSignedToken(cmpCtx, Serialize(Value), context);
+			return GetSecureSignedHashedToken(cmpCtx, SecureTokenHelper.GetTokenValue(Value), context);
 		}
 
 
 		protected string GetSecureSignedToken(string cmpCtx, string value, IGxContext context)
 		{
 			return WebSecurityHelper.Sign(PgmInstanceId(cmpCtx), string.Empty, value, SecureTokenHelper.SecurityMode.Sign, context);
 		}
+		private string GetSecureSignedHashedToken(string cmpCtx, TokenValue tokenValue, IGxContext context)
+		{
+			return WebSecurityHelper.Sign(PgmInstanceId(cmpCtx), string.Empty, tokenValue, SecureTokenHelper.SecurityMode.Sign, context);
+		}
+		
 		protected bool VerifySecureSignedToken(string cmpCtx, Object value, string pic, string signedToken, IGxContext context)
 		{
 			GxUserType SDT = value as GxUserType;
diff --git a/dotnet/src/dotnetframework/GxClasses/Security/WebSecurity.cs b/dotnet/src/dotnetframework/GxClasses/Security/WebSecurity.cs
@@ -24,14 +24,23 @@ public static string StripInvalidChars(string input)
         {
 			if (string.IsNullOrEmpty(input))
 				return input;
-            var output = new string(input.Where(c => !char.IsControl(c)).ToArray());
+			string output = new string(input.Where(c => !char.IsControl(c)).ToArray());
             return output.Trim();
         }
 
         public static string Sign(string pgmName, string issuer, string value, SecurityMode mode, IGxContext context)
         {            
             return SecureTokenHelper.Sign(new WebSecureToken { ProgramName = pgmName, Issuer = issuer, Value = string.IsNullOrEmpty(value) ? string.Empty: StripInvalidChars(value) }, mode, GetSecretKey(context));
         }
+		internal static string Sign(string pgmName, string issuer, TokenValue tokenValue, SecurityMode mode, IGxContext context)
+		{
+			return SecureTokenHelper.Sign(new WebSecureToken {
+				ProgramName = pgmName,
+				Issuer = issuer,
+				ValueType = tokenValue.ValueType,
+				Value = string.IsNullOrEmpty(tokenValue.Value) ? string.Empty : StripInvalidChars(tokenValue.Value) },
+				mode, GetSecretKey(context));
+		}
 
         private static string GetSecretKey(IGxContext context)
         {
@@ -88,30 +97,63 @@ public static bool Verify(string pgmName, string issuer, string value, string jw
 
 		internal static bool VerifySecureSignedSDTToken(string cmpCtx, IGxCollection value, string signedToken, IGxContext context)
 		{
-			WebSecureToken Token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
-			if (Token == null)
+			WebSecureToken token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
+			if (token == null)
 				return false;
-			IGxCollection PayloadObject = (IGxCollection)value.Clone();
-			PayloadObject.FromJSonString(Token.Value);
-			return GxUserType.IsEqual(value, PayloadObject);
+			if (token.ValueType == SecureTokenHelper.ValueTypeHash) 
+			{
+				return VerifyTokenHash(value.ToJSonString(), token);
+			}
+			else
+			{
+				IGxCollection PayloadObject = (IGxCollection)value.Clone();
+				PayloadObject.FromJSonString(token.Value);
+				return GxUserType.IsEqual(value, PayloadObject);
+			}
 		}
 
 		internal static bool VerifySecureSignedSDTToken(string cmpCtx, GxUserType value, string signedToken, IGxContext context)
 		{
-			WebSecureToken Token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
-			if (Token == null)
+			WebSecureToken token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
+			if (token == null)
 				return false;
-			GxUserType PayloadObject = (GxUserType)value.Clone();
-			PayloadObject.FromJSonString(Token.Value);
-			return GxUserType.IsEqual(value, PayloadObject);
-		}
+			if (token.ValueType == ValueTypeHash) 
+			{
+				return VerifyTokenHash(value.ToJSonString(), token); 
+			}
+			else
+			{
+				GxUserType PayloadObject = (GxUserType)value.Clone();
+				PayloadObject.FromJSonString(token.Value);
+				return GxUserType.IsEqual(value, PayloadObject);
+			}
 
+		}
 
+		private static bool VerifyTokenHash(string payloadJsonString, WebSecureToken token)
+		{
+			string hash = GetHash(payloadJsonString);
+			if (hash != token.Value)
+			{
+				GXLogging.Error(_log, $"WebSecurity Token Verification error - Hash mismatch '{hash}' <> '{token.Value}'");
+				GXLogging.Debug(_log, "Payload TokenOriginalValue: " + payloadJsonString);
+				return false;
+			}
+			return true;
+		}
 	}
+	internal class TokenValue
+	{
+		internal string Value { get; set; }
+		internal string ValueType { get; set; }
+	}
+
 	[SecuritySafeCritical]
 	public static class SecureTokenHelper
     {
-        private static readonly ILog _log = LogManager.GetLogger(typeof(GeneXus.Web.Security.SecureTokenHelper));
+		static readonly IGXLogger _log = GXLoggerFactory.GetLogger(typeof(SecureTokenHelper).FullName);
+		internal const string ValueTypeHash = "hash";
+		const int MaxTokenValueLength = 1024;
 
         public enum SecurityMode
         {
@@ -143,6 +185,7 @@ internal static WebSecureToken getWebSecureToken(string signedToken, string secr
 				WebSecureToken outToken = new WebSecureToken();
 				var claims = handler.ValidateToken(signedToken, validationParameters, out securityToken);
 				outToken.Value = claims.Identities.First().Claims.First(c => c.Type == WebSecureToken.GXVALUE).Value;
+				outToken.ValueType = claims.Identities.First().Claims.First(c => c.Type == WebSecureToken.GXVALUE_TYPE)?.Value ?? string.Empty;
 				return outToken;
 			}
 		}
@@ -160,7 +203,8 @@ public static string Sign(WebSecureToken token, SecurityMode mode, string secret
 							new Claim(WebSecureToken.GXISSUER, token.Issuer),
 							new Claim(WebSecureToken.GXPROGRAM, token.ProgramName),
 							new Claim(WebSecureToken.GXVALUE, token.Value),
-							new Claim(WebSecureToken.GXEXPIRATION, token.Expiration.Subtract(new DateTime(1970, 1, 1)).TotalSeconds.ToString())
+							new Claim(WebSecureToken.GXEXPIRATION, token.Expiration.Subtract(new DateTime(1970, 1, 1)).TotalSeconds.ToString()),
+							new Claim(WebSecureToken.GXVALUE_TYPE, token.ValueType ?? string.Empty)
 							}),
 						notBefore: DateTime.UtcNow,
 						expires: token.Expiration,
@@ -208,10 +252,38 @@ internal static bool Verify(string jwtToken, WebSecureToken outToken, string sec
 				}
 			}
 			return ok;
-		}          
-    }
+		}
+		internal static TokenValue GetTokenValue(IGxJSONSerializable obj)
+		{
+	
+			string jsonString = obj.ToJSonString();
 
-    [DataContract]
+			if (jsonString.Length > MaxTokenValueLength)
+			{
+				string hash = GetHash(jsonString);
+				GXLogging.Debug(_log, $"GetTokenValue: TokenValue is too long, using hash: {hash} instead of original value.");
+				GXLogging.Debug(_log, $"Server TokenOriginalValue:" + jsonString);
+				return new TokenValue() { Value = hash, ValueType = ValueTypeHash };
+			}
+			else
+			{
+				GXLogging.Debug(_log, $"GetTokenValue:" + jsonString);
+				return new TokenValue() { Value = jsonString };
+			}
+		}
+		internal static string GetHash(string jsonString)
+		{
+			using (var sha256 = System.Security.Cryptography.SHA256.Create())
+			{
+				byte[] hashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(jsonString));
+				jsonString = Convert.ToBase64String(hashBytes);
+				return jsonString;
+			}
+		}
+
+	}
+
+	[DataContract]
     public abstract class SecureToken : IGxJSONSerializable
     {
         public abstract string ToJSonString();
@@ -241,8 +313,9 @@ public class WebSecureToken: SecureToken
         internal const string GXPROGRAM = "gx-pgm";
         internal const string GXVALUE = "gx-val";
         internal const string GXEXPIRATION = "gx-exp";
+		internal const string GXVALUE_TYPE = "gx-val-type";
 
-        [DataMember(Name = GXISSUER, IsRequired = true, EmitDefaultValue = false)]
+		[DataMember(Name = GXISSUER, IsRequired = true, EmitDefaultValue = false)]
         public string Issuer { get; set; }
 
 		[DataMember(Name = GXPROGRAM, IsRequired = true, EmitDefaultValue = false)]
@@ -254,7 +327,9 @@ public class WebSecureToken: SecureToken
         [DataMember(Name = GXEXPIRATION, EmitDefaultValue = false)]
         public DateTime Expiration { get; set; }
 
-        public WebSecureToken()
+		[DataMember(Name = GXVALUE_TYPE, EmitDefaultValue = false)]
+		public string ValueType { get; set; }
+		public WebSecureToken()
         {
             Expiration = DateTime.Now.AddDays(15);			
 		}
@@ -267,6 +342,7 @@ public override bool FromJSonString(string s)
                 this.Value = wt.Value;
                 this.ProgramName = wt.ProgramName;
                 this.Issuer = wt.Issuer;
+				this.ValueType = wt.ValueType;
                 return true;
             }
             catch (Exception)

Original file line number	Diff line number	Diff line change
`@@ -1661,21 +1661,29 @@ protected string GetObjectAccessWebToken(String cmpCtx)`
`1661`	`1661`	`return GetSecureSignedToken(cmpCtx, string.Empty, this.context);`
`1662`	`1662`	`}`
`1663`	`1663`
`1664`		`- protected string GetSecureSignedToken(String cmpCtx, object Value, IGxContext context)`
	`1664`	`+ protected string GetSecureSignedToken(String cmpCtx, object value, IGxContext context)`
`1665`	`1665`	`{`
`1666`		`- return GetSecureSignedToken(cmpCtx, Serialize(Value), context);`
	`1666`	`+ if (value is IGxJSONSerializable)`
	`1667`	`+ return GetSecureSignedHashedToken(cmpCtx, SecureTokenHelper.GetTokenValue(value as IGxJSONSerializable), context);`
	`1668`	`+ else`
	`1669`	`+ return GetSecureSignedToken(cmpCtx, Serialize(value), context);`
`1667`	`1670`	`}`
`1668`	`1671`
`1669`	`1672`	`protected string GetSecureSignedToken(String cmpCtx, GxUserType Value, IGxContext context)`
`1670`	`1673`	`{`
`1671`		`- return GetSecureSignedToken(cmpCtx, Serialize(Value), context);`
	`1674`	`+ return GetSecureSignedHashedToken(cmpCtx, SecureTokenHelper.GetTokenValue(Value), context);`
`1672`	`1675`	`}`
`1673`	`1676`
`1674`	`1677`
`1675`	`1678`	`protected string GetSecureSignedToken(string cmpCtx, string value, IGxContext context)`
`1676`	`1679`	`{`
`1677`	`1680`	`return WebSecurityHelper.Sign(PgmInstanceId(cmpCtx), string.Empty, value, SecureTokenHelper.SecurityMode.Sign, context);`
`1678`	`1681`	`}`
	`1682`	`+ private string GetSecureSignedHashedToken(string cmpCtx, TokenValue tokenValue, IGxContext context)`
	`1683`	`+ {`
	`1684`	`+ return WebSecurityHelper.Sign(PgmInstanceId(cmpCtx), string.Empty, tokenValue, SecureTokenHelper.SecurityMode.Sign, context);`
	`1685`	`+ }`
	`1686`	`+`
`1679`	`1687`	`protected bool VerifySecureSignedToken(string cmpCtx, Object value, string pic, string signedToken, IGxContext context)`
`1680`	`1688`	`{`
`1681`	`1689`	`GxUserType SDT = value as GxUserType;`