Merge branch 'development'

Author: lmajano

ModuleConfig.cfc

@@ -18,14 +18,14 @@ component {
 	this.entryPoint        = "cbsecurity";
 	// Helpers
 	this.applicationHelper = [ "helpers/mixins.cfm" ];
-	// Dependencies
-	this.dependencies      = [ "cbauth", "jwtcfml", "cbcsrf" ];
+	// Dependencies that must be loaded first.
+	this.dependencies      = [];
 
 	/**
 	 * Module Config
 	 */
 	function configure(){
-		settings = {
+		variables.settings = {
 			/**
 			 * --------------------------------------------------------------------------
 			 * Authentication Services
@@ -114,7 +114,7 @@ component {
 		};
 
 		// Security Interceptions
-		interceptorSettings = {
+		variables.interceptorSettings = {
 			customInterceptionPoints : [
 				// Validator Events
 				"cbSecurity_onInvalidAuthentication",

box.json

@@ -1,6 +1,6 @@
 {
     "name":"ColdBox Security",
-    "version":"3.6.0",
+    "version":"3.7.0",
     "location":"https://downloads.ortussolutions.com/ortussolutions/coldbox-modules/cbsecurity/@build.version@/[email protected]@.zip",
     "author":"Ortus Solutions.com <[email protected]>",
     "slug":"cbsecurity",

changelog.md

@@ -9,6 +9,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Increased VARCHAR field sizes in `DBLogger` table schema to accommodate longer URLs and user agent strings. Fields `host`, `path`, `queryString`, `referer`, and `userAgent` now use VARCHAR(1024) to prevent truncation of data.
+- Updated `DBLogger` insert statements to truncate `host`, `path`, `queryString`, `referer`, and `userAgent` values to 1024 characters using `left()` function to prevent database errors.
+
+### Fixed
+
+- Allow for sub-modules to load AFTER cbsecurity loads.
+- Make sure the jwt token is not null when doing discovery in the JwtService.
+- Fixed `isSafeRedirectUrl()` host comparison for non-default ports by stripping port from host before comparing with URI host.
+- ACF Compatibility: Fixed `dateTimeFormat` usage for `logDate` in activity view to prevent conversion errors in Adobe ColdFusion.
+
+### Added
+
+- Added `TokenRejectionException` handling in JWT handler to properly handle token rejection errors.
+- Updated JWT handler error message calls to match specification.
+- Added test cases for non-default port scenarios in `isSafeRedirectUrl()` validation.
+- Added test validation for JWT response messages.
+
 ## [3.6.0] - 2025-12-08
 
 ### Security

handlers/Jwt.cfc

@@ -14,13 +14,7 @@ component extends="coldbox.system.RestHandler" {
 	function refreshToken( event, rc, prc ){
 		// If endpoint not enabled, just 404 it
 		if ( !variables.jwtService.getSettings().jwt.enableRefreshEndpoint ) {
-			event
-				.getResponse()
-				.setErrorMessage(
-					"Refresh Token Endpoint Disabled",
-					404,
-					"Disabled"
-				);
+			event.getResponse().setErrorMessage( "Refresh Token Endpoint Disabled", 404 );
 			return;
 		}
 
@@ -33,31 +27,20 @@ component extends="coldbox.system.RestHandler" {
 				.setData( prc.newTokens )
 				.addMessage( "Tokens refreshed! The passed in refresh token has been invalidated" );
 		} catch ( RefreshTokensNotActive e ) {
-			event.getResponse().setErrorMessage( "Refresh Tokens Not Active", 404, "Disabled" );
+			event.getResponse().setErrorMessage( "Refresh Tokens Not Active", 404 );
 		} catch ( TokenNotFoundException e ) {
 			event
 				.getResponse()
 				.setErrorMessage(
 					"The refresh token was not passed via the header or the rc. Cannot refresh the unrefreshable!",
-					400,
-					"Missing refresh token"
+					400
 				);
 		} catch ( TokenInvalidException e ) {
-			event
-				.getResponse()
-				.setErrorMessage(
-					"Invalid Token - #e.message#",
-					401,
-					"Invalid Token"
-				);
+			event.getResponse().setErrorMessage( "Invalid Token", 401 );
 		} catch ( TokenExpiredException e ) {
-			event
-				.getResponse()
-				.setErrorMessage(
-					"Token Expired - #e.message#",
-					400,
-					"Token Expired"
-				);
+			event.getResponse().setErrorMessage( "Token Expired", 400 );
+		} catch ( TokenRejectionException e ) {
+			event.getResponse().setErrorMessage( "Invalid Token", 401 );
 		}
 	}
 

interceptors/Security.cfc

@@ -827,7 +827,9 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 			}
 
 			// Get the current request's host for comparison
-			var currentHost = variables.cbSecurity.getRealHost();
+			// Normalize host: urlToValidate.getHost() does not include port
+			// Strip port from .getRealHost() for compare
+			var currentHost = listFirst( variables.cbSecurity.getRealHost(), ":" );
 
 			// Compare hosts (case-insensitive)
 			return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;

models/CBSecurity.cfc

@@ -164,7 +164,7 @@ component threadsafe singleton accessors="true" {
 		}
 
 		// cbcsrf settings incorporation
-		variables.moduleSettings.cbcsrf.settings.append( variables.settings.csrf, false );
+		variables.moduleSettings.cbcsrf.settings.append( variables.settings.csrf, true );
 		// DBLogger Configuration
 		variables.dbLogger.configure();
 		// Log it

models/jwt/JwtService.cfc

@@ -817,7 +817,7 @@ component accessors="true" singleton threadsafe {
 		);
 
 		// If we found it, return it, else try other headers
-		if ( jwtToken.len() ) {
+		if ( !isNull( jwtToken ) && jwtToken.len() ) {
 			return jwtToken;
 		}
 

models/util/DBLogger.cfc

@@ -159,12 +159,12 @@ component accessors="true" singleton threadsafe {
 				action      : { cfsqltype : "varchar", value : arguments.action },
 				blockType   : { cfsqltype : "varchar", value : arguments.blockType },
 				ip          : { cfsqltype : "varchar", value : arguments.ip },
-				host        : { cfsqltype : "varchar", value : arguments.host },
+				host        : { cfsqltype : "varchar", value : left( arguments.host, 1024 ) },
 				httpMethod  : { cfsqltype : "varchar", value : arguments.httpMethod },
-				path        : { cfsqltype : "varchar", value : arguments.path },
-				queryString : { cfsqltype : "varchar", value : arguments.queryString },
-				referer     : { cfsqltype : "varchar", value : arguments.referer },
-				userAgent   : { cfsqltype : "varchar", value : arguments.userAgent },
+				path        : { cfsqltype : "varchar", value : left( arguments.path, 1024 ) },
+				queryString : { cfsqltype : "varchar", value : left( arguments.queryString, 1024 ) },
+				referer     : { cfsqltype : "varchar", value : left( arguments.referer, 1024 ) },
+				userAgent   : { cfsqltype : "varchar", value : left( arguments.userAgent, 1024 ) },
 				userId      : { cfsqltype : "varchar", value : arguments.userId },
 				rule        : {
 					cfsqltype : "longvarchar",
@@ -403,12 +403,12 @@ component accessors="true" singleton threadsafe {
 						action VARCHAR(20) NOT NULL,
 						blockType VARCHAR(20) NOT NULL,
 						ip VARCHAR(100) NOT NULL,
-						host VARCHAR(255) NOT NULL,
+						host VARCHAR(1024) NOT NULL,
 						httpMethod VARCHAR(25) NOT NULL,
-						path VARCHAR(255) NOT NULL,
-						queryString VARCHAR(255) NOT NULL,
-						referer VARCHAR(255),
-						userAgent VARCHAR(255) NOT NULL,
+						path VARCHAR(1024) NOT NULL,
+						queryString VARCHAR(1024) NOT NULL,
+						referer VARCHAR(1024),
+						userAgent VARCHAR(1024) NOT NULL,
 						userId VARCHAR(36),
 						securityRule #getTextColumnType()#,
 						PRIMARY KEY (id)

test-harness/box.json

@@ -13,5 +13,9 @@
         "route-visualizer":"*"
     },
     "installPaths":{
+        "coldbox":"coldbox/",
+        "BCrypt":"modules/BCrypt/",
+        "testbox":"testbox/",
+        "route-visualizer":"modules/route-visualizer/"
     }
 }

test-harness/tests/specs/integration/JWTSpec.cfc

@@ -188,11 +188,21 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 					} );
 					given( "An activated endpoint and an invalid refresh token", function(){
 						then( "it should kick me out", function(){
+							var oUser  = variables.userService.retrieveUserByUsername( "test" );
+							var tokens = variables.jwtService.fromUser( oUser );
 							variables.jwtService.getSettings().jwt.enableRefreshEndpoint = true;
+
+							// Force invalidate the refresh token
+							variables.jwtService.invalidate( tokens.refresh_token );
+
 							var event = this.post(
 								"/cbsecurity/refreshtoken",
-								{ "x-refresh-token" : variables.invalid_token }
+								{ "x-refresh-token" : tokens.refresh_token }
 							);
+
+							var jsonResponse = deserializeJSON( event.getRenderedContent() );
+							expect( jsonResponse.messages[ 1 ] ).toBe( event.getResponse().getMessagesString() );
+
 							expect( event.getResponse().getStatusCode() ).toBe(
 								401,
 								event.getResponse().getMessagesString()