From my point of view you just have to put the following now into local.json:
[...]
"token": {
"enable": {
"request": {
"inbox": true,
"outbox": true
},
"browser": true
},
[...]
},
[...]
"secret": {
"inbox": {
"string": "s3cr3t"
},
"outbox": {
"string": "s3cr3t"
},
"session": {
"string": "s3cr3t"
}
[...]
and this stays within the default.json:
[...]
"ipfilter": {
"rules": [{"address": "myDomain.de", "allowed": true},
{"address": "*", "allowed": false}],
"useforrequest": false,
"errorcode": 401
},
[...]
"token": {
[...]
"browser": {
"secretFromInbox": true
},
[...]
afterwards of course:
supervisorctl restart all
So everything else that exists as a duplicate in default.json, seems to be overwritten by the local.json
But please dont take this last remark as a fact, try it out yourself, so that your security stays intact !
P.S. My Setup is: 1 Nextcloud instance with v14, 1 Nextcloud instance with v13, 1 OnlyOffice Documents 5.2, works fine with both Nextclouds and up-to-date version of the nextcloud-onlyoffice-plugin