really skip Qsh verification in checkValidToken

Declined
Pull request #125

Declined pull request

Somehow this PR had no reviewers, now contains conflicts and is 3 years old. Please re-raise if you'd still like this change

Closed on 2020-05-04

Description

With this fix an almost static add-on could use JWT claims from the HTML page to authenticate further requests to the add-on API backend, when necessary.

E.g. the add-on requires JWT for authentication in atlassian-connect.json, but serves static HTML for a general page, e.g.

"modules": { "generalPages": [{ "url": "/timereports.html?project.key={project.key}",

So in JIRA the add-on is loaded with the JWT token in the query, e.g.:

https://retimesheet.herokuapp.com/timereports.html?project.key=...&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...

Note: the jwt param includes qsh, the query string hash.

The add-on can call its own backend from the browser using atlToken, which does not include qsh.

However, in the case of a static page, it does not have a clean atlToken without qsh, and it would be nice if it were possible to use the JWT from the original query instead in the add-on API checkValidToken.

It does not compromise security.
