really skip Qsh verification in checkValidToken
Andriy Zhdanov
Branch: azhdanov/atlassian-connect-express:skipQshVerification
Branch: atlassian/atlassian-connect-express:master
Declined
Declined pull request
Somehow this PR had no reviewers, now contains conflicts and is 3 years old. Please re-raise if you'd still like this change
Closed by: boydo·2020-05-04
With this fix, an almost static add-on could use JWT claims from the HTML page to authenticate further requests to the add-on API backend, when necessary.
E.g. the add-on requires JWT for authentication in atlassian-connect.json, but serves static HTML for the general page, e.g.
"modules": { "generalPages": [{ "url": "/timereports.html?project.key={project.key}",
So that in JIRA the add-on is loaded with the JWT token in the query, e.g.:
https://retimesheet.herokuapp.com/timereports.html?project.key=...&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
Note, the jwt param includes `qsh`, for query hash. The add-on can call its own backend from the browser using atlToken, which does not include `qsh`. However, in the case of a static page, it does not have a clean atlToken without `qsh`, and it would be nice if it were possible to use the JWT from the original query instead in the add-on API checkValidToken. It does not compromise security.