Securing REST calls


Richard Simko

Jan 24, 2016, 5:14:51 PM
to Atlassian Connect Dev
The ACE readme claims that using the handlebars helper {{token}} I can get access to a JWT which I can then use to secure calls from the iFrame to my server. However this doesn't seem to work as intended. Using the method provided for REST calls:

beforeSend: function (request) {
    request.setRequestHeader("Authorization", "JWT {{token}}");
}

I get a token not containing a qsh claim, which the server complains about. On the server side I get the following error:

Authentication verification error: 401 JWT claim did not contain the query string hash (qsh) claim

Which is obviously true, having verified the content using https://jwt.io

Now my question is: am I supposed to populate the token with my own claims? If so, then specifying that in the documentation would be nice; from what I understand, the token can be used as provided. If not, then I guess I should report a bug concerning this.

Travis Smith

Jan 25, 2016, 2:31:25 PM
to atlassian-...@googlegroups.com
Richard,

Per https://answers.atlassian.com/questions/35754312/how-to-secure-rest-routes-using-atlassian-connect-express, you need to use addon.checkValidToken() as your middleware with the {{token}}. It does not contain a QSH claim -- the token will not work with endpoints secured with the addon.authenticate() middleware.

Cheers,

--
-Travis

kts...@gmail.com

Oct 23, 2016, 7:10:36 PM
to Atlassian Connect Dev
Hi, I had the same problem and the answer helped me too, but I am also facing another issue.
The {{token}} is actually sent as {{token}} in the header and it is not replaced by the actual token. I have to save the token in the HTML as a meta tag, read it, and put it in the request header instead.
How have you made the {{token}} render in your JavaScript?

Thank you

Michael Staas

Oct 24, 2016, 1:46:25 AM
to Atlassian Connect Dev
Hi there,

The Handlebars substitution only occurs in the views/*.hbs files.
The way you suggest you solved this, with the meta tag and sending the header back to your add-on via AJAX, is appropriate.

Cheers