REST API : 403 when overrideScreenSecurity=true


ugub...@gmail.com

Jan 30, 2017, 10:32:57 AM
to Atlassian Connect Dev

Hello all,


I am implementing a cloud plugin. I try to update a custom field, but it throws a 403 error when I set the parameter overrideScreenSecurity=true.
I am using atlassian-connect-express 2.x.


I have put the ADMIN scope on the plugin, and the user has the Administer Project permission and is even a Jira administrator.


The code:
AP.require('request', function (request) {
    request({
        url: '/rest/api/2/issue/' + issueKey + '?overrideScreenSecurity=true',
        type: 'PUT',
        contentType: 'application/json',
        data: JSON.stringify(issueUpdate),   // the { update: { customfield_...: [...] } } body for the issue
        error: function (xhr) { console.log(xhr.status, xhr.responseText); }
    });
});


The error:
403 - only connect add-on users with admin scope permission are allowed to overwrite screen security.


Do you think that's a bug, or am I missing something in my configuration?


Thanks for your feedback.


Best regards,

S.

Daniel Wester

Jan 30, 2017, 11:29:24 AM
to Atlassian Connect Dev
It's more than likely the calculation of the JWT token that's getting messed up because you're mixing query strings with PUT.

atlassian-jwt-js library uses the req.body for the calculation of the JWT hash for PUTs and POSTs ( see https://bitbucket.org/atlassian/atlassian-jwt-js/src/569573456793d62f56cca0ea472da1d5b88702eb/lib/jwt.js?at=master&fileviewer=file-view-default#jwt.js-204 ).  If I recall properly from when I last saw the AC plugin code (it's no longer available publicly so it's been a year or so - so things could have changed), on the Atlassian product side it's both query string parameters and body keys...

My suggestion would be to regenerate a jwt token manually with the query string parameter in it and see if that works.


ugub...@gmail.com

Jan 31, 2017, 9:12:38 AM
to Atlassian Connect Dev
Hello Daniel,

I tried your solution by creating a token and bypassing connect express, but now I receive a 401 unauthorized. I am not an expert, maybe you can help :-/
My code:

var moment = require('moment');
var jwt = require('atlassian-jwt');
var request = require('request');

var now = moment().utc(),
    jwtTokenValidityInMinutes = addon.config.jwt().validityInMinutes;
var baseUrl = "https://[servername].atlassian.net";
var issuePath = "/rest/api/2/issue/PROJ-13";
var updatedValueJSON = JSON.stringify({ update: { customfield_10400: [{ set: 99 }] } });

// createQueryStringHash reads req.method, req.pathname and req.query (not "uri"),
// so describe the request in that shape, with the query string parameter included
var reqForQsh = {
    method: "PUT",
    pathname: issuePath,
    query: { "overrideScreenSecurity": "true" }
};

var claims = {
    "iss": addon.key,
    "iat": now.unix(),                                                      // the time the token is generated
    "exp": now.clone().add(jwtTokenValidityInMinutes, 'minutes').unix(),    // token expiry time (recommend 3 minutes after issuing)
    "qsh": jwt.createQueryStringHash(reqForQsh)                             // [Query String Hash](https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html#qsh)
};
var secret = d.sharedSecret;           // d: the stored client record for this tenant, holding the shared secret from installation
var token = jwt.encode(claims, secret);

request({
    headers: {
        'authorization': 'JWT ' + token,
        'content-type': 'application/json'
    },
    method: 'PUT',
    uri: baseUrl + issuePath,
    qs: { "overrideScreenSecurity": "true" },   // the request library takes the query string as "qs", not "query"
    body: updatedValueJSON
}, function (error, response, body) {
    console.log(error || response.statusCode, body);
});