Addon.authenticate vs addon.checkValidToken - differences? when to use which?

ZbigniewPiecuch · May 9, 2022, 12:00pm

Hello
Possibly a noob question, but I’m checking my code and noticed that I use

addon.authenticate(true)

in almost all backend entries (both the ones that are requested by Jira and the ones that I fetch from front end). Only for uninstall I use addon.authenticateInstall() as is done here: Bitbucket
But also on the same page there is

addon.checkValidToken()

used/recommended in the “How to send a signed HTTP request from the iframe back to the add-on service” section.

I’ve tried to search what are the differences between the two function and I still don’t know

Anyone could explain differences between authenticate and checkValidToken functions or point to a page where it is described?
Maybe some guidance when to use which.

ZbigniewPiecuch · May 17, 2022, 7:34am

Checking the source code it looks like both of the methods do the same. The only difference is that checkValidToken additionally checks if AC_OPTS environment variable is set to no-token-verfication and if it is, then authentication is not performed.

marc · May 17, 2022, 10:09am

Make sure you use addon.authenticate() (i.e. without true) for backend calls from Jira.

ZbigniewPiecuch · May 18, 2022, 11:54am

Thanks, that’s very useful and already implemented.

I’m assuming the same is for getting the atlassian-connect.json from backend, so it should be:

app.get('/', addon.authenticate(), (req, res) => {
    res.redirect('/atlassian-connect.json');
  });

and the addon.authenticateInstall() method should not be used there?

marc · May 18, 2022, 12:18pm

@ZbigniewPiecuch atlassian-connect.json should be available without authentication I believe.

ZbigniewPiecuch · May 20, 2022, 10:05am

Yes, ultimately I have that way.
Thanks again.