Hi Leo @LeonardoDiniz ,
first of all, thank you for the prompt feedback (@ccurti and @sash011 , for you, too).
I’ve just revised the situation and figured out the real workflow in our app and therefore I need to amend my original description. Sorry for the initial inaccuracies.
- The first two steps and the respective REST requests (create customer request, add attachments to it) are executed on behalf of the user, i.e. the JSM customer.
- The 3rd reuest - that is, the one that tries to download one of the attachments and fails - is executed in name of the add-on.
Some general info:
- our app uses JWT tokens for authentication (exceptionally), so OAuth2 scopes should not play a role here
- our app has the following app scopes specified in its
atlassian-connect.json
descriptor: "READ", "WRITE", "ADMIN", "ACT_AS_USER", "ACCESS_EMAIL_ADDRESSES"
- request type applied in the failing unit test: “Ask a question”
In regard to the information above, I think, the app should be able to download practically any attachment of any issue/customer request, regardless, who and how created/uploaded it. And this approach worked for us till 20th January. [One reason to do so - i.e. to act on behalf of the app - is to ensure that the attachment will be downloaded in any use case, regardless which user initiated the action.]
However, after a minor change in the source code I also made an attempt with the other option, namely when we execute the download request on behalf of the user that uploaded it. And it resulted in a response with status code 401 and with a message "Client must be authenticated to access this resource."
, which sounds pretty weird knowing that the same user created the customer request and the attachments in the same session.
When executing the request as addon-user (the full response can be inspected in the JSM-API_failing_test_log.txt
attached):
[warn] c.m.c.j.j.s.JIRAServiceImpl - Could not download attachment, status: 403, url: https://metainf-stage.atlassian.net/rest/servicedeskapi/request/59321/attachment/30044, body:
When executing the request on behalf of a real user:
[warn] c.m.c.j.j.s.JIRAServiceImpl - Could not download attachment, status: 401, url: https://metainf-stage.atlassian.net/rest/servicedeskapi/request/59323/attachment/30048, body: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>401Client must be authenticated to access this resource.
To summarize my findings, we use JWT tokens and we do execute REST API request either directly on behalf of the app or on behalf of a user (for thre latter one, we retrieve the JWT token via the JwtBearerAccessTokenProvider.getAccessToken(AcHost acHost, String accountId)
method provided by the Play framework). So, is it possible at all to download any attachment on behalf of the app after these security changes?
Unfortunately, there is no public API endpoint defined for retrieving an attachment content (at least not indicated in the official JSM Cloud API documentation), so we cannot extrapolate, which app/user scopes may be required to do this now, or what have changed.
I hope, this info will help you.
Thanks for your further support and I’m looking forward to hearing from you,
Marton
JSM-API_failing_test_log.txt (68.2 KB)