Authentication in ajax call for jira cloud app

ajax
ajs
authentication

#1

Hello,
In my app, I need to make an ajax call to one of my scripts (an end point in my app) from one of the pages of the app. With my initial workaround, I was able to create the following code in the calling page. This code can reach the script/end point (user-skill.php) and can retrieve the data.

// Runs inside the app iframe: on click, call the app's own end point with the clicked person's id
AJS.$(document).on('click', '.aui-button', function() {
    var that = this;
    var person_id = AJS.$(this).data('person-id');
    // use AJS.$ (the jQuery bundled with AUI) rather than a bare $, which may not be defined on the page
    AJS.$.get('user-skill.php?developer=' + encodeURIComponent(person_id)).done(function() {
        AP.navigator.reload();
    }).fail(function() {
        alert("error");
    });
});

I want to put some security in my user-skill.php to make sure all calls are valid calls from an authenticated user in Jira Cloud. Is there any way I can do this, or in other words, how can I retrieve the user context in my script when it is called via ajax?

Is the $.get() making calls between the Jira Cloud server and the app server, or is it a direct call from the iframe? If this is a direct call from the iframe, is there any way I can make a similar call from the Jira Cloud server to the app server where the context info (or a JWT token) will be sent?


#2

When the page is first loaded from your service, it is sent with a JWT token that contains the ID of the user that triggered the page load that includes your app. If this is a fetch of data that happens on page load then you should use that.

If this is a request that happens after page load to your app, and you are not using one of the standard Atlassian provided frameworks for Atlassian App development, then you are going to have to re-implement page-token support yourself.

Essentially, you leave a signed token on the page after page load and use that as a temporary (it should time out) token that the frontend can use to access your service on behalf of the user.

See here for more: https://bitbucket.org/atlassian/atlassian-connect-express/src/master/#markdown-header-how-to-send-a-signed-http-request-from-the-iframe-back-to-the-add-on-service


#3

Thanks for your reply.

What you explained in the second and third paragraphs of your answer is the case I am looking for. The ajax call is made from the loaded page. And I understand the page-token security. But I am not sure if that is the right type of security we should rely on. The reason I am saying this is that we can certainly put the token in a meta tag or somewhere in the page, but that token can then be easily intercepted by an intruder and reused with a forged HTTP call to the same app end point. And this will make the system insecure via the app.

The ideal solution would be to have an option via AP to make the ajax call. That could actually secure this, I guess. Is there any way to do it at this point, or is there any plan to integrate such a feature in the future?

Thanks


#4

There is nothing on the short-term backlog to make Atlassian Cloud proxy HTTP requests to your app for you for security purposes.