Expired JWT token in the iframe of the panel, which leads to HTTP 401 response

The “Security requirements for cloud applications” (https://developer.atlassian.com/platform/marketplace/security-requirements/) page says the following:

The application must authenticate and authorize all requests. Anonymous access to application endpoints and resources can be allowed in scenarios where it is needed.

So we have decided that all of our application resources (html, js, css, etc.) can be downloaded anonymously.

In this case the Atlassian CSRT tool (GitHub - atlassian-labs/connect-security-req-tester: A tool to check your Atlassian Connect app against Atlassian's security requirements.) reports the following:

Requirement 5 - Authentication and Authorization of Application Resources

Passed: False

Description:

One or more endpoints returned a <400 status code without authentication information. This may indicate that your app is not performing authentication and authorization checks.

Proof:

…./foo.html

Res Code: 200 Req Method: GET Auth Header: None

After this we have decided that the HTML resources cannot be accessed anonymously; a valid JWT token must be provided. Now all of our entry points are secured and the CSRT tool passes all the tests and requirements.

We have the following entries in the atlassian-connect.json:

    "jiraIssueContents": [
      {
        "icon": {
          "width": 20,
          "height": 18,
          "url": "/img/icon-s.png"
        },
        "target": {
          "type": "web_panel",
          "url": "/foo.html"
        },
        "tooltip": {
          "value": "Foo"
        },
        "name": {
          "value": "Foo"
        },
        "key": "foo-panel-open"
      }
    ],
    "webPanels": [
      {
        "key": "foo-panel",
        "location": "atl.jira.view.issue.left.context",
        "name": {
          "value": "Foo"
        },
        "url": "/foo.html"
      }
    ],

When a Jira issue is opened and the rendered “Foo” button is clicked the panel opens as expected.

But if we click the “Foo” button 15 minutes (when a JWT token expires) after the issue is opened, then foo.html is referenced with the expired JWT token in the iframe of the panel, which leads to an HTTP 401 response.

We have the following questions:

  • Should the CSRT tool be implemented in a different way when it checks “Requirement 5”? This case should be marked as “passed with warnings”.
  • Is there a bug in the Atlassian Cloud platform? I guess there is because a valid JWT token should be passed to the iframe when a panel is requested by the user by clicking on the button and rendered.
  • What is the best practice to handle this scenario?

We serve all our static content from CDN, so I would consider this a false positive as we could never authenticate those requests. AFAIK the Atlassian CSRT tool is still being tweaked, so if an AMS ticket is raised because of not meeting requirement 5, you should mark it as false positive and explain your case.

3 Likes

Hi there,
I’ll do my best to address your questions.

  1. CSRT does a “best effort” attempt on some of the security requirements. In many cases, we cannot determine what is and what is not in scope. We instead report everything and you can then interpret these results. This is why we do not create tickets on Requirement #5 as the results are subjective and full of false positives. You are welcomed and encouraged to file a bug report/feature request for CSRT at: Issues · atlassian-labs/connect-security-req-tester · GitHub
  2. You can use AP.context.getToken() in situations where you need to ensure you have a fresh and valid JWT token. This will potentially require a re-design, but the functionality does exist. You can reference these other resources for additional information:
  3. I believe this was answered in #2 via the suggestions provided.
1 Like