I’m reading the documentation on the Bitbucket API proxy module. Specifically, I’m looking at the diagram under the How it works section:
#3 - The proxy forwards the request to your app’s backend service.
How does myapp.com verify that a call it receives is actually an authenticated call from api.bitbucket.io? I’ve set up a proof-of-concept proxy configuration:
    "modules": {
        "proxy": {
            "/api/repository": {
                "destination": "/api/repository"
            }
        }
    }
And I trigger it using this code:
    // Call the proxied route from the app's front end via the Connect JS API
    AP.proxyRequest({
        url: '/api/repository',
        success: function (data) {
            // Response body from the backend service
            console.log(data);
        },
        error: function (err) {
            // Error details if the proxied request fails
            console.log(err);
        }
    });
I can see in my logs the request made to /api/repository, but I cannot see anything in the request that I can use to authenticate that the request is actually from api.bitbucket.io.
I’m assuming I’m missing something obvious, because it seems like a pretty serious and obvious security flaw in the API proxy module, but I cannot for the life of me work out what I’m missing.