How to authenticate calls from the API proxy module

I’m reading the documentation on the Bitbucket API proxy module. Specifically, I’m looking at the diagram under the How it works section:

#3 - The proxy forwards the request to your app’s backend service.

How does myapp.com verify that a call it receives is actually an authenticated call from api.bitbucket.io? I’ve set up a proof-of-concept proxy configuration:

"modules": {
     "proxy":{
          "/api/repository":{
               "destination":"/api/repository"
          }
     }
}

And trigger it using this code:

AP.proxyRequest({
    url: '/api/repository',
    success: function (data) {
        console.log(data);
    },
    error: function (err) {
        console.log(err);
    }
});

I can see in my logs the request made to /api/repository, but I cannot see anything in the request that I can use to authenticate that the request is actually from api.bitbucket.io.

I’m assuming I’m missing something obvious, because it seems like a pretty serious and obvious security flaw in the API proxy module, but I cannot for the life of me work out what I’m missing :confounded:

Hi @AlexDess,
There should be an Authorization header included in the request which is a JWT token, which you can decode with your app secret.

Let me know if this helps

That’s what I thought! :slight_smile:

But I cannot see it in my logs. I can see other headers, but not that one. I’m logging what my application code in an AWS Lambda function sees. That Lambda is behind an API Gateway and a CloudFront distribution. Maybe it is being stripped by one of those. I’ll see if I can check closer to BB.

Thanks for your help :pray: