How to check if the first installation callback has been sent from an Atlassian instance?

In this section of the docs it’s written that:

Because there was no previous shared secret the recipient cannot validate a JWT token. This means that you should anticipate that there will be no Authorization header present.

How can I check the validity of this request? Anyone could be sending installation requests to my app. How would I know that they come from an actual confluence instance?

The only way to actually validate this is by using the credentials provided in the JWT (sharedSecret) and calling the Jira REST API of the provided instance baseUrl. You can use the /myself endpoint to get the identity of the app system user.

2 Likes

Hey remie,
thanks for answering. This sounds promising. I couldn’t find a link to any documentation about /myself. Mind providing me with a link? :slight_smile:

Sure! Here you go: https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-myself/#api-rest-api-3-myself-get

1 Like
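The check remie describes, as an added worked example that is not code from this thread or from Atlassian: take the sharedSecret and baseUrl from the installation payload, sign a Connect-style JWT (HS256 with the qsh query-string-hash claim) for GET /rest/api/3/myself, and treat a 200 response carrying an accountId as evidence that the instance at baseUrl really does accept that secret. The installation payload below is constructed, the app key com.example.my-connect-app is an assumption, and the code uses only the standard library; it builds and verifies the request offline and leaves the actual HTTP call to the caller.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample of an "installed" lifecycle payload (not a real instance or secret).
SAMPLE_INSTALL_PAYLOAD = {
    "key": "com.example.my-connect-app",          # app key from the descriptor (assumed)
    "clientKey": "constructed-client-key-0001",
    "sharedSecret": "constructed-shared-secret-do-not-use",
    "baseUrl": "https://example.atlassian.net",
    "eventType": "installed",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_request(method: str, url: str, context_path: str = "") -> str:
    """Canonical request string behind the qsh claim:
    METHOD&path-relative-to-the-product&sorted-query (the jwt parameter is excluded)."""
    parts = urlsplit(url)
    path = parts.path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    path = "/" + path.strip("/") if path.strip("/") else "/"
    params: dict = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "jwt":
            continue
        params.setdefault(key, []).append(value)
    query = "&".join(
        f"{quote(k, safe='~')}={','.join(quote(v, safe='~') for v in sorted(vals))}"
        for k, vals in sorted(params.items())
    )
    return f"{method.upper()}&{path}&{query}"


def qsh(method: str, url: str, context_path: str = "") -> str:
    return hashlib.sha256(canonical_request(method, url, context_path).encode()).hexdigest()


def build_connect_jwt(app_key, shared_secret, method, url, context_path="", lifetime=180, now=None):
    """Sign an HS256 JWT with iss/iat/exp/qsh claims, as a Connect app does for outbound calls."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": app_key, "iat": now, "exp": now + lifetime, "qsh": qsh(method, url, context_path)}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_connect_jwt(token, shared_secret, method, url, context_path="", now=None) -> bool:
    """What the receiving side checks: signature, expiry, and that qsh matches the request."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(shared_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) < now:
        return False
    return claims.get("qsh") == qsh(method, url, context_path)


def myself_request(payload: dict):
    """Build the /myself probe: returns (url, headers) ready for e.g. requests.get(url, headers=headers)."""
    base = payload["baseUrl"].rstrip("/")
    context_path = urlsplit(base).path            # non-empty if the instance has a context path
    url = base + "/rest/api/3/myself"
    token = build_connect_jwt(payload["key"], payload["sharedSecret"], "GET", url, context_path)
    return url, {"Authorization": f"JWT {token}", "Accept": "application/json"}


def installation_looks_genuine(status_code: int, body) -> bool:
    """200 with an accountId means the host at baseUrl accepted the secret; 401/403 means it did not."""
    return status_code == 200 and isinstance(body, dict) and "accountId" in body
```

Note what this does and does not prove: a successful /myself call shows that whatever host answers at baseUrl accepted the sharedSecret, so it is a plausibility check rather than proof of origin. Errors from the probe during the installation callback itself should be logged rather than treated as a reason to reject the install, since the instance may not have finished setting the app up at that moment.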

Word of warning - using the Jira REST API during the installation process will probably fail since the installation hasn’t been completed at that point… (You’re in the middle of setting up the app at that point).

Not sure how big of an actual problem this concern is. It is a theoretical problem - sure. But I have yet to hear about anyone having a huge amount of “fake” installations.

I would be careful about premature optimization in this area since you could potentially block valid installations.

There really isn’t a good way to verify the installations in the current structure of Connect. (If I’m spoofing the installation payload - I can just as well spoof a rest call).

3 Likes

What @danielwester says :point_up: