I can’t install a Connect App on Bitbucket when using the atlassian-connect-express version 7.6.0.
It does work with older versions, for example version 7.4.8.
With version 7.6.0 I get a 401 error on the /installed endpoint:
Logs:
    Installation verification error: 401 Unexpected or missing JWT token, failed to verify installation.
    POST /installed 401 58.864 ms - 63
When I look at the relevant code in the connect-express module, it seems that the authentication mechanism got removed.
In version 7.4.8, there are two paths for the authentication.
    // in verifyInstallation.js, authenticateInstall
    if (
      addon.config.signedInstall() === "force" ||
      (signedInstallFromDescriptor && isJWTAsymmetric(addon, req))
    ) {
      ...
    } else {
      ... // The 'old' code path is taken on installation.
    }
In version 7.6.0, only the asymmetric code path exists:
    // in verifyInstallation.js, authenticateInstall
    if (isJWTAsymmetric(addon, req)) {
    } else {
      // The 'old' fallback path removed. But this is always taken.
      sendError(
        "Unexpected or missing JWT token, failed to verify installation."
      );
    }
I’m not sure what I’m missing. Is there an app descriptor entry I need to add to take the ‘modern’ path?
I think this is related to the Atlassian Connect Lifecycle improvements: Action Required - Atlassian Connect installation lifecycle security improvements
I tried to add the apiMigrations.signed-install, but it is explicitly removed by the framework when running a Bitbucket app.
So, I’m not sure how to use the latest Connect Express version for a Bitbucket app.
I can’t get the older non-signed install requests accepted and I can’t enable the signed install requests from Bitbucket?
Am I missing something obvious? Or is this an oversight and Atlassian Connect Express 7.6.0 isn’t compatible with Bitbucket?
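
A small diagnostic for the situation described in the post, added here as an example and not taken from atlassian-connect-express: it reports which of the two quoted branches an incoming /installed request would reach. The function names, the RS256 test for "asymmetric", and the sample tokens are assumptions made for the illustration.

```javascript
// Added diagnostic sketch; not code from atlassian-connect-express.
// It only reads the unverified JWT header, so it is for logging, never for authentication.

function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Token from "Authorization: JWT <token>" or from a ?jwt= query parameter.
function extractJwt(req) {
  const auth = ((req.headers || {}).authorization || "").trim();
  const m = /^JWT\s+(\S+)$/i.exec(auth);
  return m ? m[1] : (req.query || {}).jwt || null;
}

// Assumption: a token counts as asymmetric when its header says alg = RS256.
function classify(req) {
  const token = extractJwt(req);
  if (!token) return "missing";
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  try {
    return decodeSegment(parts[0]).alg === "RS256" ? "asymmetric" : "not-asymmetric";
  } catch (e) {
    return "malformed";
  }
}

// The two branch conditions quoted in the post, as a pure function.
function branchTaken(version, req, opts = {}) {
  const asym = classify(req) === "asymmetric";
  if (version === "7.4.8") {
    const signed = opts.signedInstall === "force" ||
      (Boolean(opts.signedInstallFromDescriptor) && asym);
    return signed ? "signed-install path" : "old path";
  }
  return asym ? "signed-install path" : "401";
}

// Constructed sample tokens (header.payload.signature); the signature is a dummy value.
function sampleToken(alg) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ typ: "JWT", alg }), enc({ iss: "example-client-key" }), "c2ln"].join(".");
}

const hsReq = { headers: { authorization: "JWT " + sampleToken("HS256") } };
console.log(classify(hsReq), branchTaken("7.4.8", hsReq), branchTaken("7.6.0", hsReq));
```

Logging the result of `classify(req)` in a middleware placed before the /installed route shows whether the install request carries no token, a non-RS256 token, or an RS256 token.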