JIRA Cloud REST API (OAuth 2.0) Error 403 on POST Requests

anon55683813 · December 17, 2018, 9:39pm

I am trying to connect my React app to the Jira Cloud API and can’t seem to get past a 403 error.

Response Error

:status: 403
Content-Type: text/html;charset=UTF-8
Access-Control-Allow-Origin: http://localhost:3000
Content-Encoding: gzip
X-XSS-Protection: 1; mode=block
Timing-Allow-Origin: *
Cache-Control: no-cache, no-store, no-transform
Date: Mon, 17 Dec 2018 21:42:01 GMT
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Vary: Origin, Accept-Encoding
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=315360000; includeSubDomains; preload

My code currently does a Auth dance using OAuth 2.0 and returns the token and cloudid. I can use this to GET issues, however POST request (like creating an issue) return with 403. I have found here that this error is returned if the user does not have the necessary permission to access the resource or run the method.

I have ensured the user has the correct scope ([write: jira-work, read: jira-work]) and verified this is reflected in the user account (in their account > connect apps tab).

My app is not linked (via ApplicationLink) or installed (via Apps, Manage Apps), is this necessary to perform POST requests?

Here is a sample of my code:

fetch(`https://api.atlassian.com/ex/jira/${jira.cloudid}/rest/api/2/issue/`, {
        method: "POST",
        headers: {
            "Content-Type": 'application/json',
            "Authorization": `Bearer ${jira.token}`
        },
        body: JSON.stringify(data)
})
.then(...)

Neither api version 2 or 3 are working for this POST request. I have explored using Basic Auth however this fails due to CORS errors.

I have verified that the POST request does work in POSTMAN (using the cloudid and token).

Can anyone confirm if this API allows for client side POST requests?

Any help would be great!

sreuter · December 24, 2018, 12:01am

Hi @anon55683813,

could you check and post the body of the response? It might have a hint.

Also, the code sample you posted has the body defined outside of the options object.

Cheers,

Sascha

anon55683813 · December 24, 2018, 12:43am

Hello @sreuter, thanks for the reply. Not sure what you mean by the body is outside of the options, the code follows the standard POST syntax for Fetch. I have updated the format a little to make this easier to see.

I have posted the response error (body) in my original post but can’t seem to see the issue (I removed some of the sensitive information like username, token etc). The only potential issue I can see is has an X-Frame-Options: SAMEORIGIN. This could imply that I have to post using same origin, hence the 403 error.

sreuter · December 24, 2018, 1:07am

Hi Charles,

apologies, I only saw the headers but not a response body above.

This should log the error from the body if there’s any:

fetch(`https://api.atlassian.com/ex/jira/${cloudid}/rest/api/3/issue`,
  {
    method: 'POST',
    headers: new Headers({
      'Authorization': `Bearer ${token}`,
      'Content-Type': 'application/json',
      'X-Atlassian-Token': 'no-check'
    }),
    body: JSON.stringify({test: 'test'})
  }
).then((body) => {
  return body.text();
}).then((bodyText) => {
  console.log(bodyText);
}).catch((err) => {console.log(err)});

By trying the same thing you mentioned I think I found what the problem is. Your request likely fails with a ‘XSRF check failed’ in the browser.

I’ve already talked to one of our security engineers and we quickly dived into the implementation code to confirm why this not working and what would need to be changed on our side. We’ve also already opened a engineering ticket to get this addressed. This will likely take a few weeks to get addressed, but I’ll keep you posted if I hear any updates!

Cheers,

Sascha

anon55683813 · December 24, 2018, 1:22am

Hello @sreuter,

Yes you are correct, the two errors I receive are:

XSRF check failed
Failed to load resource: the server responded with a status of 403 ()

That would be great, thank you! If there is any testing you would like me to do feel welcome to let me know.

anon55683813 · January 16, 2019, 12:58am

Hello @sreuter,

Checking in to see if there are any updates on this.

Thanks,
Charles

sreuter · January 24, 2019, 10:52pm

Hi @anon55683813,

the work to getting this fixed has just been picked by the respective team, I’ll let you know as soon as we have a more concrete ETA soon.

Cheers,
Sascha

sreuter · February 6, 2019, 5:35am

@anon55683813 The change has been merged and should hit production servers shortly. I’ll post another update after I got final confirmation that this has happened.

SachinPakale · July 10, 2019, 1:22pm

I am still getting the same issue - 403 Forbidden (XSRF check failed)

IdanArbel · September 26, 2020, 6:51am

hello,

this is still happening to me when trying to add a remote link. I’m working on a FIGMA plugin so the code is in the browser and i’m getting

remotelink:1 POST https://cors-anywhere.herokuapp.com/https://arbel.atlassian.net/rest/api/3/issue/FIG-1/remotelink 403 (Forbidden)
VM16656:77 XSRF check failed request response

what can I do?

AshutoshPareek · November 26, 2020, 12:26pm

I see the same issue on basic auth. Yesterday it was working fine in first attempt. But today I see this error.
GET request works fine but issue with POST

JustinHu · July 5, 2021, 6:15pm

Still experiencing this issue on basic auth with POST request in creating a JIRA ticket.