JSD comment images through API

Hello!

We have run into an issue that we believe to be a bug/inconsistency in the Atlassian API.

Our software integrates with JSD and we have a view where we render JSD requests and request comments. If a comment contains attached images, we proxy these through our backend to avoid issues with cross-site cookies being blocked in Safari.

In the addon we make a request to the image with a call similar to this:

// Atlassian Connect Express httpClient, scoped to the logged-in user so that
// Jira enforces that user's permissions on the attachment.
addon.httpClient.asUserByAccountId(userAccountId).get({
  method: 'get',
  // "thumbnail" or "attachment", depending on which image size is wanted
  url: '/secure/{"thumbnail" or "attachment"}/{commentId}/myimage.png?fromIssue={issueId}',
  headers: {
    'X-ExperimentalApi': 'opt-in',
    'x-atlassian-force-account-id': 'true'
  },
  resolveWithFullResponse: true
});

This request responds with status code 200 and an HTML page with the title “Access Denied - Jira”. Removing the asUserByAccountId call from the request above will successfully return the image, but we want to make the request as the logged-in user because otherwise a user would have access to all images if they know the URL.

We also tried adding /servicedesk/customershim to the path but this will instead respond with a redirect to the JSD login page.

If we make a request using asUserByAccountId to /rest/servicedeskapi/request/{requestId}/comment/{commentId}?expand=attachment it will return an object with a link to the image which makes it feel that it should be possible for the addon to fetch the image as the same user.

For Confluence images we can make the same kind of request to /download/attachments/* and in that case it works with asUserByAccountId.

Summary:

  • We can fetch comment attachment and thumbnail images from /secure/* using addon credentials but not using user credentials
  • The user has access to the comment where the images are attached
  • We can fetch the attachment object from the REST API using user credentials and this object refers to the images
  • Given that the user has access to the comment where the images are attached, it feels natural that the addon should be able to fetch the image data using user credentials

Is there some other way that can be used to fetch the images from an addon as a user?
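The security concern in the post is that fetching with addon credentials alone would let anyone who knows a /secure/ URL obtain the image. The following is an added example, not the poster's or Atlassian's code, of a defensive pattern built only from the two calls the post already uses: first confirm, as the user, which attachment URLs that user can see (the servicedeskapi comment call), then fetch only one of those URLs with addon credentials. The response shape `attachments.values[]._links.{content,thumbnail}`, the callback signature `get(options, cb)`, and the fake client are assumptions constructed so the example runs offline.

```javascript
// Promisify the callback-style ACE httpClient.get(options, cb) used in the post.
function getAsPromise(client, options) {
  return new Promise((resolve, reject) =>
    client.get(options, (err, res, body) => (err ? reject(err) : resolve({ res, body }))));
}

// Step 1 (as the user): list the image URLs of a comment's attachments via the REST call from
// the post. Returns null when the comment is not readable by that user. The response shape
// `attachments.values[]._links.{content,thumbnail}` is an assumption, not taken from the post.
async function userVisibleImageUrls(addon, userAccountId, requestId, commentId) {
  const { res, body } = await getAsPromise(addon.httpClient.asUserByAccountId(userAccountId), {
    url: `/rest/servicedeskapi/request/${requestId}/comment/${commentId}?expand=attachment`,
    headers: { 'X-ExperimentalApi': 'opt-in' },
    resolveWithFullResponse: true,
  });
  if (res.statusCode !== 200) return null;
  const json = typeof body === 'string' ? JSON.parse(body) : body;
  const urls = new Set();
  for (const a of (json.attachments && json.attachments.values) || [])
    for (const k of ['content', 'thumbnail']) if (a._links && a._links[k]) urls.add(a._links[k]);
  return urls;
}

// Step 2 (as the addon): fetch the bytes only for a URL step 1 returned, so a caller who merely
// knows the URL gets 403. A 200 carrying the HTML "Access Denied" page seen in the post is
// rejected by content type instead of being proxied to the browser.
async function fetchImageForUser(addon, userAccountId, requestId, commentId, imageUrl) {
  const allowed = await userVisibleImageUrls(addon, userAccountId, requestId, commentId);
  if (!allowed || !allowed.has(imageUrl)) return { status: 403, body: null };
  const { res, body } = await getAsPromise(addon.httpClient, { url: imageUrl, resolveWithFullResponse: true });
  const type = (res.headers && res.headers['content-type']) || '';
  if (res.statusCode !== 200 || !type.startsWith('image/')) return { status: 502, body: null };
  return { status: 200, contentType: type, body };
}

// Constructed offline stand-in for addon.httpClient: user-1 may read comment 10001, user-2 may
// not, and (as in the post) a user-scoped /secure/ fetch yields a 200 HTML "Access Denied" page.
const IMG = '/secure/attachment/10001/myimage.png?fromIssue=10000';
function fakeClient(asUser) {
  const ok = (cb, type, body) => cb(null, { statusCode: 200, headers: { 'content-type': type } }, body);
  return { get(options, cb) {
    if (!options.url.startsWith('/rest/')) {
      return asUser ? ok(cb, 'text/html', '<title>Access Denied - Jira</title>') : ok(cb, 'image/png', 'PNG-BYTES');
    }
    if (asUser !== 'user-1') return cb(null, { statusCode: 404, headers: {} }, '');
    return ok(cb, 'application/json', JSON.stringify({ attachments: { values: [{ _links: { content: IMG } }] } }));
  } };
}
const fakeAddon = { httpClient: Object.assign(fakeClient(null), { asUserByAccountId: (id) => fakeClient(id) }) };
```

With the real ACE client the same two functions apply unchanged; only `fakeAddon` is replaced by the real `addon` object.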