JWT authentication of POST request from iFrame back to host

I’m trying to add an admin page to an Atlassian Connect Express app and I can’t find a way to secure the page. I’d like to be able to prevent XSRF, or a non-admin user, from submitting the data.

Code from admin page:

<script type="text/javascript">
    // Posts the settings with the JWT that ACE rendered into the page template as {{token}}.
    function submitSettings() {
        $.ajax({
            url: "/test-post",
            type: "POST",
            data: { testdata: "1234" },
            dataType: "json",
            beforeSend: function (xhr) {
                // Send the token in the Authorization header rather than as a query parameter.
                xhr.setRequestHeader("Authorization", "JWT {{token}}");
            },
            success: function (result) {
                // Handler goes here
            }
        });
    }
</script>

Code from routes.js:

app.post('/test-post', addon.checkValidToken(), function (req, res) {
    // checkValidToken() verifies the JWT (signature and query string hash) before this handler runs.
    res.json({ received: true });
});

But every time I get “401: Unauthorized: Authentication failed: query hash does not match”.

If I change to using GET it works, but I need to submit more data than you can fit into a URL.

Why not use AP.request and AP.getUser to verify who is making the request?

Because if a user knows the endpoint (by watching the Network requests) they can make malicious requests.

I see. I will research this more for you.

Hi @wsdan @scallahan,

I am also experiencing this URL authentication issue. Have you found a solution for this? Could you please share the solution here? You mentioned that it works when using GET, but it does not work for me with GET either. The issue ‘Authentication verification error: 401 Invalid JWT’ still exists. How do I solve this?