JWT authentication of POST request from iFrame back to host

I’m trying to add an admin page to an Atlassian Connect Express app and I can’t find a way to secure the page. I’d like to be able to prevent XSRF or a non-admin user from submitting the data.

Code from admin page:

<script type="text/javascript">
    function submitSettings() {
            url: "/test-post",
            type: "POST",
            data: { testdata: "1234" },
            dataType: "json",
            beforeSend: function (xhr) {   
                xhr.setRequestHeader("Authorization", "JWT {{token}}");
            success: function (result) {
                // Handler goes here

Code from routes.js:

app.post('/test-post"', addon.checkValidToken(), function(req, res){
        res.json({received: true});

But every time I get 401: Unauthorized: Authentication failed: query hash does not match.

If I change to using GET it works, but I need to submit more data than you can fit into a URL.

Why not use AP.request and AP.getUser to verify who is making the request?

Because if a user knows the endpoint (by watching the Network requests) they can make malicious requests.

I see. I will research this more for you.

Hi @wsdan @scallahan,

I am also experiencing this authenticating url issue. Have you found solution for this? Can you please share the solution here. You have mentioned it works when using GET. But it does not work for me when using GET too. Issue ‘Authentication verification error: 401 Invalid JWT’ still exists. How to solve this?