JWT format is invalid when /installed is called when reinstalling a Bitbucket app

(cross posting from here, because I think this is actually the correct place for the question)


Problem

I am seeing a JWT format error when re-installing a Bitbucket connect app:

{} Authentication verification error (401): Invalid JWT: Unexpected token m in JSON at position 0

To reproduce:

  1. Create, run and install the sample Bitbucket connect app according to the “getting started” guide at Getting started
  2. Re-install the app by re-visiting the installation link from step 9 of the “getting started” guide.

Expected:

The application is re-installed without error.

Actual:

The call to /installed results in a 401 error being thrown:

{} Authentication verification error (401): Invalid JWT: Unexpected token m in JSON at position 0
POST /installed 401 33234.738 ms - 53

Notes:

Looking at the incoming request, I can see the Authorisation header looks like this:

Authorization: JWT b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcmk6Y2xvdWQ6Yml0YnVja2V0OjphcHAve2I2YzRiNzcwLWZjMDgtNDcxMS05NTdkLTU2MGExMzU4YjM4ZH0vZXhhbXBsZS1hcHAtMTIzNDU2IiwiZXhwIjoxNjU3MzAwMDg0LCJpYXQiOjE2NTcyOTY0ODQsInFzaCI6IjRhMmUxZGU4Y2E3NGU2Y2FmZTg4NjJkMzMyZmEzYWM3YThlNTFlNjkyYmM2ZDc5OGVhNGRmZWRjMTQ5NDhiZjQiLCJhdWQiOiJhcmk6Y2xvdWQ6Yml0YnVja2V0OjphcHAve2I2YzRiNzcwLWZjMDgtNDcxMS05NTdkLTU2MGExMzU4YjM4ZH0vZXhhbXBsZS1hcHAtMTIzNDU2In0.PLgvhYcfdObBX6eEbxHzJxoajeNcjCaJBuGGdwtlzjQ'

Notice that the JWT starts with b' and also ends with a single quote. This is causing an error in the atlassian-jwt/dist/lib/jwt.js module when decoding the JWT.

If you remove the leading b' and trailing quote, then the JWT format looks correct.

Something on the Atlassian/Bitbucket side seems to be generating wrapped/invalid JWTs when making that /installed API call.

2 Likes

Hello @pwoolley2015,

I checked the information you provided, and I engaged our engineering team. They are investigating this issue now.

I will update this thread as soon as more information is available from their side.

Regards,

Thiago.

1 Like

Resolved by a fix on Atlassian’s side.

2 Likes