Library that implements new Connect installation hook for Express and similar frameworks

Hey there,

We have implemented the new Install Hook for Atlassian Connect for our custom JWT auth solution. We are using Express.js but not ACE (Atlassian Connect Express), which does not export reusable middleware functions.

We have published our middleware as an open-source project. It is available as an npm module.

It is open source and may help people that are using Express.js, Next, Nuxt or some similar framework that is able to make use of an Express middleware function.

A basic usage might look like this:

```typescript
import express, {Request, Response} from "express";
import {composeAtlassianConnectInstallationMiddleware} from "@seibert/atlassian-connect-tooling";

const app = express();
app.use(express.json()); // parse the JSON lifecycle payload into req.body

// If you use this before 29th Oct 2021, remember to opt in to the new handshake in your atlassian-connect.json by adding "apiMigrations": {"signed-install": true}.
const installAuthentication = composeAtlassianConnectInstallationMiddleware({baseUrl: "https://example.com"});

// handleInstall and handleUninstall are the app's own handlers (not shown here).
app.post('/lifecycle/installed/', [installAuthentication], async (req: Request, res: Response) => {
	// Request is authenticated, process the installation here. The necessary information is in the request body.
	await handleInstall(req.body);
	res.send();
});

app.post('/lifecycle/uninstalled/', [installAuthentication], async (req: Request, res: Response) => {
	// Request is authenticated, process the uninstall here. The necessary information is in the request body.
	await handleUninstall(req.body);
	res.send();
});
```

Security
The package's tests have full code coverage and demonstrate the rejection of invalid JWT payloads in different test suites.

Hope this helps someone :slight_smile:

Julian

5 Likes
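An added example (not code from @seibert/atlassian-connect-tooling or from any poster in this thread) of the kind of checks a signed-install middleware has to make before the handler runs, and of the rejections the post's Security note refers to. It assumes an RS256-signed JWT whose audience claim equals the app's `baseUrl`; the function names, reason strings, claims and locally generated key pairs are all constructed for illustration.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

const b64url = (d: string | Buffer): string =>
  (typeof d === "string" ? Buffer.from(d) : d).toString("base64url");

// Helper for the constructed samples: compact JWT, RS256-signed when a key is given.
function makeToken(header: object, claims: object, key?: KeyObject): string {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = key ? createSign("RSA-SHA256").update(input).sign(key) : Buffer.alloc(0);
  return `${input}.${b64url(sig)}`;
}

// Returns "ok" or the reason the token is rejected.
function verifyInstallJwt(token: string, publicKey: KeyObject, baseUrl: string, nowSec: number): string {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  let header: any, claims: any;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch {
    return "malformed";
  }
  // Pin the algorithm; never let the token pick it (blocks "none" and HMAC confusion).
  if (header?.alg !== "RS256") return "bad-alg";
  const signatureOk = createVerify("RSA-SHA256")
    .update(`${parts[0]}.${parts[1]}`)
    .verify(publicKey, Buffer.from(parts[2], "base64url"));
  if (!signatureOk) return "bad-signature";
  // Assumed claim checks: audience equals the app's baseUrl, token not expired.
  const aud = Array.isArray(claims?.aud) ? claims.aud : [claims?.aud];
  if (!aud.includes(baseUrl)) return "bad-audience";
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return "expired";
  return "ok";
}

// Constructed sample data: local key pairs stand in for the real signing keys.
const NOW = 1_700_000_000;
const BASE_URL = "https://example.com";
const issuer = generateKeyPairSync("rsa", { modulusLength: 2048 });
const other = generateKeyPairSync("rsa", { modulusLength: 2048 });
const HEADER = { alg: "RS256", typ: "JWT" };
const CLAIMS = { iss: "constructed-client-key", aud: BASE_URL, exp: NOW + 180 };

const check = (t: string): string => verifyInstallJwt(t, issuer.publicKey, BASE_URL, NOW);
console.log(check(makeToken(HEADER, CLAIMS, issuer.privateKey)));
console.log(check(makeToken({ alg: "none" }, CLAIMS)));
```

The signature is checked before any claim is trusted, so a forged audience or expiry never reaches the claim checks.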

@JulianWolf Thanks for publishing this library.

I’ve got a follow-up question: how are you handling the equivalent of addon.authenticate() and addon.checkValidToken() in your app?

Hey marc :slight_smile:

The addon.authenticate() method also returns a middleware function by providing the addon object. As we don’t have this addon object available in our custom implementation and we didn’t want to mock it (which seems unstable when it’s about authentication), we built another middleware function for that functionality. In our code it looks like this:

```typescript
// authenticateAtlassianRequest is our own middleware function (not shown here).
app.get('/some-endpoint/', [authenticateAtlassianRequest], async (req: Request, res: Response) => {
	res.send();
});
```

We have plans to add this middleware functionality (for the use case of authenticating common requests) to @seibert/atlassian-connect-tooling as well because we will use this mechanism across multiple projects.

I just looked up the checkValidToken you have mentioned because I was not aware of it. It also calls addon.authenticate(), which is why I think the same answer applies.

Julian

2 Likes

@JulianWolf There is also an older open-source project, GitHub - DanielHreben/atlassian-connect-auth: Helper for handling webhooks from Atlassian products. They use their own addon object. However, I believe it is not updated for the newer asymmetric install hooks.

1 Like