I have used this video to properly understand how the JWT QSH is created from a SHA-hashed canonical request.
I have also gone through this site, Understanding JWT: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/.
I have replicated everything done there and am still confused. I have never been able to reproduce the qsh.
const jwt = require("atlassian-jwt");

if (verifiedClaims.qsh) {
  const { baseUrl } = payload;
  const url = JWTHelper.decodeUrlToMatchJWTQueryStringHash(baseUrl);
  logger.debug(`url[${url}]`);
  // Build the request descriptor (method + URL) that the library hashes
  const req = jwt.fromMethodAndUrl("GET", url);
  logger.debug(`req[${JSON.stringify(req)}]`);
  let expectedHash = jwt.createQueryStringHash(req);
  logger.debug(`expectedHash[${expectedHash}]`);
  let signatureHashVerified = verifiedClaims.qsh === expectedHash;
  logger.json("signatureHashVerified", { qsh: verifiedClaims.qsh, expectedHash, signatureHashVerified });
  if (!signatureHashVerified) {
    // If signatureVerified is false, then check the url if its a PUT/POST.
    // createQueryStringHash(req, checkBodyForParams, baseUrl): the second argument is a
    // boolean, so the URL belongs in the third position, as in createCanonicalRequest below
    expectedHash = jwt.createQueryStringHash(req, true, url);
    signatureHashVerified = verifiedClaims.qsh === expectedHash;
    logger.json("signatureHashVerified", { qsh: verifiedClaims.qsh, expectedHash, signatureHashVerified });
    if (verifiedClaims.qsh !== expectedHash && verifiedClaims.qsh !== "context-qsh") {
      const canonicalRequest = jwt.createCanonicalRequest(req, true, url);
      logger.error(
        'Auth failure: Query hash mismatch: Received: "' + verifiedClaims.qsh + '" but calculated "' + expectedHash + '". ' +
        'Canonical query was: "' + canonicalRequest);
      throw new Error("Authentication failed: query hash does not match.");
    }
  }
}
The code above is from the link Understanding JWT. I am using the atlassian-jwt npm package (atlassian-jwt - npm).
Please, where am I getting it all wrong? From my code, or from any other perspective, what can I do to fix the issue and verify the qsh?