How can I secure my Confluence app’s install endpoint from calls that do not genuinely originate from Atlassian?
My understanding is that on first install of an app there is no JWT token because there was no previous shared secret between the connect app and Atlassian for that customer’s install. See security for connect apps.
Since Confluence apps must persist the sharedSecret on app install, my concern is that anyone on the internet can post to my install endpoint and I’ll end up persisting junk data in my database. I’ve obfuscated my install URL, but it’s easy to discover by reading my app’s descriptor atlassian-connect.json. As far as I know the filename for the app descriptor can’t be obfuscated; is that correct?
Is there anything I can do to secure the install endpoint on first call so only genuine calls from Atlassian are accepted? A few possible ideas spring to mind:
- A shared secret between Atlassian and my developer account which can be used as an auth bearer token.
- IP address list of Atlassian hosts. I know this might be brittle.
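As an added example (not code from the question or from Atlassian), the following sketch shows how an install handler can bound the damage the question worries about. The first install is unsigned, so a forged call can at most create a junk row for a clientKey no real site uses; but once a sharedSecret is stored for a clientKey, Atlassian signs every later install or upgrade call for that site with a JWT in the `Authorization: JWT <token>` header, using the previous sharedSecret and `iss` equal to the clientKey, so a forged call can never overwrite a real tenant's secret. The handler name `handle_installed`, the in-memory `TENANTS` dict standing in for the database, and the hand-rolled stdlib HS256 verifier (in place of a JWT library) are assumptions made for this example; `sign_hs256_jwt` exists only to construct sample requests, since in practice Atlassian does the signing.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT. Used here only to build constructed sample requests;
    in real life Atlassian signs the lifecycle call, not the app."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: str, now=None):
    """Return the claims if token is a valid, unexpired HS256 JWT under secret, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuses "alg": "none" and algorithm-confusion tokens
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(claims, dict) or (exp is not None and now >= exp):
        return None
    return claims


TENANTS: dict = {}  # clientKey -> sharedSecret; stands in for the app's database (assumption)


def handle_installed(headers: dict, payload: dict, now=None):
    """Hypothetical handler for the 'installed' lifecycle POST. Returns (http_status, reason)."""
    client_key = payload.get("clientKey")
    shared_secret = payload.get("sharedSecret")
    if not client_key or not shared_secret:
        return 400, "missing clientKey or sharedSecret"
    existing = TENANTS.get(client_key)
    if existing is None:
        # First install: there is no prior secret to verify against, so the call
        # is accepted as-is. A forged first install only creates a junk row for a
        # clientKey that no genuine site owns.
        TENANTS[client_key] = shared_secret
        return 204, "first install stored"
    # Re-install / upgrade: the call must be signed with the previous secret and
    # the iss claim must name this clientKey, so nobody can replace a real secret.
    auth = headers.get("Authorization", "")
    if not auth.startswith("JWT "):
        return 401, "re-install must carry a JWT signed with the previous sharedSecret"
    claims = verify_hs256_jwt(auth[len("JWT "):], existing, now)
    if claims is None or claims.get("iss") != client_key:
        return 401, "bad signature, expired token, or iss does not match clientKey"
    TENANTS[client_key] = shared_secret
    return 204, "re-install stored"


def demo():
    """Constructed walk-through: first install, unsigned overwrite, wrong-key
    signature, then a genuine signed re-install. Returns the status codes seen
    plus the secret finally stored."""
    TENANTS.clear()
    now = 1_700_000_000
    site = {"clientKey": "site-1"}
    out = [handle_installed({}, {**site, "sharedSecret": "old-secret"}, now)[0]]
    out.append(handle_installed({}, {**site, "sharedSecret": "attacker"}, now)[0])
    forged = sign_hs256_jwt({"iss": "site-1", "iat": now, "exp": now + 180}, "guess")
    out.append(handle_installed({"Authorization": "JWT " + forged},
                                {**site, "sharedSecret": "attacker"}, now)[0])
    good = sign_hs256_jwt({"iss": "site-1", "iat": now, "exp": now + 180}, "old-secret")
    out.append(handle_installed({"Authorization": "JWT " + good},
                                {**site, "sharedSecret": "new-secret"}, now)[0])
    out.append(TENANTS["site-1"])
    return out  # [204, 401, 401, 204, "new-secret"]


if __name__ == "__main__":
    print(demo())
```

This does not close the first-install gap the question is about; it only guarantees that an unauthenticated caller can pollute the table with rows for made-up clientKeys, never hijack an existing site. A production handler would also validate the `qsh` (query string hash) claim as the Connect documentation describes and should treat rows that never see a signed follow-up request as candidates for cleanup.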