Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AMS-26036: Update static routes to perform jwt validation #208

Merged
merged 2 commits into from
Jan 29, 2024
Merged

AMS-26036: Update static routes to perform jwt validation #208

merged 2 commits into from
Jan 29, 2024

Conversation

Roystbeef
Copy link
Collaborator

We got a ticket from atlassian's security team RE: returning <400 status for https://figma-for-jira.figma.com/static/admin and https://figma-for-jira.figma.com/static/issue-panel/issue-panel.html when passed invalid jwts

This is a non-issue since we're not doing any server-side rendering on these routes and subsequent requests do perform JWT validation.

But it doesn't hurt to validate the token before serving these static html files

Test Plan

  • Assert that the legacy and admin config page still work
  • Deploy on staging first and verify that everything still works before deploying to prod

akostevich-atlassian
akostevich-atlassian reviewed Jan 29, 2024
View reviewed changes
src/web/middleware/jira/jira-query-symmetric-jwt-auth-middleware.ts Outdated
* @see https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/#types-of-jwt-token
* @see https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072
*/
export const jiraQuerySymmetricJwtAuthMiddleware: RequestHandler = (
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick (non-blocking): Consider renaming this to jiraContextSymmetricJwtFromQueryAuthMiddleware to highlight that it verifies a context symmetric JWT.

We could also name our middlewares based on their purpose instead of the token type (e.g., staticPageAuthMiddleware) but we will need to rename other middlewares as well for consistency.

akostevich-atlassian
akostevich-atlassian approved these changes Jan 29, 2024
View reviewed changes
Copy link
Collaborator

@akostevich-atlassian akostevich-atlassian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job, Roy! 🚀

@Roystbeef Roystbeef merged commit 246679e into main Jan 29, 2024
2 checks passed
@Roystbeef Roystbeef deleted the roy/iframe-jwt-validation branch January 29, 2024 20:06
This was referenced Feb 12, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akostevich-atlassian akostevich-atlassian akostevich-atlassian approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Roystbeef @akostevich-atlassian