MDTZ-1461 static resource auth #211
Conversation
| * @see https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/#types-of-jwt-token | ||
| * @see https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072 | ||
| */ | ||
| export const jiraIframeSymmetricJwtAuthenticationMiddleware: RequestHandler = ( |
There was a problem hiding this comment.
note: Represents a replacement for the deleted jiraContextSymmetricJwtFromQueryAuthenticationMiddleware (introduced within #208) as the correct way to authenticate requests from iframes.
The new middleware uses a different verifier (jiraIframeOrServerToServerSymmetricJwtTokenVerifier instead of jiraContextSymmetricJwtFromQueryAuthenticationMiddleware) and apples minor fixes to how a request is handled.
However, the middleware is not currently used and can be safely removed if the team agrees on serving static content without authentication. However, if we decide that the authentication is required, this middleware can be used to handle this.
| jiraAdminOnlyAuthorizationMiddleware, | ||
| ); | ||
|
|
||
| staticRouter.use( |
There was a problem hiding this comment.
note: Currently, all requests to /static/issue-panel.html fail with HTTP 401. The issue is caused by a bug in the original jiraContextSymmetricJwtFromQueryAuthenticationMiddleware.
| export const staticRouter = Router(); | ||
|
|
||
| staticRouter.use( | ||
| '/admin/index.html', |
There was a problem hiding this comment.
note: The auth issue is not reproducible with the admin page. This happens since the admin page is served from /static/admin but not /static/admin/index.html (see here) therefore, and therefore, this configuration is ignored for requests from Jira.
There was a problem hiding this comment.
🤦🏻♂️ the confirmation bias in me testing this code
Changes
HTTP 401error. Please, see the comments below for more detail.Notes
The issue is resolved by allowing serving static content (e.g., HTML, CSS, etc.) with no authentication/authorization. While the authentication has been recently introduced within #208, we might need to re-evaluate this decision for the following reasons:
HTTP 401from iframes -- it looks like a generic error, so returningHTTP 401does not bring much value to users.Please, see the comments below for more detail.