thecatontheflat / atlassian-connect-bundle
Symfony Bundle for Atlassian Connect platform
License: MIT License
I'm trying to install this app and I'm getting this error on the Jira side:

    The app descriptor failed to validate against the schema. Please confirm this app is intended for use with JIRA and then contact the app vendor.
    : object has missing required properties (["authentication"])

I know that I can make this error go away by setting:

```yaml
atlassian_connect:
    prod:
        authentication:
            type: none
```

Then installation works, but I'm not getting the tenant `oauth_client_id` and `shared_secret`.

If I set `type: jwt` then I get `shared_secret`, but still no `oauth_client_id`.

Now I figured out that to get `oauth_client_id` I need to request specific scopes:

```yaml
scopes: ['READ', 'WRITE', 'ACT_AS_USER']
```

So all is working, just missing documentation. Please add to the docs that:

- `oauth_client_id` needs the scope to be added
- `authentication` needs to be set so installation will work, and maybe set it to `jwt` as default

Try to use typed properties as much as we can. As PHP version 7.4 is still supported, union types cannot be used yet.
Dear Atlassian Connect vendor,
We've found a vulnerability in one or more of your add-ons, managed by the vendor at this email address. It lets an attacker overwrite the shared secret for an existing installation by crafting a malicious install callback. This will break the add-on on the targeted host product. It will also enable the attacker to sign JWTs with the new secret to authenticate with the add-on service and access protected data for that installation.
Fixing the vulnerability:
After a connect add-on is installed on a host product for the first time, the host will secure every subsequent install callback using a JSON Web Token (JWT) signed with the existing shared secret (not the new shared secret in the request body). The JWT will be included in the `Authorization` header like so:

    Authorization: JWT signed.base64-encoded-jwt.goes-here

To fix the vulnerability, make sure that:

- Install callback requests for existing installations have the `Authorization:` header.
- The JWT in the header is signed with the existing shared secret from the previous registration.
- The shared secret is updated to the new shared secret in the payload once the install callback has been verified (because the client will sign JWTs with the new secret from that point on).
You can test your fix using the attached python script (there are two versions: one for python 2.7 and one for python 3.5). The script attempts the shared secret overwrite against a specially-prepared test host, so will not affect your customers.
Thanks again for developing with Atlassian Connect, and please let us know if you have any questions.
Regards,
The Atlassian Connect Team
PS. Your add-on appeared not to be using the atlassian-connect-express framework. If it is using atlassian-connect-express, please simply update to version 1.0.9 of the library.
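The check the Atlassian notice asks for, written out as an added example. This is not code from atlassian-connect-bundle or from Atlassian; it is in Python because the verification logic is framework-independent (the notice's own test script is Python). It pairs the vulnerable handler, which blindly overwrites the tenant's secret on every install callback, with a hardened one that only accepts a re-install whose `Authorization: JWT` token verifies under the tenant's existing secret. `Tenant`, `TenantStore`, `handle_install` and `handle_install_unverified` are names assumed for this example; the `iss` check relies on Connect putting the host's `clientKey` in that claim.

```python
"""Install-callback verification for an Atlassian Connect add-on (HS256 JWT).

Added example, not code from atlassian-connect-bundle or from Atlassian.
Once a tenant is registered, a further install callback must carry
`Authorization: JWT <token>` signed with the tenant's EXISTING shared secret;
only after that check passes is the secret replaced by the one in the payload.
`Tenant`, `TenantStore` and the handle_install* names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT, as a Connect host does for its callbacks."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HS256 signature (and `exp`, if present) check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm: no "none", no RS256 confusion
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


@dataclass
class Tenant:
    client_key: str
    shared_secret: str


class TenantStore:
    """In-memory stand-in for the bundle's tenant persistence (assumed)."""

    def __init__(self) -> None:
        self._tenants: Dict[str, Tenant] = {}

    def get(self, client_key: str) -> Optional[Tenant]:
        return self._tenants.get(client_key)

    def save(self, tenant: Tenant) -> None:
        self._tenants[tenant.client_key] = tenant


def handle_install_unverified(store: TenantStore, payload: dict) -> Tuple[int, str]:
    """The vulnerable behaviour: any POST to the install callback overwrites the secret."""
    store.save(Tenant(payload["clientKey"], payload["sharedSecret"]))
    return 200, "registered"


def handle_install(store: TenantStore, payload: dict, authorization: Optional[str] = None,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Hardened handler: a re-install must prove knowledge of the current secret."""
    client_key = payload["clientKey"]
    existing = store.get(client_key)
    if existing is None:
        # First installation: there is no previous secret to verify against yet.
        store.save(Tenant(client_key, payload["sharedSecret"]))
        return 200, "registered"
    if not authorization or not authorization.startswith("JWT "):
        return 401, "missing Authorization: JWT header"
    # Verify against the EXISTING secret, never the one in the request body.
    claims = verify_jwt(authorization[len("JWT "):], existing.shared_secret, now)
    # Connect puts the host's clientKey in `iss`; it must match the tenant being updated.
    if claims is None or claims.get("iss") != client_key:
        return 401, "JWT not signed with the existing shared secret"
    # Only now adopt the new secret; the host signs with it from this point on.
    existing.shared_secret = payload["sharedSecret"]
    store.save(existing)
    return 200, "shared secret rotated"


if __name__ == "__main__":
    store = TenantStore()
    print(handle_install(store, {"clientKey": "jira:1", "sharedSecret": "s1"}))
    print(handle_install(store, {"clientKey": "jira:1", "sharedSecret": "evil"}))
    token = sign_jwt({"iss": "jira:1"}, "s1")
    print(handle_install(store, {"clientKey": "jira:1", "sharedSecret": "s2"}, "JWT " + token))
```

A real Connect handler also validates the other claims the host sends (notably `qsh`), which the notice does not cover and this example leaves out; the point here is the ordering: verify with the old secret first, then store the new one.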
Is there a way to use refresh tokens? Reloading the entire JIRA page is slow, and submitted form data is also lost in case the token expires between rendering a form and submitting it.
If there is no option to use refresh tokens, can we at least get a way to bypass immediate termination to implement some kind of fallback that could e.g. display cached data?
Hi @thecatontheflat,
I've installed this bundle on Symfony 4.2 with flex by composer. It throws the following error:
```text
[KO]
Script cache:clear returned with error code 1
!!
!! In AtlassianConnectExtension.php line 26:
!!
!! Notice: Undefined index: prod
```
I guess I should change the configuration, but it looks weird that just installing it throws an error.
Is it prepared to work with Symfony 4.2 with Flex?
Thanks in advance!
We should move to PHP CS fixer as it has default styles available for Symfony and psr2.
Also, docblocks are not required anymore when types are implemented decently.
Starting from Symfony 6.0 only the new authenticator should be supported.
In config: the `dev` and `prod` keys are being used to define the connect config JSON. We can remove this and use the Symfony mechanism to override config by suggesting users add `config/dev/atlassian-connect.yaml` to override config in dev.
Last tag 0.1.0 - is outdated, current master version seems to be pretty stable - what about adding new tag?
It would be nice to rebuild plugin like https://sonata-project.org/bundles/easy-extends/2-x/doc/reference/why.html So tenant entity could be easily extended.
It may break bc though.
The LicenseListener uses the Router to get all routes to then check if the option "requires_license" is set; however, `getRouteCollection()` should never be used as it is an expensive call.
See this merge and this issue.
The proper way to do this would be by using the `defaults` settings in the route.
I'm afraid changing this would be a breaking change though.
Add Psalm to tools. This will reduce obvious bugs and improve typing.
Atlassian added a pretty cool feature, ACT_AS_USER.
From what I see, this feature would require changes to this bundle.
@thecatontheflat
It looks like good improvement for your toggl plugin (plugin will be able to submit time for users in background), will you be interested in adding ACT_AS_USER to this bundle?
More of a question/suggestion
Could we have a `3.x` branch with the current release and then a `4.x` branch where we only allow PHP `^8.0`? (Symfony 6 is 8 and up.)
@Bukashk0zzz It seems to work (the badge appears on the readme), but for some reason it does not show up in the PR. Can it be project configuration issue?
Would be nice to have tests
Just try the composer require step and it will fail.
I think the reason is that cache:clear runs before the config files are copied.
I added the config files manually and it worked as expected.
Something is wrong with the compiler pass, I believe.
I will try to submit a PR for it.