thecatontheflat / atlassian-connect-bundle Goto Github PK

I'm trying to install this app and I'm getting this error on jira side.

The app descriptor failed to validate against the schema. Please confirm this app is intended for use with JIRA and then contact the app vendor.
  : object has missing required properties (["authentication"])

I know that I can get this error go away by setting:

atlassian_connect:
    prod:
        authentication:
            type: none

Then installation works but I'm not getting tenant oauth_client_id and shared_secret.

If I set type: jwt then I get shared_secret. But still no oauth_client_id.

Now I figured to get oauth_client_id I need to request specific scopes:

    scopes: ['READ', 'WRITE', 'ACT_AS_USER']

So all is working just missing documentation. Please add to docs that

• to get oauth_client_id need to add scope
• authentication needs to be set so installation will work and maybe set it to jwt as default

Try to use typed properties as much as we can. As PHP version 7.4 is still supported, union types cannot be used yet.

Dear Atlassian Connect vendor,

We've found a vulnerability in one or more of your add-ons, managed by the vendor at this email address. It lets an attacker overwrite the shared secret for an existing installation by crafting a malicious install callback. This will break the add-on on the targeted host product. It will also enable the attacker to sign JWTs with the new secret to authenticate with the add-on service and access protected data for that installation.

Fixing the vulnerability:

After a connect add-on is installed on a host product for the first time, the host will secure every subsequent install callback using a JSON Web Token (JWT) signed with the existing shared secret (not the new shared secret in the request body). The JWT will be included in the Authorization header like so: Authorization: JWT signed.base64-encoded-jwt.goes-here

To fix the vulnerability, make sure that:

Install callback requests for existing installations have the Authorization: header
The JWT in the header is signed with the existing shared secret from the previous registration.
The shared secret is updated to the new shared secret in the payload once the install callback has been verified (because the client will sign JWTs with the new secret from that point on).
You can test your fix using the attached python script (there are two versions: one for python 2.7 and one for python 3.5). The script attempts the shared secret overwrite against a specially-prepared test host, so will not affect your customers.

Thanks again for developing with Atlassian Connect, and please let us know if you have any questions.

Regards,

The Atlassian Connect Team

PS. Your add-on appeared not to be using the atlassian-connect-express framework. If it is using atlassian-connect-express, please simply update to version 1.0.9 of the library.

Is there a way to use refresh tokens? Reloading the entire JIRA page is slow and submitted form data is also lost in case the token expires between rendering a form and submitting it.

If there is no option to use refresh tokens, can we at least get a way to bypass immediate termination to implement some kind of fallback that could e.g. displays cached data?

Hi @thecatontheflat,
I've installed this bundle on Symfony 4.2 with flex by composer. It throws the following error:
[KO]
Script cache:clear returned with error code 1
!!
!! In AtlassianConnectExtension.php line 26:
!!
!! Notice: Undefined index: prod

I guess I should change the configuration, but it looks weird that just installing it throws an error.

Is it prepared to work with Symfony 4.2 with Flex?

Thanks in advance!

We should move to PHP CS fixer as it has default styles available for Symfony and psr2.
Also, docblocks are not required anymore when types are implemented decently.

Starting from Symfony 6.0 only the new authenticator should be supported.

In config: the dev and prod keys are being used to define the connect config json. We can remove this and use the Symfony mechanism to overwrite config by suggesting users to add config/dev/atlassian-connect.yaml. To overwrite config in dev.

Last tag 0.1.0 - is outdated, current master version seems to be pretty stable - what about adding new tag?

It would be nice to rebuild plugin like https://sonata-project.org/bundles/easy-extends/2-x/doc/reference/why.html So tenant entity could be easily extended.

It may break bc though.

The LicenseListener uses the Router to get all routes to then check if the option "requires_license" is set, however, getRouteCollection() should never be used as it is an expensive call.

See this merge and this issue.

The proper way to do this would be by using the defaults settings in the route.

I'm afraid changing this would be a breaking change though.

Add Psalm to tools. This will reduce obvious bugs and improve typing.

Atlassian added pretty cool feature, ACT_AS_USER

From what I see, this feature would require this bundle changes.

@thecatontheflat
It looks like good improvement for your toggl plugin (plugin will be able to submit time for users in background), will you be interested in adding ACT_AS_USER to this bundle?

More of a question/suggestion

Could we have a 3.x branch with the current release and then a 4.x branch where we only allow PHP: ^8.0. (symfony 6 is 8 and up)

@Bukashk0zzz It seems to work (the badge appears on the readme), but for some reason it does not show up in the PR. Can it be project configuration issue?

Would be nice to have tests

just try composer require step and it will fail.
I think the reason is because cache:clear runs before the config files are copied.
I added the config files manually and it worked as expected.
something wrong with the compiler pass I believe.
will try to submit a PR for it.