skip verification parameter

MeisterLabs · Jul 26, 2021 · 034221b · 034221b
1 parent 0fc92fe
commit 034221b
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -96,6 +96,45 @@ pp current_jwt_token.base_url
 
 If you need detailed user information you need to obtain it from the instance and process it respecting GDPR.
 
+#### How to send a signed HTTP request from the iframe back to the add-on service
+
+The initial call to load the iframe content is secured by JWT. However, the loaded content cannot
+sign subsequent requests. A typical example is content that makes AJAX calls back to the add-on. Cookie sessions cannot
+be used, as many browsers block third-party cookies by default. AJA provides middleware that
+works without cookies and helps making secure requests from the iframe.
+
+Standard JWT tokens are used to authenticate requests from the iframe back to the add-on service. A route can be secured
+using the following code:
+
+```ruby
+include AtlassianJwtAuthentication
+
+before_filter only: [:protected] do |controller|
+ controller.send(:verify_jwt, 'your-add-on-key', skip_qsh_verification: true)
+end
+```
+
+In order to secure your route, the token must be part of the HTTP request back to the add-on service. This can be done
+by using the standard `jwt` query parameter:
+
+```html
+<a href="/protected?jwt={{token}}">See more</a>
+```
+
+The second option is to use the Authorization HTTP header, e.g. for AJAX requests:
+
+```javascript
+beforeSend: function(request) {
+  request.setRequestHeader("Authorization", "JWT {{token}}");
+}
+```
+
+You can embed the token anywhere in your iframe content using the `token` content variable. For example, you can embed
+it in a meta tag, from where it can later be read by a script:
+
+```html
+<meta name="token" content="{{token}}">
+
 #### Add-on licensing
 If your add-on has a licensing model you can use the `ensure_license` filter to check for a valid license.
 As with the `verify_jwt` filter, this simply responds with an unauthorized header if there is no valid license

diff --git a/lib/atlassian-jwt-authentication/filters.rb b/lib/atlassian-jwt-authentication/filters.rb
@@ -66,8 +66,8 @@ def on_add_on_uninstalled
       true
     end
 
-    def verify_jwt(addon_key)
-      _verify_jwt(addon_key, true)
+    def verify_jwt(addon_key, skip_qsh_verification: false)
+      _verify_jwt(addon_key, true, skip_qsh_verification: skip_qsh_verification)
     end
 
     def ensure_license
@@ -107,7 +107,7 @@ def ensure_license
 
     private
 
-    def _verify_jwt(addon_key, consider_param = false)
+    def _verify_jwt(addon_key, consider_param = false, skip_qsh_verification: false)
       self.current_jwt_token = nil
       self.current_account_id = nil
       self.current_jwt_context = nil
@@ -136,7 +136,7 @@ def _verify_jwt(addon_key, consider_param = false)
 
       jwt_auth, account_id, context, qsh_verified = jwt_verification.verify
 
-      unless jwt_auth && qsh_verified
+      unless jwt_auth && (qsh_verified || skip_qsh_verification)
         render_unauthorized
         return false
       end