UNPKG

@seibert/atlassian-connect-tooling

Version:

Provides authentication & utility methods for Atlassian Connect apps running on Express.

154 lines (149 loc) 7.26 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
/// <reference types="node" /> /// <reference types="qs" /> /// <reference types="range-parser" /> import { Request as AtlassianJwtRequest } from 'atlassian-jwt'; import { NextFunction, Request as ExpressRequest, Response as ExpressResponse } from 'express-serve-static-core'; import { JwtPayload } from 'jsonwebtoken'; export interface AtlassianConnectConfig { baseUrl: string; } export type TenantDataWithSharedSecret = { sharedSecret: string; } & unknown; export type TenantDataWithClientKey = { clientKey: string; } & unknown; export type TenantByClientKeySupplier = (clientKey: string) => Promise<TenantDataWithSharedSecret | null>; export interface AtlassianConnectAuthenticationMiddlewareConfig { fetchTenantByClientKey: TenantByClientKeySupplier; requestsForQshValidation?: AtlassianJwtRequest[]; } export type AuthenticatedInstallationRequest = ExpressRequest & { validatedJwtPayload: JwtPayload; }; /** * Returns a middleware that can be used for authentication of install and uninstall lifecycle hook requests in Atlassian Connect ecosystem. * The composed middleware verifies the requests as outlined in the Atlassian Connect documentation using a asymmetric encryption and a RSA public key * provided from an Atlassian Host. * * @see https://community.developer.atlassian.com/t/action-required-atlassian-connect-installation-lifecycle-security-improvements/49046 * @see https://developer.atlassian.com/cloud/confluence/understanding-jwt/ * * You have to provide the baseUrl of your app. This is most probably the host you provide as a "baseUrl" in your atlassian-connect.json. * * Example usage: * * app.post('/lifecycle/installed/', [composeAtlassianConnectInstallationMiddleware({baseUrl: ATLASSIAN_CONNECT_FILE.baseUrl})], async (req: Request & ReqWithFirebaseUser, res: Response) => { * console.log('Atlassian Connect Lifecycle Hook triggered: /installed', req.body); * await persistInstallation(db, req.body); * res.send(); * }); * * @param baseUrl * baseUrl from your atlassian-connect.json. */ export declare function composeAtlassianConnectInstallationMiddleware({ baseUrl }: AtlassianConnectConfig): (req: AuthenticatedInstallationRequest, res: ExpressResponse, next: NextFunction) => void; export type AuthenticatedAtlassianRequest = ExpressRequest & { atlassianVerified: { userAccountId: string; clientKey: string; tenant: TenantDataWithSharedSecret; jwtPayload: JwtPayload; }; }; /** * Returns a middleware that can be used for authentication of user requests. * The composed middleware verifies the requests as outlined in the Atlassian Connect documentation using a JWT signed with the sharedSecret of a tenant. * * @see https://developer.atlassian.com/cloud/confluence/understanding-jwt/ * @param baseUrl * BaseUrl from your atlassian-connect.json. * @param fetchTenantByClientKey * Method that asynchronously returns the data that you have stored for the tenant given its clientKey. Returned data has to contain at least a "sharedSecret". * Return null if no matching tenant can be found by your implementation. * @param requestsForQshValidation (optional) * The default behaviour of the returned middleware is to use the actual Express request that is passed into it to validate the given JWTs query hash (qsh claim). * You can optionally choose to validate the given qsh against another fictitious requests. If one request matches the qsh, the request is assumed to be authenticated. * This functionality can be used in combination with createJwtForRequestAuthorization which allows you to create JWTs for such fictitious requests. * A client can receive such JWTs and use it to make requests to endpoints protected by the returned middleware. * * @see create-jwt.ts for code examples */ export declare function composeAtlassianRequestAuthenticationMiddleware({ baseUrl, fetchTenantByClientKey, requestsForQshValidation }: AtlassianConnectConfig & AtlassianConnectAuthenticationMiddlewareConfig): (req: AuthenticatedAtlassianRequest, res: ExpressResponse, next: NextFunction) => void; /** * Creates a JWT that can be used for authentication of requests by providing it in the Authorization header as "JWT xxx". * @param tenantData * Data object you have stored for the Atlassian tenant. It has to contain a sharedSecret (used for JWT signing) and a * clientKey (used as the JWT audience). * @param issuer * Issuer string to be passed as the JWTs iss claim. Should be set to the app-key if you use this token for api calls * in server-to-server communication with atlassian host products. * @param expirationInSeconds * JWT expiration time in seconds. defaults to 300. * @param method * HTTP method of the signed request (GET, POST, ...). defaults to GET. * @param pathname * Pathname of the signed request (sth. like "/rest/api/content"), used to generate query hash (qsh claim). * @param body * Body of the signed request, used to generate query hash (qsh claim). * @param query * Query params of the signed request, used to generate query hash (qsh claim). * @param baseUrl * BaseUrl of the requests. Gets passed as baseUrl param to Atlassians jwt library. Can be omitted if pathname is set correctly * @param additionalClaims * Additional claims to be appended to JWT payload. Can be used to override aspects of the JWT or to enrich it with additional context information like a userId * * @example * usage for api calls to confluence * ```ts * const jwt = createJwtForRequestAuthorization({ * issuer: "my-app-key", * request: {pathname: "rest/api/content", method: "GET"}, * tenantData: { * clientKey: "tenant-key-of-installation-cb1f7a7ee297", * sharedSecret: "sharedSecretOfClientFromInstallationProcess" * } * }); * ``` * * @example * usage for authentication against middleware function from authenticate-middleware.ts with fictitious path * ```ts * // 1. generate jwt * const jwt = createJwtForRequestAuthorization({ * issuer: "tenant-key-of-installation-cb1f7a7ee297", * request: {pathname: "/admin-only", method: "GET"}, * tenantData: { * clientKey: "tenant-key", * sharedSecret: "tenants-shared-secret" * } * }); * * // ... pass it to the client ... * * // 2. validate with middleware * const middleware = composeAtlassianRequestAuthenticationMiddleware({ * baseUrl: "https://your.apps.base.url", * fetchTenantByClientKey: (clientKey: string) => Promise.resolve({ * clientKey: "tenant-key", * sharedSecret: "tenants-shared-secret" * }), * requestsForQshValidation: [{method: "GET", pathname: "/admin-only"}] * }); * * // 3. use middleware for authentication * app.post("/some/endpoint/", [middleware], async(req: Request, res: Response) => { * res.send(); * }); * ``` **/ export declare function createJwtForRequestAuthorization({ tenantData, issuer, expirationInSeconds, request: { method, pathname, body, query }, baseUrl, additionalClaims, }: CreateJwtForRequestParams): string; export interface CreateJwtForRequestParams { tenantData: TenantDataWithSharedSecret & TenantDataWithClientKey; issuer: string; expirationInSeconds?: number; request: Partial<AtlassianJwtRequest>; baseUrl?: string; additionalClaims?: Partial<JwtPayload>; } export {};