Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MM-15455 Some improvments to cloud connect flow. #55

Merged
merged 1 commit into from
May 10, 2019
Merged

MM-15455 Some improvments to cloud connect flow. #55

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion server/instance_cloud.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,7 @@ func (jci jiraCloudInstance) parseHTTPRequestJWT(r *http.Request) (*jwt.Token, s
// HMAC secret is a []byte
return []byte(jci.AtlassianSecurityContext.SharedSecret), nil
})
if err != nil {
if err != nil || !token.Valid {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will return an error if not valid, but just for sanity. (they check this in their docs)

return nil, "", errors.WithMessage(err, "failed to validatte JWT")
}

Expand Down
5 changes: 5 additions & 0 deletions server/user.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,11 @@ func httpUserConnect(ji Instance, w http.ResponseWriter, r *http.Request) (int,
return http.StatusUnauthorized, errors.New("not authorized")
}

// Users shouldn't be able to make multiple connections.
if jiraUser, err := ji.GetPlugin().LoadJIRAUser(ji, mattermostUserId); err == nil && len(jiraUser.Key) != 0 {
return http.StatusBadRequest, errors.New("Already connected to a JIRA account. Please use /jira disconnect to disconnect.")
}

redirectURL, err := ji.GetUserConnectURL(mattermostUserId)
if err != nil {
return http.StatusInternalServerError, err
Expand Down
7 changes: 1 addition & 6 deletions server/user_cloud.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,6 @@ const (
argMMToken = "mm_token"
)

const requireUserApproval = true

func httpACUserRedirect(jci *jiraCloudInstance, w http.ResponseWriter, r *http.Request) (int, error) {
if r.Method != http.MethodGet {
return http.StatusMethodNotAllowed,
Expand All @@ -32,10 +30,7 @@ func httpACUserRedirect(jci *jiraCloudInstance, w http.ResponseWriter, r *http.R
return http.StatusBadRequest, err
}

submitURL := path.Join(jci.Plugin.GetPluginURLPath(), routeACUserConnected)
if requireUserApproval {
submitURL = path.Join(jci.Plugin.GetPluginURLPath(), routeACUserConfirm)
}
submitURL := path.Join(jci.Plugin.GetPluginURLPath(), routeACUserConfirm)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The confirmation is required to be secure. Otherwise you can trick people into clicking the link.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jasonblais is requesting the opposite :) Can you two please resolve it? (I'm 3/5 that security should win, and we should have the explicit warning/confirmation)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup. Will chat with @jasonblais

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Chatted with @crspeller, given the level of a security vulnerability if this button wasn't added, I'm good with this change.

Approving PR.


return jci.Plugin.respondWithTemplate(w, r, "text/html", struct {
SubmitURL string
Expand Down