I'm developing a Weebly app - why is the :jwt in the following entry in our manifest not being replaced?

Question

does anyone have any ideas why the :jwt in the following entry in our Weebly app manifest isn't being replaced?

"callback_url" : "https://www.mymobileapp.online/home/index?vendorId=Weebly&:jwt"

The incoming request I see is:

https://www.mymobileapp.online/home/index?vendorId=Weebly&:jwt?user_id=62581379&timestamp=1479434021&site_id=163706648712782041&hmac=...our_hmac...&version=1.0.0&callback_url=https%3A%2F%2Fwww.weebly.com%2Fapp-center%2Foauth%2Fauthorize

so, as you can see, the ':jwt' is still there, and Weebly is appending it's querystring operand and parameters after it.

I've read the "Configure the Manifest for OAuth" section on the page below, and as far as I can see I'm configuring the manifest correctly. What am I missing?

https://dev.weebly.com/configure-oauth.html

Answer 1

You may have figured this out, by now, but your callback_url should NOT have the :jwt in it to begin with.. Problem solved ;)

If the user can manage the App/Settings, then you would use manage_app_url. And on the page of your website that you have set for the manage_app_url you would then listen for jwt. (then you can also use "oauth_final_destination" : "manage", if you want them to end up on your site after the install) See: https://dev.weebly.com/how-users-manage-your-app.html

**EDIT See also: https://dev.weebly.com/sso-with-jwt.html **

So for example, with PHP, on the manage_app_url page of your site you would do:

if (isset($_GET['jwt'])) {
   $app_client_id = "Your APP ID";
   $client_secret = "Your APP SECRET";
   $jtw = $_GET['jwt'];

   /**
   * You can add a leeway to account for when there is a clock skew times between
   * the signing and verifying servers. It is recommended that this leeway should not be bigger than a few minutes.
   * Source: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
   */

   try {
     JWT::$leeway = 60; // $leeway in seconds
     $decoded = JWT::decode($jtw, $client_secret, array('HS256'));
     if (!empty($decoded)) {
         $decoded_array = (array) $decoded;
         // Continue with your websites code to verify the Weebly users info
     }
   }
} // END IF ISSET JWT

Answer 2

Although this response is correct, I think the original post was off as its the manage_app_url that uses the :jwt

I had the same issue, but discovered that it does not work when installing as a draft app, however, accessing the "manage app" link thru the app interface and it is correct. ie., the :jwt is replaced with the proper url.

Sop the issue is in the installing of a draft app, and not in the actual managing the app thru the front facing interface

Answer 3

Jeffery, you are absolutely correct sir. I am only adding this as an answer to expand upon yours with some additional security recommendations Weebly considers best practice.

The primary use cases when developers need to implement the JWT "JSON Web Token" are (see links in Jeffery's answer above for more details):

• Providing user-contextualized data for Weebly Apps dependent upon configuration/setting parameters to be defined/stored/manipulated outside of Weebly (external services)
• SSO (Single-Sign On) support

Two Ways the :jwt is included in the URL

Your Weebly App manifest.json file(s) may contain URLs that trigger Weebly to provide you a JWT:

• manage_app_url
• element.settings.config.external.url
• Dashboard Card Link Components --> dashboard_cards.link || dashboard_cards.default[{{SOME_COMPONENT}}].link

Developers can define the position of the JWT in these URLs using one of two approaches:

1. IMPLICITLY DEFINED: Weebly automatically appends the JWT string to the developer-defined URL (and any appropriate operands such as & or ?)
2. EXPLICITLY DEFINED: Indicated by using :jwt at any valid location within the URL values you provide in your manifest.json file

Production Security Best Practices and Considerations

Using the decode method of the PHP library above is handy and quick during development, but when developers are ready to publish their Weebly Apps to the App Center, you will want to include the maximum security possible.

1. Request Scheme Invalidation: Verify the scheme of the inbound request is using https
2. Request Domain Invalidation: Verify the headers.host of the inbound request contains the valid weebly domain and .com TLD (since requests containing the JWT should only ever come from https://www.weebly.com
3. Auto-Reject Tokens with Mismatched Signature Types: Some JWT libraries do not auto-reject tokens if the signature type is mis-matched, which allows hackers to forge requests in these case read this document from Auth0 for more information
4. IP Address Max Requests per [TIMEFRAME]: To prevent brute-force hacking or DDOS attacks on these URLs, you may want to include functionality that automatically caches multiple requests within a specific timeframe. This should be a relatively high-value in a short-period of time, since humans can have request performance limitations in valid use-cases.

While the above content about security is not currently part of official Weebly documentation, I have submitted an issue to include it in the future.

Also, I saw that we recently moved content and did not include the 301 redirects for the URLs referenced in the original question or Jeffery's answer. We just fixed that so your links work properly.

I hope this helps and the information is valuable for you.