
We are developing a Bitbucket app and found out that in the PostInstallRedirect we also get the JWT as part of the query string, and we think this is a potential security issue. Furthermore, we don't use it, as we already authenticate the JWT in the installation webhook.

Is there a way to remove it or at least move it to the header?

  • Which framework (if any) are you using to handle the `PostInstallRedirect` request? – aroundtheworld Oct 05 '21 at 05:32
  • @aroundtheworld The setup with Bitbucket is with Node.js and the Atlassian package. The redirect is getting to a React page, but by then it's too late. – Mithir Oct 05 '21 at 05:35
  • Maybe I am misunderstanding, but in that case, whatever you have specified as the redirect URL, from the server side you can use middleware to remove the token before passing on the request to the rest of the application? I am using an Express approach here, as that is what I am most familiar with. – aroundtheworld Oct 05 '21 at 05:42
  • @aroundtheworld The redirect opens our UI and it logs the JWT in the URL in the browser history, and it is just redundant. The webhook is calling our Node.js server and we use the token there. – Mithir Oct 05 '21 at 07:26
  • Oh, I see. Strange implementation by Atlassian :/ Unfortunately I cannot help, although anyone who really wants to get their JWT can do so on most platforms. I would not sweat the fact that the user can see it in the URL much more than that it is in the requests normally. – aroundtheworld Oct 05 '21 at 07:50
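The server-side middleware idea raised in the comments, written out as an added example (it is not code from the question, from Atlassian's package, or from the `atlassian-connect-express` project). It assumes the token arrives under the query parameter name `jwt` and that the app's redirect route is something like `/installed`; both are assumptions, and the `onToken` hook name is invented for illustration. Only Node's built-in `URL` class is used, so the snippet runs without Express installed, but the `(req, res, next)` shape is the one Express passes to `app.use()`.

```javascript
// Added example: strip the install JWT from the PostInstallRedirect URL and
// send the browser to the same address without it.
// Assumption: Atlassian appends the token as ?jwt=... (parameter name assumed).
const TOKEN_PARAM = "jwt";

// Pure helper: split a request path such as "/installed?jwt=a.b.c&user_uuid=x"
// into { token, cleanUrl }. token is null when the parameter is absent.
function splitTokenFromUrl(originalUrl) {
  // The base is only needed so that a relative path parses; it never leaks out.
  const u = new URL(originalUrl, "http://placeholder.invalid");
  const token = u.searchParams.get(TOKEN_PARAM);
  u.searchParams.delete(TOKEN_PARAM);
  return { token, cleanUrl: u.pathname + u.search + u.hash };
}

// Express-compatible middleware factory. `onToken(token, req)` is a hypothetical
// hook where the app can verify the token or stash it in a server-side session
// before it leaves the URL; pass nothing if the token is simply discarded.
function stripInstallToken(onToken) {
  return function middleware(req, res, next) {
    const { token, cleanUrl } = splitTokenFromUrl(req.originalUrl || req.url);
    if (token === null) return next(); // nothing to strip, continue normally
    if (typeof onToken === "function") onToken(token, req);
    // A server cannot edit the URL the browser already navigated to; the only
    // way to get a token-free address into the location bar and history is to
    // answer with a redirect and let the browser request the clean URL.
    res.redirect(302, cleanUrl);
  };
}

// Stand-alone demonstration with a constructed request and a minimal fake
// response object, so the behaviour can be checked without a web server.
function demo() {
  const seen = [];
  const mw = stripInstallToken((token) => seen.push(token));
  const res = {
    redirect(status, url) { this.status = status; this.location = url; }
  };
  let fellThrough = false;
  // Constructed request: token plus one unrelated parameter that must survive.
  mw({ originalUrl: "/installed?jwt=header.payload.sig&user_uuid=abc" },
     res, () => { fellThrough = true; });
  return { seen, status: res.status, location: res.location, fellThrough };
}
```

Usage in an Express app would be `app.use("/installed", stripInstallToken(verifyOrStore))` placed before the route that serves the React page. Two caveats worth keeping in mind: the browser's first request still carries the token in the URL, so it will appear in the server's access logs unless those are configured to drop the parameter, and the redirect only changes what the browser ends up with; it cannot move the token into a request header, because the app does not control the request Atlassian's redirect makes.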

0 Answers