Merge pull request #1 from EchoesHQ/fix-signed-installation

Fix signed installation token validation
EchoesHQ · Jan 14, 2022 · d3fb94b · d3fb94b
2 parents 7ac6e02 + cbc088d
commit d3fb94b
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/apicommunication/transport.go b/apicommunication/transport.go
@@ -432,9 +432,11 @@ func ValidateInstallRequest(r *http.Request, st storage.Store) error {
 			if err != nil {
 				return nil, fmt.Errorf("reading public key from atlassian: %w", err)
 			}
-			return kidPKey, nil
+			// The JWT is signed with a private key using the RS256 algorithm.
+			// Reference: https://developer.atlassian.com/cloud/jira/platform/security-for-connect-apps/#signed-installation-callback-requests
+			return jwt.ParseRSAPublicKeyFromPEM(kidPKey)
 		}
-		return []byte{}, nil
+		return nil, nil
 	})
 	if err != nil {
 		if _, ok := err.(*jwt.ValidationError); ok {