Merge pull request #412 from GlobalAppTesting/move-jwt-to-headers

Moves JWT to headers instead of query string
sumoheavy · Apr 26, 2024 · c80cfb3 · c80cfb3
2 parents 8aab814 + f82e82e
commit c80cfb3
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 105 deletions.
diff --git a/lib/jira/jwt_client.rb b/lib/jira/jwt_client.rb
@@ -4,64 +4,38 @@ module JIRA
   class JwtClient < HttpClient
     def make_request(http_method, url, body = '', headers = {})
       @http_method = http_method
+      jwt_header = build_jwt_header(url)
 
-      super(http_method, url, body, headers)
+      super(http_method, url, body, headers.merge(jwt_header))
     end
 
     def make_multipart_request(url, data, headers = {})
       @http_method = :post
+      jwt_header = build_jwt_header(url)
 
-      super(url, data, headers)
-    end
-
-    class JwtUriBuilder
-      attr_reader :request_url, :http_method, :shared_secret, :site, :issuer
-
-      def initialize(request_url, http_method, shared_secret, site, issuer)
-        @request_url = request_url
-        @http_method = http_method
-        @shared_secret = shared_secret
-        @site = site
-        @issuer = issuer
-      end
-
-      def build
-        uri = URI.parse(request_url)
-        new_query = URI.decode_www_form(String(uri.query)) << ['jwt', jwt_header]
-        uri.query = URI.encode_www_form(new_query)
-
-        return uri.to_s unless uri.is_a?(URI::HTTP)
-
-        uri.request_uri
-      end
-
-      private
-
-      def jwt_header
-        claim = Atlassian::Jwt.build_claims \
-          issuer,
-          request_url,
-          http_method.to_s,
-          site,
-          (Time.now - 60).to_i,
-          (Time.now + 86_400).to_i
-
-        JWT.encode claim, shared_secret
-      end
+      super(url, data, headers.merge(jwt_header))
     end
 
     private
 
     attr_reader :http_method
 
-    def request_path(url)
-      JwtUriBuilder.new(
+    def build_jwt_header(url)
+      jwt = build_jwt(url)
+
+      {'Authorization' => "JWT #{jwt}"}
+    end
+
+    def build_jwt(url)
+      claim = Atlassian::Jwt.build_claims \
+        @options[:issuer],
         url,
         http_method.to_s,
-        @options[:shared_secret],
         @options[:site],
-        @options[:issuer]
-      ).build
+        (Time.now - 60).to_i,
+        (Time.now + 86_400).to_i
+
+      JWT.encode claim, @options[:shared_secret]
     end
   end
-end
+end
diff --git a/spec/jira/client_spec.rb b/spec/jira/client_spec.rb
@@ -232,7 +232,7 @@
 
     before(:each) do
       stub_request(:get, 'https://localhost:2990/jira/rest/api/2/project')
-          .with(query: hash_including(:jwt))
+          .with(headers: {"Authorization" => /JWT .+/})
           .to_return(status: 200, body: '[]', headers: {})
     end
 
@@ -248,7 +248,7 @@
     context 'with a incorrect jwt key' do
       before do
         stub_request(:get, 'https://localhost:2990/jira/rest/api/2/project')
-            .with(query: hash_including(:jwt))
+            .with(headers: {"Authorization" => /JWT .+/})
             .to_return(status: 401, body: '[]', headers: {})
       end
 

diff --git a/spec/jira/jwt_uri_builder_spec.rb b/spec/jira/jwt_uri_builder_spec.rb