Hi there,
I am building a HipChat addon but I must guarantee that only my HipChat Space can access it.
Somehow the docs seem lo leave out anything on how to restrict access.
Is there way for example to restrict access to a specific room?
I am using the atlassian-connect-hipchat module.
Thanks
Andy
Yes I considered that too but then someone can still install the addon.
So I thought of intercepting the call to /installable:
app.post('/installable', function (req, res, next) { if (req.body.roomId == _allowedRoom && req.body.groupId == _allowedGroup) { console.log('install allowed'); next(); } else { console.log('install not allowed'); res.status(403).send('Sorry, not allowed!'); } });
In your case, when HipChat calls your add-on, a JWT token ("signed_request" query parameter on most calls, sometimes it's in a header). This JWT token contains the room_id. Here's an example of the JWT token:
Screen Shot 2016-06-30 at 6.23.07 AM.png
On the right side, you'll notice that the payload has a the room_id inside the "context" parameter. In the atlassian-connect-hipchat node module, you'll be able to access this data via the `req.identity` object inside a route, but to do that, you'll need to make sure you secure that route with the `addon.authenticate()` middleware. Here's an example:
app.get('/secured/route', addon.authenticate(), function(req, res) { // You can access room, group, user info in here... var userId = req.identity.userId; var roomId = req.identity.roomId; var groupId = req.identity.groupId; res.json(req.identity); });
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.