private hipchat addon

Andreas Behr June 29, 2016

Hi there,

I am building a HipChat addon but I must guarantee that only my HipChat Space can access it.

Somehow the docs seem lo leave out anything on how to restrict access. 

Is there way for example to restrict access to a specific room?

I am using the atlassian-connect-hipchat module.

 

Thanks

Andy

2 answers

1 vote
Andreas Behr June 30, 2016

Yes I considered that too but then someone can still install the addon.

So I thought of intercepting the call to /installable:

app.post('/installable', function (req, res, next) {
    if (req.body.roomId == _allowedRoom && req.body.groupId == _allowedGroup) {
      console.log('install allowed');
      next();
    } else {
      console.log('install not allowed');
      res.status(403).send('Sorry, not allowed!');
    }
  });
0 votes
rich
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 30, 2016

In your case, when HipChat calls your add-on, a JWT token ("signed_request" query parameter on most calls, sometimes it's in a header). This JWT token contains the room_id. Here's an example of the JWT token:

Screen Shot 2016-06-30 at 6.23.07 AM.png

On the right side, you'll notice that the payload has a the room_id inside the "context" parameter. In the atlassian-connect-hipchat node module, you'll be able to access this data via the `req.identity` object inside a route, but to do that, you'll need to make sure you secure that route with the `addon.authenticate()` middleware. Here's an example:

app.get('/secured/route', addon.authenticate(), function(req, res) {
  // You can access room, group, user info in here...
  var userId = req.identity.userId;
  var roomId = req.identity.roomId;
  var groupId = req.identity.groupId;
  res.json(req.identity);
});

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events