REST API access from web browser javascript

Dave Varon November 15, 2019

There appear to be a few variations on how this works, depending on the origin of the request to the api.  The docs might make sense to some people, but not to me.  

I ran a node.js script locally and could connect to jira cloud using axios with an 'auth' config.  Some have noted that email address is important here, rather than username, if that is even an option anymore.

axios.get( {
  ...,
  auth: { username: 'me@domain.com', password: '<apikey>' },
  ...
})

When I tried to use this same method after browserify, i.e., connect to the REST API from a javascript in a web browser, I was indirectly informed (because it didn't work) that I was required to use Oauth2 3LO.  Fine, np.  I doctored up my script to do the dance:

  1. get the "authorization code" using the "client id" from my external app config,  
  2. then get the "access token" using the "client id", "secret", and newly minted "authorization code"
  3. then get "cloud id" to stuff it in the rest url using the "access token"
  4. then use the 'api.atlassian.net' host instead of my jira cloud hostname,

but it still didn't work, because evidently one still must include the "access token" in the request header.

The only examples in REST API docs that I could find are for scripts and/or server-side proxies which apparently use similar syntax to the above (and one must question whether 3LO is actually necessary with a proxy--it's not, is it?)  Nevertheless, the community has a spate of posts from folks with similar issues.  (Some using Connect, and others, not.)  Somewhere between the 15th and 20th of these posts I was encouraged to try putting my auth token in an auth bearer header.

axios.get( {
...,
headers: { ..., 'Authorization':'Bearer <access_token>' },
...
})

This works in the browser, and apparently, it's secure.  However, it's so cumbersome to set up I assume anyone slightly lazier than me will just pass around apikeys, or hard code them in proxy scripts and commit them to bitbucket.
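The four steps and the Bearer header from the post above, written out as an added example (not the poster's code). Endpoint URLs follow Atlassian's OAuth 2.0 (3LO) documentation; the function names, the injected `fetchFn`, and the `state` check are assumptions of this sketch, and the token exchange is meant to run where the client secret stays private.

```javascript
// Added example, not the poster's code. Credentials and scopes are placeholders.
const AUTH_HOST = 'https://auth.atlassian.com';
const API_HOST = 'https://api.atlassian.com';

// Step 1: URL the user's browser is sent to; `state` is checked on return.
function authorizeUrl({ clientId, redirectUri, scope, state }) {
  const query = new URLSearchParams({
    audience: 'api.atlassian.com', client_id: clientId, scope,
    redirect_uri: redirectUri, state, response_type: 'code', prompt: 'consent',
  });
  return `${AUTH_HOST}/authorize?${query}`;
}

// Small helper: fail loudly on any non-2xx answer.
async function json(fetchFn, url, init) {
  const res = await fetchFn(url, init);
  if (!res.ok) throw new Error(`${url} -> HTTP ${res.status}`);
  return res.json();
}

// Steps 2-4: exchange the code, resolve the cloud id, return a Bearer client.
async function jiraClientFromCallback(fetchFn, app, callback, expectedState, siteUrl) {
  // Reject callbacks that do not carry the state value issued in step 1.
  if (callback.state !== expectedState) throw new Error('state mismatch');
  // Step 2: authorization code + client secret -> access token.
  const token = await json(fetchFn, `${AUTH_HOST}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'authorization_code', client_id: app.clientId,
      client_secret: app.clientSecret, code: callback.code,
      redirect_uri: app.redirectUri,
    }),
  });
  const bearer = { Authorization: `Bearer ${token.access_token}`, Accept: 'application/json' };
  // Step 3: map the Jira site URL to its cloud id.
  const sites = await json(fetchFn, `${API_HOST}/oauth/token/accessible-resources`, { headers: bearer });
  const site = sites.find((s) => s.url === siteUrl);
  if (!site) throw new Error(`token grants no access to ${siteUrl}`);
  // Step 4: REST calls go to the API host and always carry the Bearer header.
  const base = `${API_HOST}/ex/jira/${site.id}`;
  return { base, get: (path) => json(fetchFn, base + path, { headers: bearer }) };
}
```
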

1 comment

DPKJ
Community Leader
November 15, 2019

@Dave Varon May I know the purpose (not exact but just a hint) for which you want to call Jira API in browser? Because I can only think of two use cases,

Case 1 - You are building a plugin for Jira and want to call rest API

If this is the case,

 

Case 2 - You want to access Jira API in front-end of your external site,

  • I think this is a bad idea because you will end up with CORS-related issues.
  • But still, if you want to continue on this and manage to resolve the CORS issues with some hacks,
  • I suggest setting up a form to ask for username and access key
  • this way you don't have to hard code it.

Dave Varon November 15, 2019

I've built a web-based bulk issue linking tool. It enables me to choose a target outward issue, and then an arbitrary selection of inward issues and create links of a specific type between the outward and inward issues with a minimum number of clicks, i.e., All pertinent issues load at launch from a filter, then 1 click per outward issue, 1 click per each inward, 1 click to create all the links, and then repeat for the next outward or link type.  I am linking upwards of 1000 "inward" issues to approximately 40 or 50 outwards.

I use JIRA Cloud as a qualified electronic change management system that is part of an FDA validated stack. I need to pull a traceability matrix in a specific format using a saved filter, issuelinks of specific linktypes, and custom css. 

I've used the JSAPI in other cases, e.g., a JIRA Cloud esignature addon for this very system.

DPKJ
Community Leader
November 16, 2019

@Dave Varon I think you need to have some sort of wrapper back-end system that gives you a wrapper over Jira APIs, and you consume Jira APIs via that.

 

JIRA <-----> YOUR_BACKEND <------> YOUR_FRONTEND
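The layout in the comment above, as an added example that is not from the thread: YOUR_BACKEND reads the email and API token from its environment, so they are neither sent to the browser nor committed, and forwards only an allowlist of calls. The environment variable names, the allowlist contents, and the handler shape are assumptions of this sketch.

```javascript
// Added example, not from the thread. Use with Node's http module:
//   http.createServer((req, res) => handle(process.env, fetch, req, res))

// Assumed allowlist: only what a bulk-linking front end needs.
const ALLOWED = [
  { method: 'GET', path: /^\/rest\/api\/3\/issueLinkType$/ },
  { method: 'GET', path: /^\/rest\/api\/3\/filter\/\d+$/ },
  { method: 'POST', path: /^\/rest\/api\/3\/issueLink$/ },
];

// Returns the upstream request, or null when the call is not allowlisted.
function upstreamRequest(env, method, rawUrl) {
  // Parse against a dummy base so dot segments are normalised before matching.
  const { pathname } = new URL(rawUrl, 'http://proxy.invalid');
  if (!ALLOWED.some((r) => r.method === method && r.path.test(pathname))) return null;
  const { JIRA_BASE_URL, JIRA_EMAIL, JIRA_API_TOKEN } = env;
  if (!JIRA_BASE_URL || !JIRA_EMAIL || !JIRA_API_TOKEN) {
    throw new Error('Jira credentials not configured');
  }
  const basic = Buffer.from(`${JIRA_EMAIL}:${JIRA_API_TOKEN}`).toString('base64');
  return {
    // Only the path is reused, so the caller cannot choose the upstream host.
    url: new URL(pathname, JIRA_BASE_URL).href,
    headers: {
      Authorization: `Basic ${basic}`,
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  };
}

async function handle(env, fetchFn, req, res) {
  try {
    const up = upstreamRequest(env, req.method, req.url);
    if (!up) { res.statusCode = 403; return res.end('not allowed'); }
    const chunks = [];
    for await (const chunk of req) chunks.push(chunk);
    const r = await fetchFn(up.url, {
      method: req.method, headers: up.headers,
      body: req.method === 'POST' ? Buffer.concat(chunks) : undefined,
    });
    res.statusCode = r.status;
    res.setHeader('Content-Type', 'application/json');
    res.end(await r.text());
  } catch (err) {
    // Do not echo upstream or configuration errors to the browser.
    res.statusCode = 502;
    res.end('upstream error');
  }
}
```

The proxy still has to authenticate its own callers (session, SSO, or network restriction); without that, anyone who can reach it acts with the stored token.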

Dave Varon November 16, 2019

Indeed. That is what I typically do for production systems.  In fact I created the YADA data hub framework in part to solve problems like this, and use it heavily with an internal JIRA server using oauth 1.0a, as well as other web services and a postgres db.  

In retrospect it may have been quicker to set up any server side proxy, as you suggest, and YADA would be my go-to.

Regrettably I started with a local node script and needed to port it. Quick and dirty progressed to long and sweaty.  Live and learn (or don't learn, as is common.)

Let's not obscure the larger point here:  my use case is not weird.  I built a darn tootin standalone tool to compensate for what many consider a missing feature in Jira: bulk issue linking.  Getting that tool to work locally was an ordeal because of omissions in the documentation.
