Getting a token (Storing the token in a database table)

Andrei Pastushenko March 30, 2022

Good day!
I have run into the fact that I cannot find in the API a tool for obtaining the XSRF token of another user.

As you know, the transition link looks something like this:

https://myjira.com/secure/WorkflowUIDispatcher.jspa?id=1234567&action=81&atl_token=ABCD-E1FG-2HIJ-KLMN_6fa77287541d758ec0b972fc9fccdbe1e41275ed_lin

The url contains the atl_token parameter. In it we have xsrf token. Conventionally, the value of this parameter consists of three parts, separated by an underscore.

ABCD-E1FG-2HIJ-KLMN  _  6af6c93cd1fac06aad5da3b212829dd668872aa5  _  lin

The first part "ABCD-E1FG-2HIJ-KLMN" is unchanged for all users, as is the postfix "lin". Between them is a token unique to each user, for example "6af6c93cd1fac06aad5da3b212829dd668872aa5".

If the goal is to get your own xsrf token, then just call the method:

String token = new JiraWebActionSupport().getXsrfToken(); 

Why might this be needed? For example, you can generate a URL for the transition and send it by e-mail in order to execute the transition directly from the body of the letter. Actually, I'm trying to implement a post-function with such functionality. The post-function works correctly, but only if I use the above method to get a token and send the email to myself. If you send the URL, designed as a button, to another user, then that user, when trying to navigate through the URL/button, receives the warning "XSRF Security Token Missing". This is because Jira sees a completely different, alien token when the request is made.

An idea came up, since I have not yet found a ready-made and working tool in the API, and perhaps it doesn't exist at all: to get the part of the token that is unique to each user from the database. My problem is that at the moment I don't know in which table the actual unique token is stored, the one that is substituted when generating the XSRF token and the value of the atl_token parameter in the URL. The idea is that any user, having received a targeted personal email to his work mail, can make one of the proposed transitions from the body of the letter by clicking on the buttons/URLs attached to the letter, making this transition exactly as if he had clicked the transition button in Jira itself.
This idea only works if the user who calls the post-function sends an email to himself with his own unique token in the "atl_token" URL parameter.
How can I get the necessary part of the token, or the whole token, of another user, or in which table is the desired value stored?
I would be grateful for any help/hint.
This question is a sub-question of:
https://community.atlassian.com/t5/Jira-Core-Server-questions/xsrf-token-specific-user/qaq-p/1983159

1 answer

1 accepted
