From a7314655fd85e9972b585671f540e02d980661c8 Mon Sep 17 00:00:00 2001
From: Boris Gvozdev <bgvozdev@atlassian.com>
Date: Wed, 1 Jun 2022 10:54:50 +1000
Subject: [PATCH 01/11] ARC-1355: passing JWT as a cookie value to
 github/configure page

---
 src/jira/util/jwt.ts                  |  10 ++-
 src/middleware/jira-jwt-middleware.ts |   2 +-
 src/middleware/jirahost-middleware.ts | 110 +++++++++++++++++++++-----
 static/js/jira-configuration.js       |   3 +-
 views/session.hbs                     |   7 +-
 5 files changed, 108 insertions(+), 24 deletions(-)

diff --git a/src/jira/util/jwt.ts b/src/jira/util/jwt.ts
index a538ab8e64..818b7707f0 100644
--- a/src/jira/util/jwt.ts
+++ b/src/jira/util/jwt.ts
@@ -30,8 +30,6 @@ export enum TokenType {
 
 export function extractJwtFromRequest(req: Request): string | undefined {
 	const tokenInQuery = req.query?.[JWT_PARAM];
-
-	// JWT appears in both parameter and body will result query hash being invalid.
 	const tokenInBody = req.body?.[JWT_PARAM];
 	if (tokenInQuery && tokenInBody) {
 		req.log.info("JWT token can only appear in either query parameter or request body.");
@@ -39,7 +37,6 @@ export function extractJwtFromRequest(req: Request): string | undefined {
 	}
 	let token = tokenInQuery || tokenInBody;
 
-	// if there was no token in the query-string then fall back to checking the Authorization header
 	const authHeader = req.headers?.[AUTH_HEADER];
 	if (authHeader?.startsWith("JWT ")) {
 		if (token) {
@@ -50,6 +47,13 @@ export function extractJwtFromRequest(req: Request): string | undefined {
 		}
 	}
 
+	if (!token) {
+		token = req.cookies?.[JWT_PARAM];
+		if (token) {
+			req.log.info("JWT token found in cookies (last resort)");
+		}
+	}
+
 	// JWT is missing in query and we don't have a valid body.
 	if (!token) {
 		req.log.info("JWT token is missing in the request");
diff --git a/src/middleware/jira-jwt-middleware.ts b/src/middleware/jira-jwt-middleware.ts
index 6e71f5807a..54ae2af074 100644
--- a/src/middleware/jira-jwt-middleware.ts
+++ b/src/middleware/jira-jwt-middleware.ts
@@ -2,7 +2,7 @@ import { Installation } from "models/installation";
 import { NextFunction, Request, Response } from "express";
 import { sendError, TokenType, verifySymmetricJwtTokenMiddleware } from "../jira/util/jwt";
 
-const verifyJiraJwtMiddleware = (tokenType: TokenType) => async (
+export const verifyJiraJwtMiddleware = (tokenType: TokenType) => async (
 	req: Request,
 	res: Response,
 	next: NextFunction
diff --git a/src/middleware/jirahost-middleware.ts b/src/middleware/jirahost-middleware.ts
index 5b45be3a00..b762aecc5b 100644
--- a/src/middleware/jirahost-middleware.ts
+++ b/src/middleware/jirahost-middleware.ts
@@ -1,27 +1,101 @@
 // setup route middlewares
-import { NextFunction, Request, Response } from "express";
-import { postInstallUrl } from "routes/jira/jira-atlassian-connect-get";
+import {NextFunction, Request, Response} from "express";
+import {verifyJiraJwtMiddleware} from "middleware/jira-jwt-middleware";
+import {TokenType} from "~/src/jira/util/jwt";
+// import {postInstallUrl} from "routes/jira/jira-atlassian-connect-get";
 
+
+const extractJiraHost = (req: Request): string | null => {
+	return (req.query.xdm_e as string) || req.body?.jiraHost || req.cookies.jiraHost;
+}
+
+const isExtractedFromCookie = (req: Request): boolean => {
+	return !(req.query.xdm_e as string) && !req.body?.jiraHost && req.cookies.jiraHost;
+}
+
+const detectJwtTokenType = (req: Request): TokenType => {
+	if (req.query.xdm_e) {
+		return TokenType.normal;
+	}
+	return TokenType.context;
+}
+
+//
+// Updates res.locals.jiraHost based on values in the request if JWT validation is OK.
+//
+// Q: Could I provide a fake jiraHost but a valid JWT, would it impersonate me as someone else?
+// A: No. Each Jira has its own connect shared secret. When a fake jiraHost is provided, a wrong shared secret is
+//    fetched and JWT validation will fail.
+//
+//
 export const jirahostMiddleware = (req: Request, res: Response, next: NextFunction) => {
-	if (req.cookies.jiraHost) {
-		// Save jirahost to secure session
-		req.session.jiraHost = req.cookies.jiraHost;
-		// delete jirahost from cookies.
+	const requestJiraHost = extractJiraHost(req);
+	const takenFromCookies = isExtractedFromCookie(req);
+
+	if (requestJiraHost) {
+
+		res.locals.jiraHost = requestJiraHost;
+
+		// JWT validation makes sure "res.locals.jiraHost" is legit, not the cookie value. To avoid
+		// any temptation to use it later, let's remove it straight away!
 		res.clearCookie("jiraHost");
-	}
 
-	if (req.path == postInstallUrl && req.method == "GET") {
-		// Only save xdm_e query when on the GET post install url (iframe url)
-		res.locals.jiraHost = req.query.xdm_e as string;
-	} else if ((req.path == postInstallUrl && req.method != "GET") || req.path == "/jira/sync") {
-		// Only save the jiraHost from the body for specific routes that use it
-		res.locals.jiraHost = req.body?.jiraHost;
+		const jwtTokenType = detectJwtTokenType(req);
+		verifyJiraJwtMiddleware(jwtTokenType)(req, res, () => {
+
+			// Cannot hold and rely on cookies because the issued context JWTs are short-lived
+			// (enough to validate once but not enough for long-running routines)
+			if (takenFromCookies) {
+				req.session.jiraHost = res.locals.jiraHost;
+			}
+			// Cleaning up outside of "if" to unblock cookies if they were corrupted somehow
+			// on any other successful validation (e.g. when /jira/configuration is refreshed)
+			res.clearCookie("jwt");
+
+			next();
+		});
 	} else {
-		// Save jiraHost from session for any other URLs
-		res.locals.jiraHost = req.session.jiraHost;
+		next();
 	}
 
-	req.addLogFields({ jiraHost: res.locals.jiraHost });
-
-	next();
+	//
+	//
+	// let jwtTokenType: (TokenType | null) = TokenType.context;
+	// let fromCookies = false;
+	//
+	// if (req.path == postInstallUrl && req.method == "GET") {
+	// 	// Only save xdm_e query when on the GET post install url (iframe url)
+	// 	res.locals.jiraHost = req.query.xdm_e as string;
+	// 	jwtTokenType = TokenType.normal;
+	// } else if ((req.path == postInstallUrl && req.method != "GET") || req.path == "/jira/sync") {
+	// 	// Only save the jiraHost from the body for specific routes that use it
+	// 	res.locals.jiraHost = req.body?.jiraHost;
+	// } else if (req.cookies.jiraHost) {
+	// 	res.locals.jiraHost = req.cookies.jiraHost;
+	// 	// JWT validation makes sure "res.locals.jiraHost" is legit, not the cookie value. To avoid
+	// 	// any temptation to use it later, let's remove it straight away!
+	// 	res.clearCookie("jiraHost");
+	// 	fromCookies = true;
+	// } else {
+	// 	res.locals.jiraHost = req.session.jiraHost;
+	// 	jwtTokenType = null;
+	// }
+	//
+	// req.addLogFields({ jiraHost: res.locals.jiraHost });
+	//
+	// if (jwtTokenType) {
+	// 	verifyJiraJwtMiddleware(jwtTokenType)(req, res, () => {
+	// 		// Cannot hold and rely on cookies because the issued context JWTs are short-lived
+	// 		// (enough to validate once but not enough for long-running routines)
+	// 		if (fromCookies) {
+	// 			req.session.jiraHost = res.locals.jiraHost;
+	// 		}
+	// 		// Cleaning up outside of "if" to unblock cookies if they were corrupted somehow
+	// 		// on any other successful validation (e.g. when /jira/configuration is refreshed)
+	// 		res.clearCookie("jwt");
+	// 		next();
+	// 	});
+	// } else {
+	// 	next();
+	// }
 };
diff --git a/static/js/jira-configuration.js b/static/js/jira-configuration.js
index 2d1d3fcdcd..24055fce93 100644
--- a/static/js/jira-configuration.js
+++ b/static/js/jira-configuration.js
@@ -16,9 +16,10 @@ function openChildWindow(url) {
 
 $(".add-organization-link").click(function(event) {
 	event.preventDefault();
-	window.AP.context.getToken(function() {
+	window.AP.context.getToken(function(token) {
 		const child = openChildWindow("/session/github/configuration");
 		child.window.jiraHost = jiraHost;
+		child.window.jwt = token;
 	});
 });
 
diff --git a/views/session.hbs b/views/session.hbs
index 6af601ae6f..5b26bd496c 100644
--- a/views/session.hbs
+++ b/views/session.hbs
@@ -46,8 +46,13 @@
 <script nonce="{{nonce}}">
   $(function() {
     if (window.jiraHost) {
-      // Set jiraHost value to cookie
+      {{!--/*
+            We cannot pass jwt as a query string parameter because of security considerations!
+            (E.g. they can be stored in browser's session or hijacked.)
+            More secure is to pass it using the cookies.
+      */--}}
       document.cookie = "jiraHost=" + window.jiraHost + "; path=/; max-age=" + 60 * 5 + "; samesite=none; secure";
+      document.cookie = "jwt=" + window.jwt + "; path=/; max-age=" + 60 * 5 + "; samesite=none; secure";
     }
     window.location = "{{redirectUrl}}";
   });

From 8f1e91c1a029d800a8b3e3772ccdd3e9129755f9 Mon Sep 17 00:00:00 2001
From: Boris Gvozdev <bgvozdev@atlassian.com>
Date: Wed, 1 Jun 2022 14:49:28 +1000
Subject: [PATCH 02/11] ARC-1355: only take jiraHost from a subset of requests

---
 src/middleware/jirahost-middleware.ts | 40 +++++++++++++++------------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/src/middleware/jirahost-middleware.ts b/src/middleware/jirahost-middleware.ts
index b762aecc5b..0e1b45337a 100644
--- a/src/middleware/jirahost-middleware.ts
+++ b/src/middleware/jirahost-middleware.ts
@@ -2,15 +2,20 @@
 import {NextFunction, Request, Response} from "express";
 import {verifyJiraJwtMiddleware} from "middleware/jira-jwt-middleware";
 import {TokenType} from "~/src/jira/util/jwt";
-// import {postInstallUrl} from "routes/jira/jira-atlassian-connect-get";
+import {postInstallUrl} from "routes/jira/jira-atlassian-connect-get";
 
 
-const extractJiraHost = (req: Request): string | null => {
-	return (req.query.xdm_e as string) || req.body?.jiraHost || req.cookies.jiraHost;
-}
-
-const isExtractedFromCookie = (req: Request): boolean => {
-	return !(req.query.xdm_e as string) && !req.body?.jiraHost && req.cookies.jiraHost;
+const extractUnsafeJiraHost = (req: Request): string | null => {
+	if (req.path == postInstallUrl && req.method == "GET") {
+		// Only save xdm_e query when on the GET post install url (iframe url)
+		return req.query.xdm_e as string;
+	} else if ((req.path == postInstallUrl && req.method != "GET") || req.path == "/jira/sync") {
+		// Only save the jiraHost from the body for specific routes that use it
+		return req.body?.jiraHost;
+	} else if (req.cookies.jiraHost) {
+		return req.cookies.jiraHost;
+	}
+	return null;
 }
 
 const detectJwtTokenType = (req: Request): TokenType => {
@@ -29,19 +34,19 @@ const detectJwtTokenType = (req: Request): TokenType => {
 //
 //
 export const jirahostMiddleware = (req: Request, res: Response, next: NextFunction) => {
-	const requestJiraHost = extractJiraHost(req);
-	const takenFromCookies = isExtractedFromCookie(req);
-
-	if (requestJiraHost) {
+	const unsafeJiraHost = extractUnsafeJiraHost(req);
 
-		res.locals.jiraHost = requestJiraHost;
+	req.addLogFields({ jiraHost: unsafeJiraHost });
 
-		// JWT validation makes sure "res.locals.jiraHost" is legit, not the cookie value. To avoid
-		// any temptation to use it later, let's remove it straight away!
-		res.clearCookie("jiraHost");
+	// JWT validation makes sure "res.locals.jiraHost" is legit, not the cookie value. To avoid
+	// any temptation to use it later, let's remove it straight away!
+	const takenFromCookies = unsafeJiraHost === req.cookies.jiraHost;
+	res.clearCookie("jiraHost");
 
-		const jwtTokenType = detectJwtTokenType(req);
-		verifyJiraJwtMiddleware(jwtTokenType)(req, res, () => {
+	if (unsafeJiraHost) {
+		// Even though it is unsafe, we are verifying it straight away below (in "verifyJwtBlahBlah" call)
+		res.locals.jiraHost = unsafeJiraHost;
+		verifyJiraJwtMiddleware(detectJwtTokenType(req))(req, res, () => {
 
 			// Cannot hold and rely on cookies because the issued context JWTs are short-lived
 			// (enough to validate once but not enough for long-running routines)
@@ -55,6 +60,7 @@ export const jirahostMiddleware = (req: Request, res: Response, next: NextFuncti
 			next();
 		});
 	} else {
+		res.locals.jiraHost = req.session.jiraHost;
 		next();
 	}
 

From c46150f8305c641cd5f8586d707f61e52a63e14f Mon Sep 17 00:00:00 2001
From: Gary Xue <gxue@atlassian.com>
Date: Wed, 1 Jun 2022 15:32:37 +1000
Subject: [PATCH 03/11] Add unit test to jiraHostMiddleware.ts

---
 src/github/client/github-client.ts         |  2 +-
 src/github/issue.ts                        |  2 +-
 src/middleware/jirahost-middleware.test.ts | 66 ++++++++++++++++++++++
 3 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 src/middleware/jirahost-middleware.test.ts

diff --git a/src/github/client/github-client.ts b/src/github/client/github-client.ts
index 0c5663a93c..20a842f18c 100644
--- a/src/github/client/github-client.ts
+++ b/src/github/client/github-client.ts
@@ -19,7 +19,7 @@ export class GitHubClient {
 		// baseUrl is undefined when FF is false
 		// if FF is true and the githubAppId field is empty, it is set to https://api.github.com
 		// TODO - clean this logic up once we remove the GHE_SERVER flag
-		if (baseUrl == undefined || baseUrl === 'https://api.github.com') {
+		if (baseUrl == undefined || baseUrl === "https://api.github.com") {
 			this.restApiUrl = GITHUB_CLOUD_API_BASEURL;
 			this.graphqlUrl = `${GITHUB_CLOUD_API_BASEURL}/graphql`;
 		} else {
diff --git a/src/github/issue.ts b/src/github/issue.ts
index 349f7def01..465a30ab14 100644
--- a/src/github/issue.ts
+++ b/src/github/issue.ts
@@ -1,7 +1,7 @@
 import { emitWebhookProcessedMetrics } from "utils/webhook-utils";
 import { CustomContext } from "middleware/github-webhook-middleware";
 import { WebhookPayloadIssues } from "@octokit/webhooks";
-import { GitHubIssue, GitHubIssueData } from 'interfaces/github';
+import { GitHubIssue, GitHubIssueData } from "interfaces/github";
 import { createInstallationClient } from "utils/get-github-client-config";
 
 export const issueWebhookHandler = async (context: CustomContext<WebhookPayloadIssues>, jiraClient, util, githubInstallationId: number): Promise<void> => {
diff --git a/src/middleware/jirahost-middleware.test.ts b/src/middleware/jirahost-middleware.test.ts
new file mode 100644
index 0000000000..c33c3045a7
--- /dev/null
+++ b/src/middleware/jirahost-middleware.test.ts
@@ -0,0 +1,66 @@
+import {NextFunction, Request, Response} from "express";
+import {jirahostMiddleware} from "./jirahost-middleware";
+import {verifyJiraJwtMiddleware } from "middleware/jira-jwt-middleware";
+import {postInstallUrl} from "routes/jira/jira-atlassian-connect-get";
+
+jest.mock("middleware/jira-jwt-middleware");
+const mockVerifyJiraJwtMiddleware = (verifyJiraJwtMiddleware as any) as jest.Mock<typeof verifyJiraJwtMiddleware>;
+
+//const APP_URL = 'https://github-for-jira-app.atlassian.com';
+const LEGIT_JIRA_HOST = "https://legit-jira-host.atlassian.net";
+
+describe("jirahostMiddleware", () => {
+
+	let req: Request, res: Response, next: NextFunction;
+	beforeEach(() => {
+		req = getReq();
+		res = getRes();
+		next = jest.fn();
+		mockVerifyJiraJwtMiddleware.mockImplementation(() => () => async (_, __, n) => {n()});
+	});
+
+	describe("jiraHost is provided by jira software", () => {
+		beforeEach(() => {
+			req.path = postInstallUrl;
+			req.method = "GET",
+			req.query = {xdm_e: LEGIT_JIRA_HOST}
+		});
+		it("should extract jiraHost correctly from xdm_e query", () => {
+			jirahostMiddleware(req, res, next);
+			expectJiraHostInResLocals();
+		});
+	});
+	describe("jiraHost is provided by app form post", () => {
+		beforeEach(()=>{
+			req.path = postInstallUrl;
+			req.method = "POST";
+			req.body = {jiraHost: LEGIT_JIRA_HOST}
+		});
+		it("should extract jiraHost correctly from request body", ()=>{
+			jirahostMiddleware(req, res, next);
+			expectJiraHostInResLocals();
+		});
+	});
+
+	function expectJiraHostInResLocals() {
+		expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+	}
+});
+
+function getReq(): Request {
+	return ({
+		path: "/",
+		query: {},
+		body: {},
+		addLogFields: jest.fn(),
+		session: {},
+		cookies: {}
+	} as any) as Request;
+}
+
+function getRes(): Response {
+	return ({
+		locals: {},
+		clearCookie: jest.fn()
+	} as any) as Response;
+}

From c24859fc093afd10a1fefe165dfda71f6ce919d8 Mon Sep 17 00:00:00 2001
From: Gary Xue <gxue@atlassian.com>
Date: Wed, 1 Jun 2022 15:50:48 +1000
Subject: [PATCH 04/11] add more test

---
 src/middleware/jirahost-middleware.test.ts | 40 ++++++++++++++++------
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/src/middleware/jirahost-middleware.test.ts b/src/middleware/jirahost-middleware.test.ts
index c33c3045a7..ea10eb0dff 100644
--- a/src/middleware/jirahost-middleware.test.ts
+++ b/src/middleware/jirahost-middleware.test.ts
@@ -2,49 +2,67 @@ import {NextFunction, Request, Response} from "express";
 import {jirahostMiddleware} from "./jirahost-middleware";
 import {verifyJiraJwtMiddleware } from "middleware/jira-jwt-middleware";
 import {postInstallUrl} from "routes/jira/jira-atlassian-connect-get";
+import {TokenType} from "~/src/jira/util/jwt";
 
 jest.mock("middleware/jira-jwt-middleware");
 const mockVerifyJiraJwtMiddleware = (verifyJiraJwtMiddleware as any) as jest.Mock<typeof verifyJiraJwtMiddleware>;
 
 //const APP_URL = 'https://github-for-jira-app.atlassian.com';
 const LEGIT_JIRA_HOST = "https://legit-jira-host.atlassian.net";
+//const TEST_JWT_TOKEN = 'TO_BE_DETERMINED';
 
 describe("jirahostMiddleware", () => {
 
 	let req: Request, res: Response, next: NextFunction;
+	let mockJwtVerificationFn;
 	beforeEach(() => {
 		req = getReq();
 		res = getRes();
 		next = jest.fn();
-		mockVerifyJiraJwtMiddleware.mockImplementation(() => () => async (_, __, n) => {n()});
+		mockJwtVerificationFn = jest.fn();
+		mockVerifyJiraJwtMiddleware.mockReturnValue(mockJwtVerificationFn);
 	});
 
+	describe('jiraHost is provided in a trusted session cookie', ()=>{
+		it('should extract jiraHost from session', ()=>{
+			req.session.jiraHost = LEGIT_JIRA_HOST;
+			jirahostMiddleware(req, res, next);
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(next).toBeCalled();
+		});
+	});
 	describe("jiraHost is provided by jira software", () => {
-		beforeEach(() => {
+		it("should extract jiraHost correctly from xdm_e query", () => {
 			req.path = postInstallUrl;
 			req.method = "GET",
 			req.query = {xdm_e: LEGIT_JIRA_HOST}
-		});
-		it("should extract jiraHost correctly from xdm_e query", () => {
 			jirahostMiddleware(req, res, next);
-			expectJiraHostInResLocals();
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.normal);
 		});
 	});
 	describe("jiraHost is provided by app form post", () => {
-		beforeEach(()=>{
+		it("should extract jiraHost correctly from request body", ()=>{
 			req.path = postInstallUrl;
 			req.method = "POST";
 			req.body = {jiraHost: LEGIT_JIRA_HOST}
+			jirahostMiddleware(req, res, next);
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
 		});
-		it("should extract jiraHost correctly from request body", ()=>{
+	});
+	describe('jiraHost is provided by cookie as temporary method', () => {
+		it("should extract jiraHost correctly from cookie and remove cookie", () => {
+			req.path = '/whatever';
+			req.method = 'GET';
+			req.cookies.jiraHost = LEGIT_JIRA_HOST;
 			jirahostMiddleware(req, res, next);
-			expectJiraHostInResLocals();
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(res.clearCookie).toBeCalledWith('jiraHost');
+			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
 		});
 	});
 
-	function expectJiraHostInResLocals() {
-		expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
-	}
 });
 
 function getReq(): Request {

From 2d7d745c58ac5d14034db3c7b52ebfc8327fa76d Mon Sep 17 00:00:00 2001
From: Gary Xue <gxue@atlassian.com>
Date: Wed, 1 Jun 2022 16:18:32 +1000
Subject: [PATCH 05/11] wip

---
 src/middleware/jirahost-middleware.test.ts | 42 ++++++++++++++++++++--
 1 file changed, 39 insertions(+), 3 deletions(-)

diff --git a/src/middleware/jirahost-middleware.test.ts b/src/middleware/jirahost-middleware.test.ts
index ea10eb0dff..97e2fe6cef 100644
--- a/src/middleware/jirahost-middleware.test.ts
+++ b/src/middleware/jirahost-middleware.test.ts
@@ -9,12 +9,13 @@ const mockVerifyJiraJwtMiddleware = (verifyJiraJwtMiddleware as any) as jest.Moc
 
 //const APP_URL = 'https://github-for-jira-app.atlassian.com';
 const LEGIT_JIRA_HOST = "https://legit-jira-host.atlassian.net";
-//const TEST_JWT_TOKEN = 'TO_BE_DETERMINED';
+const TEST_JWT_TOKEN = 'TO_BE_DETERMINED';
 
 describe("jirahostMiddleware", () => {
 
 	let req: Request, res: Response, next: NextFunction;
-	let mockJwtVerificationFn;
+	let mockJwtVerificationFn: jest.Mock;
+
 	beforeEach(() => {
 		req = getReq();
 		res = getRes();
@@ -24,43 +25,78 @@ describe("jirahostMiddleware", () => {
 	});
 
 	describe('jiraHost is provided in a trusted session cookie', ()=>{
+
 		it('should extract jiraHost from session', ()=>{
+
 			req.session.jiraHost = LEGIT_JIRA_HOST;
+
 			jirahostMiddleware(req, res, next);
+
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(next).toBeCalled();
 		});
+
 	});
-	describe("jiraHost is provided by jira software", () => {
+
+	describe("jiraHost is provided by jira", () => {
+
 		it("should extract jiraHost correctly from xdm_e query", () => {
+
 			req.path = postInstallUrl;
 			req.method = "GET",
 			req.query = {xdm_e: LEGIT_JIRA_HOST}
+
 			jirahostMiddleware(req, res, next);
+
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.normal);
 		});
+
 	});
+
 	describe("jiraHost is provided by app form post", () => {
+
 		it("should extract jiraHost correctly from request body", ()=>{
+
 			req.path = postInstallUrl;
 			req.method = "POST";
 			req.body = {jiraHost: LEGIT_JIRA_HOST}
+
 			jirahostMiddleware(req, res, next);
+
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
 		});
+
 	});
+
 	describe('jiraHost is provided by cookie as temporary method', () => {
+
 		it("should extract jiraHost correctly from cookie and remove cookie", () => {
+
 			req.path = '/whatever';
 			req.method = 'GET';
 			req.cookies.jiraHost = LEGIT_JIRA_HOST;
+			req.cookies.jwt = TEST_JWT_TOKEN;
+
 			jirahostMiddleware(req, res, next);
+
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(res.clearCookie).toBeCalledWith('jiraHost');
+
+			const calledReq = mockJwtVerificationFn.mock.calls[0][0];
+			const calledRes = mockJwtVerificationFn.mock.calls[0][1];
+			expect(calledRes.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(calledReq.cookies.jwt).toBe(TEST_JWT_TOKEN);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
+			expect(mockJwtVerificationFn).toBeCalled();
+
+			//TODO
+			expect(res.clearCookie).toBeCalledWith('jwt');
+			expect(req.session.jiraHost).toBe(LEGIT_JIRA_HOST);
+
 		});
+
 	});
 
 });

From 6d7b46b19d62772e61393ac4017195ace95feb45 Mon Sep 17 00:00:00 2001
From: Boris Gvozdev <bgvozdev@atlassian.com>
Date: Wed, 1 Jun 2022 17:14:00 +1000
Subject: [PATCH 06/11] ARC-1355: more tests

---
 src/middleware/jirahost-middleware.test.ts | 189 ++++++++++++++++++---
 1 file changed, 164 insertions(+), 25 deletions(-)

diff --git a/src/middleware/jirahost-middleware.test.ts b/src/middleware/jirahost-middleware.test.ts
index 97e2fe6cef..002c95d540 100644
--- a/src/middleware/jirahost-middleware.test.ts
+++ b/src/middleware/jirahost-middleware.test.ts
@@ -7,7 +7,6 @@ import {TokenType} from "~/src/jira/util/jwt";
 jest.mock("middleware/jira-jwt-middleware");
 const mockVerifyJiraJwtMiddleware = (verifyJiraJwtMiddleware as any) as jest.Mock<typeof verifyJiraJwtMiddleware>;
 
-//const APP_URL = 'https://github-for-jira-app.atlassian.com';
 const LEGIT_JIRA_HOST = "https://legit-jira-host.atlassian.net";
 const TEST_JWT_TOKEN = 'TO_BE_DETERMINED';
 
@@ -20,13 +19,13 @@ describe("jirahostMiddleware", () => {
 		req = getReq();
 		res = getRes();
 		next = jest.fn();
-		mockJwtVerificationFn = jest.fn();
+		mockJwtVerificationFn = jest.fn().mockImplementation((_, __, next) => next());
 		mockVerifyJiraJwtMiddleware.mockReturnValue(mockJwtVerificationFn);
 	});
 
-	describe('jiraHost is provided in a trusted session cookie', ()=>{
+	describe('jiraHost is provided in session', ()=>{
 
-		it('should extract jiraHost from session', ()=>{
+		it('should extract jiraHost from session when provided', ()=>{
 
 			req.session.jiraHost = LEGIT_JIRA_HOST;
 
@@ -36,65 +35,191 @@ describe("jirahostMiddleware", () => {
 			expect(next).toBeCalled();
 		});
 
+		it('cookie should have priority', () => {
+
+			req.cookies.jiraHost = LEGIT_JIRA_HOST;
+			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(next).toBeCalled();
+		});
+
+		it('xdm_e should have priority', () => {
+
+			configureLegitJiraReq(req);
+			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(next).toBeCalled();
+		});
+
+		it('payload should have priority', () => {
+
+			configureLegitFrontendReq(req);
+			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(next).toBeCalled();
+		});
+
 	});
 
-	describe("jiraHost is provided by jira", () => {
+	describe("jiraHost is provided by Jira", () => {
 
-		it("should extract jiraHost correctly from xdm_e query", () => {
+		beforeEach(() => {
+			configureLegitJiraReq(req);
+		});
 
-			req.path = postInstallUrl;
-			req.method = "GET",
-			req.query = {xdm_e: LEGIT_JIRA_HOST}
+		it("should extract jiraHost correctly from xdm_e query and call next()", () => {
 
 			jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.normal);
+			expect(next).toBeCalled();
+		});
+
+		it("should not call next() when invalid", () => {
+
+			mockJwtVerificationFn.mockImplementation(() => {});
+
+			jirahostMiddleware(req, res, next);
+
+			expect(next).not.toBeCalled();
+		});
+
+		it("should not be validated and used with wrong URL", () => {
+
+			req.path = "/blah";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBeUndefined();
+			expect(mockJwtVerificationFn).not.toBeCalled();
+			expect(next).toBeCalled();
 		});
 
 	});
 
-	describe("jiraHost is provided by app form post", () => {
+	describe("jiraHost is provided by frontend in payload", () => {
 
-		it("should extract jiraHost correctly from request body", ()=>{
+		beforeEach(() => {
+			configureLegitFrontendReq(req);
+		});
 
-			req.path = postInstallUrl;
-			req.method = "POST";
-			req.body = {jiraHost: LEGIT_JIRA_HOST}
+		it("should extract jiraHost correctly from request body", ()=>{
 
 			jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
+			expect(next).toBeCalled();
+		});
+
+		it("should not call next() when not valid", ()=>{
+
+			mockJwtVerificationFn.mockImplementation(() => {});
+
+			jirahostMiddleware(req, res, next);
+
+			expect(next).not.toBeCalled();
+		});
+
+		it("should not be validated and used when wrong URL", ()=>{
+
+			req.path = "/blah";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBeUndefined();
+			expect(mockJwtVerificationFn).not.toBeCalled();
+			expect(next).toBeCalled();
 		});
 
 	});
 
 	describe('jiraHost is provided by cookie as temporary method', () => {
 
-		it("should extract jiraHost correctly from cookie and remove cookie", () => {
-
+		beforeEach(() => {
 			req.path = '/whatever';
 			req.method = 'GET';
 			req.cookies.jiraHost = LEGIT_JIRA_HOST;
 			req.cookies.jwt = TEST_JWT_TOKEN;
+		});
+
+		it("should extract jiraHost correctly from cookie, validate it and save to session", () => {
 
 			jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
-			expect(res.clearCookie).toBeCalledWith('jiraHost');
-
-			const calledReq = mockJwtVerificationFn.mock.calls[0][0];
-			const calledRes = mockJwtVerificationFn.mock.calls[0][1];
-			expect(calledRes.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
-			expect(calledReq.cookies.jwt).toBe(TEST_JWT_TOKEN);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
-			expect(mockJwtVerificationFn).toBeCalled();
+			expect(req.session.jiraHost).toBe(LEGIT_JIRA_HOST);
+			expect(next).toBeCalled();
+		});
+
+		it ("should be deleted from the cookies together with JWT token",  () => {
+
+			jirahostMiddleware(req, res, next);
 
-			//TODO
+			expect(res.clearCookie).toBeCalledWith('jiraHost');
 			expect(res.clearCookie).toBeCalledWith('jwt');
-			expect(req.session.jiraHost).toBe(LEGIT_JIRA_HOST);
+		});
+
+		it ("should not be saved in session and call next() when not valid",  () => {
+
+			mockJwtVerificationFn.mockImplementation(() => {});
+
+			jirahostMiddleware(req, res, next);
 
+			expect(req.session.jiraHost).toBeUndefined();
+			expect(next).not.toBeCalled();
+		});
+
+		it("xdm_e should have priority", () => {
+
+			configureLegitJiraReq(req);
+			req.cookies.jiraHost = LEGIT_JIRA_HOST + "boo";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+		});
+
+		it("xdm_e should be ignored and cookie is used when wrong URL", () => {
+
+			configureLegitJiraReq(req);
+			req.path = "/whatever";
+			req.cookies.jiraHost = LEGIT_JIRA_HOST + "boo";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST + "boo");
+		});
+
+		it("POST payload should have priority", () => {
+
+			configureLegitFrontendReq(req);
+			req.cookies.jiraHost = LEGIT_JIRA_HOST + "boo";
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
+		});
+
+		it ("should be deleted from the cookies together with JWT token even when not used",  () => {
+
+			configureLegitFrontendReq(req);
+
+			jirahostMiddleware(req, res, next);
+
+			expect(res.clearCookie).toBeCalledWith('jiraHost');
+			expect(res.clearCookie).toBeCalledWith('jwt');
 		});
 
 	});
@@ -118,3 +243,17 @@ function getRes(): Response {
 		clearCookie: jest.fn()
 	} as any) as Response;
 }
+
+function configureLegitJiraReq(req: Request) {
+	req.path = postInstallUrl;
+	req.method = "GET",
+	req.query = { xdm_e: LEGIT_JIRA_HOST }
+	req.body = {};
+}
+
+function configureLegitFrontendReq(req: Request) {
+	req.path = postInstallUrl;
+	req.method = "POST";
+	req.query = {};
+	req.body = {jiraHost: LEGIT_JIRA_HOST}
+}

From 6f986dcdaace5275a0a272040827b3f3ca272b9b Mon Sep 17 00:00:00 2001
From: Gary Xue <gxue@atlassian.com>
Date: Thu, 2 Jun 2022 10:00:55 +1000
Subject: [PATCH 07/11] minor yarn lint fix

---
 src/middleware/jirahost-middleware.test.ts | 40 +++++++++++++---------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/src/middleware/jirahost-middleware.test.ts b/src/middleware/jirahost-middleware.test.ts
index 002c95d540..a7ccb8300f 100644
--- a/src/middleware/jirahost-middleware.test.ts
+++ b/src/middleware/jirahost-middleware.test.ts
@@ -8,7 +8,7 @@ jest.mock("middleware/jira-jwt-middleware");
 const mockVerifyJiraJwtMiddleware = (verifyJiraJwtMiddleware as any) as jest.Mock<typeof verifyJiraJwtMiddleware>;
 
 const LEGIT_JIRA_HOST = "https://legit-jira-host.atlassian.net";
-const TEST_JWT_TOKEN = 'TO_BE_DETERMINED';
+const TEST_JWT_TOKEN = "TO_BE_DETERMINED";
 
 describe("jirahostMiddleware", () => {
 
@@ -19,13 +19,13 @@ describe("jirahostMiddleware", () => {
 		req = getReq();
 		res = getRes();
 		next = jest.fn();
-		mockJwtVerificationFn = jest.fn().mockImplementation((_, __, next) => next());
+		mockJwtVerificationFn = jest.fn().mockImplementation((_, __, n) => n());
 		mockVerifyJiraJwtMiddleware.mockReturnValue(mockJwtVerificationFn);
 	});
 
-	describe('jiraHost is provided in session', ()=>{
+	describe("jiraHost is provided in session", ()=>{
 
-		it('should extract jiraHost from session when provided', ()=>{
+		it("should extract jiraHost from session when provided", ()=>{
 
 			req.session.jiraHost = LEGIT_JIRA_HOST;
 
@@ -35,7 +35,7 @@ describe("jirahostMiddleware", () => {
 			expect(next).toBeCalled();
 		});
 
-		it('cookie should have priority', () => {
+		it("cookie should have priority", () => {
 
 			req.cookies.jiraHost = LEGIT_JIRA_HOST;
 			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
@@ -46,7 +46,7 @@ describe("jirahostMiddleware", () => {
 			expect(next).toBeCalled();
 		});
 
-		it('xdm_e should have priority', () => {
+		it("xdm_e should have priority", () => {
 
 			configureLegitJiraReq(req);
 			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
@@ -57,7 +57,7 @@ describe("jirahostMiddleware", () => {
 			expect(next).toBeCalled();
 		});
 
-		it('payload should have priority', () => {
+		it("payload should have priority", () => {
 
 			configureLegitFrontendReq(req);
 			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
@@ -87,7 +87,9 @@ describe("jirahostMiddleware", () => {
 
 		it("should not call next() when invalid", () => {
 
-			mockJwtVerificationFn.mockImplementation(() => {});
+			mockJwtVerificationFn.mockImplementation(() => {
+				//dothing
+			});
 
 			jirahostMiddleware(req, res, next);
 
@@ -124,7 +126,9 @@ describe("jirahostMiddleware", () => {
 
 		it("should not call next() when not valid", ()=>{
 
-			mockJwtVerificationFn.mockImplementation(() => {});
+			mockJwtVerificationFn.mockImplementation(() => {
+				//donothing
+			});
 
 			jirahostMiddleware(req, res, next);
 
@@ -144,11 +148,11 @@ describe("jirahostMiddleware", () => {
 
 	});
 
-	describe('jiraHost is provided by cookie as temporary method', () => {
+	describe("jiraHost is provided by cookie as temporary method", () => {
 
 		beforeEach(() => {
-			req.path = '/whatever';
-			req.method = 'GET';
+			req.path = "/whatever";
+			req.method = "GET";
 			req.cookies.jiraHost = LEGIT_JIRA_HOST;
 			req.cookies.jwt = TEST_JWT_TOKEN;
 		});
@@ -167,13 +171,15 @@ describe("jirahostMiddleware", () => {
 
 			jirahostMiddleware(req, res, next);
 
-			expect(res.clearCookie).toBeCalledWith('jiraHost');
-			expect(res.clearCookie).toBeCalledWith('jwt');
+			expect(res.clearCookie).toBeCalledWith("jiraHost");
+			expect(res.clearCookie).toBeCalledWith("jwt");
 		});
 
 		it ("should not be saved in session and call next() when not valid",  () => {
 
-			mockJwtVerificationFn.mockImplementation(() => {});
+			mockJwtVerificationFn.mockImplementation(() => {
+				//donothing
+			});
 
 			jirahostMiddleware(req, res, next);
 
@@ -218,8 +224,8 @@ describe("jirahostMiddleware", () => {
 
 			jirahostMiddleware(req, res, next);
 
-			expect(res.clearCookie).toBeCalledWith('jiraHost');
-			expect(res.clearCookie).toBeCalledWith('jwt');
+			expect(res.clearCookie).toBeCalledWith("jiraHost");
+			expect(res.clearCookie).toBeCalledWith("jwt");
 		});
 
 	});

From e10ef258dd5da4b6ef6a8b19f4e6e571265dd119 Mon Sep 17 00:00:00 2001
From: Boris Gvozdev <bgvozdev@atlassian.com>
Date: Thu, 2 Jun 2022 10:09:33 +1000
Subject: [PATCH 08/11] ARC-1355: a few more tests

---
 src/middleware/jirahost-middleware.test.ts | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/middleware/jirahost-middleware.test.ts b/src/middleware/jirahost-middleware.test.ts
index a7ccb8300f..fa5bb16c2f 100644
--- a/src/middleware/jirahost-middleware.test.ts
+++ b/src/middleware/jirahost-middleware.test.ts
@@ -107,6 +107,13 @@ describe("jirahostMiddleware", () => {
 			expect(next).toBeCalled();
 		});
 
+		it("should use \"normal\" JWT token type", () => {
+
+			jirahostMiddleware(req, res, next);
+
+			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.normal);
+		});
+
 	});
 
 	describe("jiraHost is provided by frontend in payload", () => {
@@ -146,6 +153,13 @@ describe("jirahostMiddleware", () => {
 			expect(next).toBeCalled();
 		});
 
+		it("should use \"context\" JWT token type", () => {
+
+			jirahostMiddleware(req, res, next);
+
+			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
+		});
+
 	});
 
 	describe("jiraHost is provided by cookie as temporary method", () => {
@@ -228,6 +242,13 @@ describe("jirahostMiddleware", () => {
 			expect(res.clearCookie).toBeCalledWith("jwt");
 		});
 
+		it("should use \"context\" JWT token type", () => {
+
+			jirahostMiddleware(req, res, next);
+
+			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
+		});
+
 	});
 
 });

From 9a8d091d0cce0088cc1158c2f649d740b79d0d27 Mon Sep 17 00:00:00 2001
From: Boris Gvozdev <bgvozdev@atlassian.com>
Date: Thu, 2 Jun 2022 10:38:25 +1000
Subject: [PATCH 09/11] ARC-1355: tests for cookie part in jwt

---
 src/jira/util/jwt.test.ts | 41 +++++++++++++++++++++++++++++++++++++--
 src/jira/util/jwt.ts      |  2 +-
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/src/jira/util/jwt.test.ts b/src/jira/util/jwt.test.ts
index 9df26132a3..535555b18a 100644
--- a/src/jira/util/jwt.test.ts
+++ b/src/jira/util/jwt.test.ts
@@ -65,10 +65,13 @@ describe("jwt", () => {
 		// we know exactly how express is going to behave
 		res = {
 			locals: {},
-			status: jest.fn().mockReturnValue(res),
-			json: jest.fn().mockReturnValue(res)
+			status: jest.fn(),
+			json: jest.fn()
 		} as any;
 
+		(res.status as Mock).mockReturnValue(res);
+		(res.json as Mock).mockReturnValue(res);
+
 		// TODO: need to remove all references to 'kabakumov' in this file, just use jiraHost instead
 		testQueryParams = {
 			xdm_e: "https://kabakumov.atlassian.net",
@@ -219,6 +222,23 @@ describe("jwt", () => {
 				};
 			};
 
+			const buildRequestWithTokenInCookie = (): any => {
+				const jwtValue = encodeSymmetric({
+					qsh: "context-qsh",
+					iss: "jira"
+				}, testSecret);
+
+				return {
+					...baseRequest,
+					query: testQueryParams,
+					method: "POST",
+					headers: {},
+					cookies: {
+						jwt: jwtValue
+					}
+				};
+			};
+
 			it("Passes if token is in header", async () => {
 				const req = buildRequestWithTokenInHeader();
 				verifySymmetricJwtTokenMiddleware(testSecret, TokenType.context, req, res, next);
@@ -226,6 +246,23 @@ describe("jwt", () => {
 				expect(next).toBeCalledTimes(1);
 			});
 
+			it("Passes if token is in cookies", async () => {
+				const req = buildRequestWithTokenInCookie();
+				verifySymmetricJwtTokenMiddleware(testSecret, TokenType.context, req, res, next);
+				expect(res.status).toHaveBeenCalledTimes(0);
+				expect(next).toBeCalledTimes(1);
+			});
+
+			it("Token in headers has priority over token in cookies", async () => {
+				const req = buildRequestWithTokenInCookie();
+				req.headers = {
+					authorization: `JWT boom`
+				}
+				verifySymmetricJwtTokenMiddleware(testSecret, TokenType.context, req, res, next);
+				expect(res.status).toHaveBeenCalledWith(401);
+				expect(next).toBeCalledTimes(0);
+			});
+
 			it("Fails if there is no token", async () => {
 				const req = buildRequestWithNoToken();
 				verifySymmetricJwtTokenMiddleware(testSecret, TokenType.context, req, res, next);
diff --git a/src/jira/util/jwt.ts b/src/jira/util/jwt.ts
index 818b7707f0..7769ebaa02 100644
--- a/src/jira/util/jwt.ts
+++ b/src/jira/util/jwt.ts
@@ -28,7 +28,7 @@ export enum TokenType {
 	context = "context"
 }
 
-export function extractJwtFromRequest(req: Request): string | undefined {
+function extractJwtFromRequest(req: Request): string | undefined {
 	const tokenInQuery = req.query?.[JWT_PARAM];
 	const tokenInBody = req.body?.[JWT_PARAM];
 	if (tokenInQuery && tokenInBody) {

From fa7a3ae03d34bc4582c178089bbdaf8fc571c727 Mon Sep 17 00:00:00 2001
From: Gary Xue <gxue@atlassian.com>
Date: Thu, 2 Jun 2022 14:38:52 +1000
Subject: [PATCH 10/11] Add feature flags to backend and update tests

---
 src/config/feature-flags.ts                |   3 +-
 src/jira/util/jwt.test.ts                  |   2 +-
 src/middleware/jirahost-middleware.test.ts | 101 +++++++++++----------
 src/middleware/jirahost-middleware.ts      |  87 ++++++++----------
 4 files changed, 96 insertions(+), 97 deletions(-)

diff --git a/src/config/feature-flags.ts b/src/config/feature-flags.ts
index ad80363dda..21c23412ea 100644
--- a/src/config/feature-flags.ts
+++ b/src/config/feature-flags.ts
@@ -30,7 +30,8 @@ export enum BooleanFlags {
 	SEND_RELATED_COMMITS_WITH_DEPLOYMENT_ENTITIES = "send-related-commits-with-deployment-entities",
 	USE_NEW_GITHUB_CLIENT_FOR_PR_TITLE = "use-new-github-client-for-pr-title",
 	RETRY_ALL_ERRORS = "retry-all-errors",
-	GHE_SERVER = "ghe_server"
+	GHE_SERVER = "ghe_server",
+	SECURE_JIRAHOST_IN_COOKIES = "secure-jirahost-in-cookies"
 }
 
 export enum StringFlags {
diff --git a/src/jira/util/jwt.test.ts b/src/jira/util/jwt.test.ts
index 535555b18a..7cc56478fb 100644
--- a/src/jira/util/jwt.test.ts
+++ b/src/jira/util/jwt.test.ts
@@ -257,7 +257,7 @@ describe("jwt", () => {
 				const req = buildRequestWithTokenInCookie();
 				req.headers = {
 					authorization: `JWT boom`
-				}
+				};
 				verifySymmetricJwtTokenMiddleware(testSecret, TokenType.context, req, res, next);
 				expect(res.status).toHaveBeenCalledWith(401);
 				expect(next).toBeCalledTimes(0);
diff --git a/src/middleware/jirahost-middleware.test.ts b/src/middleware/jirahost-middleware.test.ts
index fa5bb16c2f..21c4b8f330 100644
--- a/src/middleware/jirahost-middleware.test.ts
+++ b/src/middleware/jirahost-middleware.test.ts
@@ -1,16 +1,20 @@
-import {NextFunction, Request, Response} from "express";
-import {jirahostMiddleware} from "./jirahost-middleware";
-import {verifyJiraJwtMiddleware } from "middleware/jira-jwt-middleware";
-import {postInstallUrl} from "routes/jira/jira-atlassian-connect-get";
-import {TokenType} from "~/src/jira/util/jwt";
+import { NextFunction, Request, Response } from "express";
+import { jirahostMiddleware } from "./jirahost-middleware";
+import { verifyJiraJwtMiddleware } from "middleware/jira-jwt-middleware";
+import { postInstallUrl } from "routes/jira/jira-atlassian-connect-get";
+import { TokenType } from "~/src/jira/util/jwt";
+import { booleanFlag } from "../config/feature-flags";
 
 jest.mock("middleware/jira-jwt-middleware");
 const mockVerifyJiraJwtMiddleware = (verifyJiraJwtMiddleware as any) as jest.Mock<typeof verifyJiraJwtMiddleware>;
 
+jest.mock("../config/feature-flags");
+const mockBooleanFlag = (booleanFlag as any) as jest.Mock<typeof booleanFlag>;
+
 const LEGIT_JIRA_HOST = "https://legit-jira-host.atlassian.net";
 const TEST_JWT_TOKEN = "TO_BE_DETERMINED";
 
-describe("jirahostMiddleware", () => {
+describe("await jirahostMiddleware", () => {
 
 	let req: Request, res: Response, next: NextFunction;
 	let mockJwtVerificationFn: jest.Mock;
@@ -21,48 +25,49 @@ describe("jirahostMiddleware", () => {
 		next = jest.fn();
 		mockJwtVerificationFn = jest.fn().mockImplementation((_, __, n) => n());
 		mockVerifyJiraJwtMiddleware.mockReturnValue(mockJwtVerificationFn);
+		mockBooleanFlag.mockReturnValue(async () => true);
 	});
 
 	describe("jiraHost is provided in session", ()=>{
 
-		it("should extract jiraHost from session when provided", ()=>{
+		it("should extract jiraHost from session when provided", async ()=>{
 
 			req.session.jiraHost = LEGIT_JIRA_HOST;
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(next).toBeCalled();
 		});
 
-		it("cookie should have priority", () => {
+		it("cookie should have priority", async () => {
 
 			req.cookies.jiraHost = LEGIT_JIRA_HOST;
 			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(next).toBeCalled();
 		});
 
-		it("xdm_e should have priority", () => {
+		it("xdm_e should have priority", async () => {
 
 			configureLegitJiraReq(req);
 			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(next).toBeCalled();
 		});
 
-		it("payload should have priority", () => {
+		it("payload should have priority", async () => {
 
 			configureLegitFrontendReq(req);
 			req.session.jiraHost = LEGIT_JIRA_HOST + "boo";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(next).toBeCalled();
@@ -76,40 +81,40 @@ describe("jirahostMiddleware", () => {
 			configureLegitJiraReq(req);
 		});
 
-		it("should extract jiraHost correctly from xdm_e query and call next()", () => {
+		it("should extract jiraHost correctly from xdm_e query and call next()", async () => {
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.normal);
 			expect(next).toBeCalled();
 		});
 
-		it("should not call next() when invalid", () => {
+		it("should not call next() when invalid", async () => {
 
 			mockJwtVerificationFn.mockImplementation(() => {
 				//dothing
 			});
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(next).not.toBeCalled();
 		});
 
-		it("should not be validated and used with wrong URL", () => {
+		it("should not be validated and used with wrong URL", async () => {
 
 			req.path = "/blah";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBeUndefined();
 			expect(mockJwtVerificationFn).not.toBeCalled();
 			expect(next).toBeCalled();
 		});
 
-		it("should use \"normal\" JWT token type", () => {
+		it("should use \"normal\" JWT token type", async () => {
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.normal);
 		});
@@ -122,40 +127,40 @@ describe("jirahostMiddleware", () => {
 			configureLegitFrontendReq(req);
 		});
 
-		it("should extract jiraHost correctly from request body", ()=>{
+		it("should extract jiraHost correctly from request body", async ()=>{
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
 			expect(next).toBeCalled();
 		});
 
-		it("should not call next() when not valid", ()=>{
+		it("should not call next() when not valid", async ()=>{
 
 			mockJwtVerificationFn.mockImplementation(() => {
 				//donothing
 			});
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(next).not.toBeCalled();
 		});
 
-		it("should not be validated and used when wrong URL", ()=>{
+		it("should not be validated and used when wrong URL", async ()=>{
 
 			req.path = "/blah";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBeUndefined();
 			expect(mockJwtVerificationFn).not.toBeCalled();
 			expect(next).toBeCalled();
 		});
 
-		it("should use \"context\" JWT token type", () => {
+		it("should use \"context\" JWT token type", async () => {
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
 		});
@@ -171,9 +176,9 @@ describe("jirahostMiddleware", () => {
 			req.cookies.jwt = TEST_JWT_TOKEN;
 		});
 
-		it("should extract jiraHost correctly from cookie, validate it and save to session", () => {
+		it("should extract jiraHost correctly from cookie, validate it and save to session", async () => {
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
@@ -181,70 +186,70 @@ describe("jirahostMiddleware", () => {
 			expect(next).toBeCalled();
 		});
 
-		it ("should be deleted from the cookies together with JWT token",  () => {
+		it ("should be deleted from the cookies together with JWT token",  async () => {
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.clearCookie).toBeCalledWith("jiraHost");
 			expect(res.clearCookie).toBeCalledWith("jwt");
 		});
 
-		it ("should not be saved in session and call next() when not valid",  () => {
+		it ("should not be saved in session and call next() when not valid",  async () => {
 
 			mockJwtVerificationFn.mockImplementation(() => {
 				//donothing
 			});
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(req.session.jiraHost).toBeUndefined();
 			expect(next).not.toBeCalled();
 		});
 
-		it("xdm_e should have priority", () => {
+		it("xdm_e should have priority", async () => {
 
 			configureLegitJiraReq(req);
 			req.cookies.jiraHost = LEGIT_JIRA_HOST + "boo";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 		});
 
-		it("xdm_e should be ignored and cookie is used when wrong URL", () => {
+		it("xdm_e should be ignored and cookie is used when wrong URL", async () => {
 
 			configureLegitJiraReq(req);
 			req.path = "/whatever";
 			req.cookies.jiraHost = LEGIT_JIRA_HOST + "boo";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST + "boo");
 		});
 
-		it("POST payload should have priority", () => {
+		it("POST payload should have priority", async () => {
 
 			configureLegitFrontendReq(req);
 			req.cookies.jiraHost = LEGIT_JIRA_HOST + "boo";
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.locals.jiraHost).toBe(LEGIT_JIRA_HOST);
 		});
 
-		it ("should be deleted from the cookies together with JWT token even when not used",  () => {
+		it ("should be deleted from the cookies together with JWT token even when not used",  async () => {
 
 			configureLegitFrontendReq(req);
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(res.clearCookie).toBeCalledWith("jiraHost");
 			expect(res.clearCookie).toBeCalledWith("jwt");
 		});
 
-		it("should use \"context\" JWT token type", () => {
+		it("should use \"context\" JWT token type", async () => {
 
-			jirahostMiddleware(req, res, next);
+			await jirahostMiddleware(req, res, next);
 
 			expect(mockVerifyJiraJwtMiddleware).toBeCalledWith(TokenType.context);
 		});
@@ -274,7 +279,7 @@ function getRes(): Response {
 function configureLegitJiraReq(req: Request) {
 	req.path = postInstallUrl;
 	req.method = "GET",
-	req.query = { xdm_e: LEGIT_JIRA_HOST }
+	req.query = { xdm_e: LEGIT_JIRA_HOST };
 	req.body = {};
 }
 
@@ -282,5 +287,5 @@ function configureLegitFrontendReq(req: Request) {
 	req.path = postInstallUrl;
 	req.method = "POST";
 	req.query = {};
-	req.body = {jiraHost: LEGIT_JIRA_HOST}
+	req.body = { jiraHost: LEGIT_JIRA_HOST };
 }
diff --git a/src/middleware/jirahost-middleware.ts b/src/middleware/jirahost-middleware.ts
index 0e1b45337a..4ce9b36afe 100644
--- a/src/middleware/jirahost-middleware.ts
+++ b/src/middleware/jirahost-middleware.ts
@@ -1,8 +1,9 @@
 // setup route middlewares
-import {NextFunction, Request, Response} from "express";
-import {verifyJiraJwtMiddleware} from "middleware/jira-jwt-middleware";
-import {TokenType} from "~/src/jira/util/jwt";
-import {postInstallUrl} from "routes/jira/jira-atlassian-connect-get";
+import { NextFunction, Request, Response } from "express";
+import { verifyJiraJwtMiddleware } from "middleware/jira-jwt-middleware";
+import { TokenType } from "~/src/jira/util/jwt";
+import { postInstallUrl } from "routes/jira/jira-atlassian-connect-get";
+import { booleanFlag, BooleanFlags } from "../config/feature-flags";
 
 
 const extractUnsafeJiraHost = (req: Request): string | null => {
@@ -16,14 +17,14 @@ const extractUnsafeJiraHost = (req: Request): string | null => {
 		return req.cookies.jiraHost;
 	}
 	return null;
-}
+};
 
 const detectJwtTokenType = (req: Request): TokenType => {
 	if (req.query.xdm_e) {
 		return TokenType.normal;
 	}
 	return TokenType.context;
-}
+};
 
 //
 // Updates res.locals.jiraHost based on values in the request if JWT validation is OK.
@@ -33,9 +34,16 @@ const detectJwtTokenType = (req: Request): TokenType => {
 //    fetched and JWT validation will fail.
 //
 //
-export const jirahostMiddleware = (req: Request, res: Response, next: NextFunction) => {
+export const jirahostMiddleware = async (req: Request, res: Response, next: NextFunction) => {
+
+	const isSecureJiraHostInCookies = await booleanFlag(BooleanFlags.SECURE_JIRAHOST_IN_COOKIES, false);
+	if (!isSecureJiraHostInCookies) {
+		return oldJirahostMiddleware(req, res, next);
+	}
+
 	const unsafeJiraHost = extractUnsafeJiraHost(req);
 
+
 	req.addLogFields({ jiraHost: unsafeJiraHost });
 
 	// JWT validation makes sure "res.locals.jiraHost" is legit, not the cookie value. To avoid
@@ -63,45 +71,30 @@ export const jirahostMiddleware = (req: Request, res: Response, next: NextFuncti
 		res.locals.jiraHost = req.session.jiraHost;
 		next();
 	}
+};
+
+const oldJirahostMiddleware = async (req: Request, res: Response, next: NextFunction) => {
+
+	if (req.cookies.jiraHost) {
+		// Save jirahost to secure session
+		req.session.jiraHost = req.cookies.jiraHost;
+		// delete jirahost from cookies.
+		res.clearCookie("jiraHost");
+	}
+
+	if (req.path == postInstallUrl && req.method == "GET") {
+		// Only save xdm_e query when on the GET post install url (iframe url)
+		res.locals.jiraHost = req.query.xdm_e as string;
+	} else if ((req.path == postInstallUrl && req.method != "GET") || req.path == "/jira/sync") {
+		// Only save the jiraHost from the body for specific routes that use it
+		res.locals.jiraHost = req.body?.jiraHost;
+	} else {
+		// Save jiraHost from session for any other URLs
+		res.locals.jiraHost = req.session.jiraHost;
+	}
+
+	req.addLogFields({ jiraHost: res.locals.jiraHost });
+
+	next();
 
-	//
-	//
-	// let jwtTokenType: (TokenType | null) = TokenType.context;
-	// let fromCookies = false;
-	//
-	// if (req.path == postInstallUrl && req.method == "GET") {
-	// 	// Only save xdm_e query when on the GET post install url (iframe url)
-	// 	res.locals.jiraHost = req.query.xdm_e as string;
-	// 	jwtTokenType = TokenType.normal;
-	// } else if ((req.path == postInstallUrl && req.method != "GET") || req.path == "/jira/sync") {
-	// 	// Only save the jiraHost from the body for specific routes that use it
-	// 	res.locals.jiraHost = req.body?.jiraHost;
-	// } else if (req.cookies.jiraHost) {
-	// 	res.locals.jiraHost = req.cookies.jiraHost;
-	// 	// JWT validation makes sure "res.locals.jiraHost" is legit, not the cookie value. To avoid
-	// 	// any temptation to use it later, let's remove it straight away!
-	// 	res.clearCookie("jiraHost");
-	// 	fromCookies = true;
-	// } else {
-	// 	res.locals.jiraHost = req.session.jiraHost;
-	// 	jwtTokenType = null;
-	// }
-	//
-	// req.addLogFields({ jiraHost: res.locals.jiraHost });
-	//
-	// if (jwtTokenType) {
-	// 	verifyJiraJwtMiddleware(jwtTokenType)(req, res, () => {
-	// 		// Cannot hold and rely on cookies because the issued context JWTs are short-lived
-	// 		// (enough to validate once but not enough for long-running routines)
-	// 		if (fromCookies) {
-	// 			req.session.jiraHost = res.locals.jiraHost;
-	// 		}
-	// 		// Cleaning up outside of "if" to unblock cookies if they were corrupted somehow
-	// 		// on any other successful validation (e.g. when /jira/configuration is refreshed)
-	// 		res.clearCookie("jwt");
-	// 		next();
-	// 	});
-	// } else {
-	// 	next();
-	// }
 };

From bccbaed68c157948104bdcc0bc27ec5982baa15a Mon Sep 17 00:00:00 2001
From: Gary Xue <gxue@atlassian.com>
Date: Thu, 2 Jun 2022 15:37:20 +1000
Subject: [PATCH 11/11] ARC-1355: Add feature flag to the extract jwt from
 cookie code

---
 src/jira/util/jwt.test.ts | 15 ++++++++++-----
 src/jira/util/jwt.ts      | 10 +++++++++-
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/jira/util/jwt.test.ts b/src/jira/util/jwt.test.ts
index 7cc56478fb..471b906031 100644
--- a/src/jira/util/jwt.test.ts
+++ b/src/jira/util/jwt.test.ts
@@ -6,9 +6,12 @@ import { when } from "jest-when";
 import { Request, Response } from "express";
 import Mock = jest.Mock;
 import { getLogger } from "config/logger";
+import { booleanFlag as mockBooleanFlag } from "../../config/feature-flags";
 
 jest.mock("./query-atlassian-connect-public-key");
 
+jest.mock("../../config/feature-flags");
+
 describe("jwt", () => {
 	let testQueryParams: Record<string, string>;
 	let res: Response;
@@ -91,6 +94,8 @@ describe("jwt", () => {
 			},
 			log: getLogger("jwt.test")
 		} as any;
+
+		(mockBooleanFlag as any).mockReturnValue(Promise.resolve(true));
 	});
 
 	describe("#verifySymmetricJwtTokenMiddleware", () => {
@@ -254,13 +259,13 @@ describe("jwt", () => {
 			});
 
 			it("Token in headers has priority over token in cookies", async () => {
-				const req = buildRequestWithTokenInCookie();
-				req.headers = {
-					authorization: `JWT boom`
+				const req = buildRequestWithTokenInHeader();
+				req.cookies = {
+					jwt: "JWT boom"
 				};
 				verifySymmetricJwtTokenMiddleware(testSecret, TokenType.context, req, res, next);
-				expect(res.status).toHaveBeenCalledWith(401);
-				expect(next).toBeCalledTimes(0);
+				expect(res.status).not.toBeCalled();
+				expect(next).toBeCalledTimes(1);
 			});
 
 			it("Fails if there is no token", async () => {
diff --git a/src/jira/util/jwt.ts b/src/jira/util/jwt.ts
index 7769ebaa02..e0f24dfaf9 100644
--- a/src/jira/util/jwt.ts
+++ b/src/jira/util/jwt.ts
@@ -6,6 +6,7 @@ import { NextFunction, Request, Response } from "express";
 import { envVars }  from "config/env";
 import { queryAtlassianConnectPublicKey } from "./query-atlassian-connect-public-key";
 import { includes, isEmpty } from "lodash";
+import { booleanFlag, BooleanFlags } from "../../config/feature-flags";
 
 const JWT_PARAM = "jwt";
 const AUTH_HEADER = "authorization"; // the header name appears as lower-case
@@ -28,7 +29,14 @@ export enum TokenType {
 	context = "context"
 }
 
+let secureJiraHostInCookies;
+
+
 function extractJwtFromRequest(req: Request): string | undefined {
+
+	booleanFlag(BooleanFlags.SECURE_JIRAHOST_IN_COOKIES, false)
+		.then(flag=>secureJiraHostInCookies = flag); //ignore error
+
 	const tokenInQuery = req.query?.[JWT_PARAM];
 	const tokenInBody = req.body?.[JWT_PARAM];
 	if (tokenInQuery && tokenInBody) {
@@ -47,7 +55,7 @@ function extractJwtFromRequest(req: Request): string | undefined {
 		}
 	}
 
-	if (!token) {
+	if (!token && secureJiraHostInCookies) {
 		token = req.cookies?.[JWT_PARAM];
 		if (token) {
 			req.log.info("JWT token found in cookies (last resort)");