Skip to content

[feature] SC-166737/improve app proxy security by restricting where token replacements can go #97

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
HappyPaul55 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[feature] SC-166737/improve app proxy security by restricting where token replacements can go #97

HappyPaul55 wants to merge 2 commits into from

Conversation

@HappyPaul55
Copy link
Contributor

@HappyPaul55 HappyPaul55 commented Nov 19, 2025

This pull request updates the proxy configuration in manifest.json to support dynamic injection of authentication settings for Atlassian API requests. The main change is the addition of the settingsInjection field, which allows sensitive credentials and tokens to be injected into request headers or bodies as needed for different endpoints.

Proxy configuration enhancements:

  • Added settingsInjection for the https://auth.atlassian.com/.* endpoint, enabling injection of client_id and client_secret into the request body, and api_token into the header.
  • Updated the https://(.*).atlassian.net/.* and https://api.atlassian.com/.* endpoints to support injection of api_key and username into request headers via the new settingsInjection field.

@HappyPaul55 HappyPaul55 requested a review from Copilot November 19, 2025 11:37
@HappyPaul55 HappyPaul55 requested a review from a team as a code owner November 19, 2025 11:37
Copilot AI reviewed Nov 19, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the proxy configuration security by introducing the settingsInjection field to restrict where sensitive authentication settings can be injected. The changes limit token and credential replacements to specific headers or body fields for each Atlassian API endpoint, reducing potential security vulnerabilities.

Key changes:

  • Added settingsInjection configuration for three Atlassian endpoints to control where credentials can be injected
  • Reordered proxy whitelist entries (moved auth.atlassian.com to the top)
  • Restricted credential injection to specific locations (headers or body) per endpoint

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions
Copy link

github-actions bot commented Nov 19, 2025
edited
Loading

Build for commit 40a09b7 deployed to: https://jira-pr-97.ci.next.deskprodemo.com

URLs:
https://jira-pr-97.ci.next.deskprodemo.com/horizon-ui/app

@HappyPaul55
Update manifest.json
40a09b7 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HappyPaul55