mattermost · abbas-dependable-naqvi · Jun 3, 2025 · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025
@@ -12,9 +12,10 @@ import (
 )
 
 var atlassianConnectJSON = &Endpoint{
-	Path:    "/atlassian-connect.json",
-	Method:  http.MethodGet,
-	Execute: renderAtlassianConnectJSON,
+	Path:            "/atlassian-connect.json",
+	Method:          http.MethodGet,
+	Execute:         renderAtlassianConnectJSON,
+	IsAuthenticated: false,
 }
 
 func renderAtlassianConnectJSON(w http.ResponseWriter, r *http.Request, _ *Plugin) {

@@ -11,9 +11,10 @@ import (
 )
 
 var confluenceCloudWebhook = &Endpoint{
-	Path:    "/cloud/{event:[A-Za-z0-9_]+}",
-	Method:  http.MethodPost,
-	Execute: handleConfluenceCloudWebhook,
+	Path:            "/cloud/{event:[A-Za-z0-9_]+}",
+	Method:          http.MethodPost,
+	Execute:         handleConfluenceCloudWebhook,
+	IsAuthenticated: false,
 }
 
 func handleConfluenceCloudWebhook(w http.ResponseWriter, r *http.Request, p *Plugin) {

@@ -18,9 +18,10 @@ import (
 )
 
 var confluenceServerWebhook = &Endpoint{
-	Path:    "/server/webhook",
-	Method:  http.MethodPost,
-	Execute: handleConfluenceServerWebhook,
+	Path:            "/server/webhook",
+	Method:          http.MethodPost,
+	Execute:         handleConfluenceServerWebhook,
+	IsAuthenticated: false,
 }
 
 func handleConfluenceServerWebhook(w http.ResponseWriter, r *http.Request, p *Plugin) {
@@ -119,7 +120,13 @@ func handleConfluenceServerWebhook(w http.ResponseWriter, r *http.Request, p *Pl
 
 		notification.SendConfluenceNotifications(eventData, event.Event, p.BotUserID)
 	} else {
-		event := serializer.ConfluenceServerEventFromJSON(r.Body)
+		event, err := serializer.ConfluenceServerEventFromJSON(r.Body)
+		if err != nil {
+			p.client.Log.Error("Error occurred while unmarshalling Confluence server webhook payload", "error", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
 		go service.SendConfluenceNotifications(event, event.Event)
 	}
 

@@ -17,9 +17,10 @@ import (
 )
 
 type Endpoint struct {
-	Path    string
-	Method  string
-	Execute func(w http.ResponseWriter, r *http.Request, p *Plugin)
+	Path            string
+	Method          string
+	Execute         func(w http.ResponseWriter, r *http.Request, p *Plugin)
+	IsAuthenticated bool
 }
 
 // Endpoints is a map of endpoint key to endpoint object
@@ -50,12 +51,26 @@ func (p *Plugin) InitAPI() *mux.Router {
 	s := r.PathPrefix("/api/v1").Subrouter()
 	for _, endpoint := range Endpoints {
 		handler := endpoint.Execute
+		if endpoint.IsAuthenticated {
+			s.HandleFunc(endpoint.Path, p.checkAuth(p.wrapHandler(handler))).Methods(endpoint.Method)
+		}
 		s.HandleFunc(endpoint.Path, p.wrapHandler(handler)).Methods(endpoint.Method)
 	}
 
 	return r
 }
 
+func (p *Plugin) checkAuth(handler http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		userID := r.Header.Get(config.HeaderMattermostUserID)
+		if userID == "" {
+			http.Error(w, "Not authorized", http.StatusUnauthorized)
+			return
+		}
+		handler(w, r)
+	}
+}
+
 // wrapHandler ensures the plugin is passed to the handler
 func (p *Plugin) wrapHandler(handler func(http.ResponseWriter, *http.Request, *Plugin)) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

@@ -13,9 +13,10 @@ import (
 )
 
 var editChannelSubscription = &Endpoint{
-	Path:    "/{channelID:[A-Za-z0-9]+}/subscription/{type:[A-Za-z_]+}",
-	Method:  http.MethodPut,
-	Execute: handleEditChannelSubscription,
+	Path:            "/{channelID:[A-Za-z0-9]+}/subscription/{type:[A-Za-z_]+}",
+	Method:          http.MethodPut,
+	Execute:         handleEditChannelSubscription,
+	IsAuthenticated: true,
 }
 
 const subscriptionEditSuccess = "Your subscription has been edited successfully."

@@ -10,9 +10,10 @@ import (
 )
 
 var getChannelSubscription = &Endpoint{
-	Path:    "/{channelID:[A-Za-z0-9]+}/subscription",
-	Method:  http.MethodGet,
-	Execute: handleGetChannelSubscription,
+	Path:            "/{channelID:[A-Za-z0-9]+}/subscription",
+	Method:          http.MethodGet,
+	Execute:         handleGetChannelSubscription,
+	IsAuthenticated: true,
 }
 
 func handleGetChannelSubscription(w http.ResponseWriter, r *http.Request, _ *Plugin) {

@@ -5,8 +5,6 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/pkg/errors"
-
 	"github.com/mattermost/mattermost-plugin-confluence/server/config"
 	"github.com/mattermost/mattermost-plugin-confluence/server/service"
 	"github.com/mattermost/mattermost-plugin-confluence/server/store"
@@ -15,21 +13,16 @@ import (
 )
 
 var autocompleteGetChannelSubscriptions = &Endpoint{
-	Path:    "/autocomplete/GetChannelSubscriptions",
-	Method:  http.MethodGet,
-	Execute: handleGetChannelSubscriptions,
+	Path:            "/autocomplete/GetChannelSubscriptions",
+	Method:          http.MethodGet,
+	Execute:         handleGetChannelSubscriptions,
+	IsAuthenticated: true,
 }
 
 func handleGetChannelSubscriptions(w http.ResponseWriter, r *http.Request, _ *Plugin) {
-	mattermostUserID := r.Header.Get("Mattermost-User-Id")
-	if mattermostUserID == "" {
-		_, _ = respondErr(w, http.StatusUnauthorized, errors.New("not authorized"))
-		return
-	}
-
 	pluginConfig := config.GetConfig()
 	if pluginConfig.ServerVersionGreaterthan9 {
-		conn, err := store.LoadConnection(pluginConfig.ConfluenceURL, mattermostUserID)
+		conn, err := store.LoadConnection(pluginConfig.ConfluenceURL, r.Header.Get(config.HeaderMattermostUserID))
 		if err != nil {
 			if strings.Contains(err.Error(), "not found") {
 				out := []model.AutocompleteListItem{}

@@ -9,19 +9,22 @@ const (
 )
 
 var userConnect = &Endpoint{
-	Path:    routeUserConnect,
-	Method:  http.MethodGet,
-	Execute: httpOAuth2Connect,
+	Path:            routeUserConnect,
+	Method:          http.MethodGet,
+	Execute:         httpOAuth2Connect,
+	IsAuthenticated: true,
 }
 
 var userConnectComplete = &Endpoint{
-	Path:    routeUserComplete,
-	Method:  http.MethodGet,
-	Execute: httpOAuth2Complete,
+	Path:            routeUserComplete,
+	Method:          http.MethodGet,
+	Execute:         httpOAuth2Complete,
+	IsAuthenticated: true,
 }
 
 var userConnectionInfo = &Endpoint{
-	Path:    routeUserConnectionInfo,
-	Method:  http.MethodGet,
-	Execute: httpGetUserInfo,
+	Path:            routeUserConnectionInfo,
+	Method:          http.MethodGet,
+	Execute:         httpGetUserInfo,
+	IsAuthenticated: true,
 }
@@ -15,9 +15,10 @@ import (
 const subscriptionSaveSuccess = "Your subscription has been saved."
 
 var saveChannelSubscription = &Endpoint{
-	Path:    "/{channelID:[A-Za-z0-9]+}/subscription/{type:[A-Za-z_]+}",
-	Method:  http.MethodPost,
-	Execute: handleSaveSubscription,
+	Path:            "/{channelID:[A-Za-z0-9]+}/subscription/{type:[A-Za-z_]+}",
+	Method:          http.MethodPost,
+	Execute:         handleSaveSubscription,
+	IsAuthenticated: true,
 }
 
 func handleSaveSubscription(w http.ResponseWriter, r *http.Request, _ *Plugin) {

@@ -174,12 +174,14 @@ type ConfluenceServerWebhookPayload struct {
 	Space     SpacePayload   `json:"space"`
 }
 
-func ConfluenceServerEventFromJSON(data io.Reader) *ConfluenceServerEvent {
+func ConfluenceServerEventFromJSON(data io.Reader) (*ConfluenceServerEvent, error) {
 	var confluenceServerEvent ConfluenceServerEvent
 	if err := json.NewDecoder(data).Decode(&confluenceServerEvent); err != nil {
 		config.Mattermost.LogError("Unable to decode JSON for ConfluenceServerEvent.", "Error", err.Error())
+		return nil, err
 	}
-	return &confluenceServerEvent
+
+	return &confluenceServerEvent, nil
 }
 
 func (e *ConfluenceServerEvent) GetUserDisplayName(withLink bool) string {

@@ -31,13 +31,7 @@ func httpOAuth2Connect(w http.ResponseWriter, r *http.Request, p *Plugin) {
 	}
 
 	isAdmin := IsAdmin(w, r)
-
-	mattermostUserID := r.Header.Get("Mattermost-User-Id")
-	if mattermostUserID == "" {
-		_, _ = respondErr(w, http.StatusUnauthorized,
-			errors.New("not authorized"))
-		return
-	}
+	mattermostUserID := r.Header.Get(config.HeaderMattermostUserID)
 
 	instanceURL := config.GetConfig().GetConfluenceBaseURL()
 	if instanceURL == "" {
@@ -95,12 +89,6 @@ func httpOAuth2Complete(w http.ResponseWriter, r *http.Request, p *Plugin) {
 		return
 	}
 
-	mattermostUserID := r.Header.Get(config.HeaderMattermostUserID)
-	if mattermostUserID == "" {
-		http.Error(w, "not authorized", http.StatusUnauthorized)
-		return
-	}
-
 	instanceURL := config.GetConfig().GetConfluenceBaseURL()
 	if instanceURL == "" {
 		http.Error(w, "missing confluence base url", http.StatusInternalServerError)
@@ -109,7 +97,7 @@ func httpOAuth2Complete(w http.ResponseWriter, r *http.Request, p *Plugin) {
 
 	isAdmin := IsAdmin(w, r)
 
-	cuser, mmuser, err := p.CompleteOAuth2(mattermostUserID, code, state, instanceURL, isAdmin)
+	cuser, mmuser, err := p.CompleteOAuth2(r.Header.Get(config.HeaderMattermostUserID), code, state, instanceURL, isAdmin)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -317,13 +305,7 @@ func httpGetUserInfo(w http.ResponseWriter, r *http.Request, p *Plugin) {
 		return
 	}
 
-	mattermostUserID := r.Header.Get("Mattermost-User-Id")
-	if mattermostUserID == "" {
-		_, _ = respondErr(w, http.StatusUnauthorized,
-			errors.New("not authorized"))
-		return
-	}
-
+	mattermostUserID := r.Header.Get(config.HeaderMattermostUserID)
 	serverVersionGreaterThan9 := config.GetConfig().ServerVersionGreaterthan9
 
 	if !serverVersionGreaterThan9 {