JWT Authentication Vulnerability

Hakeem Baba January 5, 2024

I have a Connect app in the Atlassian app marketplace that is failing the JWT authentication vulnerability scanner. Below is a sample of the vulnerability description from the security scanner:

Vulnerability Description
The EcoScanner check, Authentication of Application Resources, for Connect Security Requirements Tester has reported the following issue:

  • One or more endpoints returned a <400 status code without authentication information. This may indicate that your app is not performing authentication and authorization checks.

  • JWT token used by the scanner is a fake JWT generated for testing purposes.

  • Note: If you think authentication is absolutely not required on reported endpoints, please raise a review on the vulnerability ticket raised and Atlassian EcoAppSec team will take a look.

My app is a Ruby on Rails app. I have tried to create a method that checks for a valid JWT token in all POST requests to my app. I then use this method in my webhook endpoints. Yet, that has not solved the JWT authentication vulnerability issue. How do I fix that?

# Requires the `jwt` gem (ruby-jwt). Returns true when the request carries a valid
# token, otherwise renders a 401 and returns false. Either wire it as a
# `before_action` (there, rendering halts the filter chain by itself) or call it
# as `return unless check_jwt(user)` at the top of an action. Raising an exception
# after `render`, as the original did, discards the 401 and produces a 500 error page.
def check_jwt(user)
  authorization_header = request.headers['Authorization']

  # Ensure the Authorization header exists and starts with "JWT "
  unless authorization_header&.start_with?('JWT ')
    render json: { error: 'Unauthorized' }, status: :unauthorized
    return false
  end

  jwt_token = authorization_header[4..-1]
  shared_secret = user.shared_secret

  begin
    # Pin the algorithm so the token's own `alg` header cannot pick the check;
    # ruby-jwt also verifies `exp` by default.
    decoded_token = JWT.decode(jwt_token, shared_secret, true, { algorithm: 'HS256' })
  rescue JWT::DecodeError
    render json: { error: 'Unauthorized' }, status: :unauthorized
    return false
  end

  # Continue processing with the decoded token: [claims, header]
  @jwt_claims = decoded_token.first
  true
end


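The following is an added example, not code from the original post or from Atlassian's own libraries. It shows the checks the scanner is exercising, applied to every request rather than only to webhook POSTs: look up the tenant's shared secret from the token's `iss`, pin the algorithm, verify the HS256 signature in constant time, check `exp`, and verify the `qsh` claim that binds the token to the exact method, path and query it arrived on. It uses only the Ruby standard library so it runs without Rails or the jwt gem; the `ConnectJwt` module name, the `TENANTS` table, the `client-key-1234` tenant and its shared secret are constructed for the example, and the Rails wiring in the trailing comment assumes an `ApplicationController`.

```ruby
# Added example, not the original poster's code: verifying an incoming Atlassian
# Connect JWT (HS256 over the tenant's shared secret) with the Ruby standard library only.
require 'openssl'
require 'digest'
require 'json'

module ConnectJwt
  class Error < StandardError; end
  ALLOWED_ALG = 'HS256'.freeze

  # Constructed sample tenant store: clientKey (the token's `iss`) => shared secret.
  # A real app reads this from the record saved at the `installed` lifecycle callback.
  TENANTS = { 'client-key-1234' => 'constructed-shared-secret-not-a-real-one' }.freeze

  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    (str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)).unpack1('m0')
  rescue ArgumentError
    raise Error, 'invalid base64url'
  end

  # RFC 3986 percent-encoding: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay bare.
  def self.rfc3986_encode(str)
    str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end

  # Canonical request behind the `qsh` claim: METHOD&path&query. Method upper-cased,
  # trailing slash dropped (except for "/"), the `jwt` parameter excluded, keys sorted,
  # repeated values sorted and comma-joined, and an empty query still leaves the trailing
  # '&'. Assumes the app is served at its base URL root, so request.path needs no trimming.
  def self.canonical_request(method, path, query = {})
    path = path.chomp('/') unless path == '/'
    pairs = query.reject { |k, _| k.to_s == 'jwt' }.sort_by { |k, _| k.to_s }
    qs = pairs.map do |k, v|
      "#{rfc3986_encode(k)}=#{Array(v).map { |x| rfc3986_encode(x) }.sort.join(',')}"
    end.join('&')
    "#{method.to_s.upcase}&#{path}&#{qs}"
  end

  def self.qsh(method, path, query = {})
    Digest::SHA256.hexdigest(canonical_request(method, path, query))
  end

  # Constant-time comparison: a signature check must not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verifies the Authorization header against the request it arrived on and returns
  # the claims. Raises ConnectJwt::Error on any failure; the caller answers with 401.
  def self.verify(header_value, method:, path:, query: {}, now: Time.now.to_i)
    raise Error, 'missing "Authorization: JWT ..." header' unless header_value.to_s.start_with?('JWT ')
    parts = header_value[4..-1].strip.split('.')
    raise Error, 'malformed token' unless parts.length == 3 && parts.none?(&:empty?)
    header = JSON.parse(b64url_decode(parts[0]))
    claims = JSON.parse(b64url_decode(parts[1]))
    raise Error, 'malformed token' unless header.is_a?(Hash) && claims.is_a?(Hash)
    # Pin the algorithm: the token's own `alg` (e.g. "none") must never choose the check.
    raise Error, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == ALLOWED_ALG
    secret = TENANTS[claims['iss']]
    raise Error, 'unknown iss (tenant not installed)' if secret.nil?
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
    raise Error, 'bad signature' unless secure_equal?(b64url_decode(parts[2]), expected)
    raise Error, 'token expired or missing exp' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
    # qsh binds the token to this method, path and query: a token captured on one
    # endpoint must not open another.
    raise Error, 'qsh mismatch' unless claims['qsh'] == qsh(method, path, query)
    claims
  rescue JSON::ParserError
    raise Error, 'malformed token'
  end

  # Signing helper used only to build constructed sample tokens; in production
  # Atlassian signs and the app only verifies.
  def self.sign(claims, secret)
    head = b64url_encode(JSON.generate({ 'typ' => 'JWT', 'alg' => ALLOWED_ALG }))
    body = b64url_encode(JSON.generate(claims))
    "#{head}.#{body}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}"))}"
  end
end

# Rails wiring (assumed controller names, not runnable here). A before_action that
# renders halts the filter chain by itself, so nothing is raised after `render`, and
# placing it on ApplicationController covers every route the scanner can reach,
# GET included, not only the webhook POSTs.
#
#   before_action :require_connect_jwt
#
#   def require_connect_jwt
#     @connect_claims = ConnectJwt.verify(request.headers['Authorization'],
#                                         method: request.method, path: request.path,
#                                         query: request.query_parameters)
#   rescue ConnectJwt::Error
#     render json: { error: 'Unauthorized' }, status: :unauthorized
#   end
```

A token produced with `ConnectJwt.sign` for `POST /webhook` verifies on that request and is rejected with `qsh mismatch` when replayed against any other method or path; a missing header, a `Bearer` header, an `alg: none` header, an unknown `iss`, a tampered payload and an expired token each raise a `ConnectJwt::Error` before any claim is trusted. Two caveats: the `installed` and `uninstalled` lifecycle callbacks are a separate case, since the app has no shared secret yet when the first one arrives and Atlassian signs those differently, so they need their own handling; and if the app is mounted under a path prefix, the path fed to the `qsh` computation must be made relative to the app's base URL first.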
0 answers

Deployment type: Cloud
Product plan: Free
Permissions level: Product Admin
Tags: AUG Leaders
