Hi,
We’re currently migrating our Forge apps to Node 20.x runtimes, as the sandbox runtime has been deprecated for some time. The new runtime brings new developer responsibilities, specifically:
- Your app must not persist customer data or sensitive content in a global state, in memory or on disk, between subsequent invocations.
(as stated in the Legacy Runtime Migration documentation)
We’re using the Forge Async Events API for long-running tasks in our app, which provides a queue to handle these tasks. However, these queues need to be globally defined.
We’re unsure about the implications of submitting a job with customer data as payload to a queue. From our understanding, this is equivalent to storing the data in memory, as it may not be processed immediately. We’re wondering:
- Should we avoid sending customer payload to the queue and instead save the payload (e.g., in Forge storage) and send only the identifier as payload?
- Is it acceptable to have customer data as payload in the queue, as Atlassian takes care of preventing data leakage (similar to Forge storage)?
A related question is: Does Atlassian ensure that queue events are customer-specific, even though the runtime is no longer sandboxed?
Best regards,
Jason
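The first option raised in the question (keep the payload in storage, enqueue only an identifier) can be sketched as follows. This is an added example, not part of the original post and not Atlassian's code: `submitJob`, `handleJob`, the key prefix and the `storage`/`queue` object shapes are hypothetical, and in-memory stand-ins replace the real storage and queue so it runs offline.

```javascript
// Claim-check sketch: the queue event carries only an opaque reference.
// `storage` (set/get/delete) and `queue` (push) are injected; shapes assumed.
const PREFIX = 'job-payload:'; // hypothetical key prefix

async function submitJob(storage, queue, payload) {
  const { randomUUID } = await import('node:crypto'); // works in CJS and ESM
  const ref = PREFIX + randomUUID();
  await storage.set(ref, payload); // customer data goes to storage
  await queue.push({ ref }); // the event itself holds no customer data
  return ref;
}

async function handleJob(storage, event, work) {
  const payload = await storage.get(event.ref); // held in a local variable only
  if (payload === undefined) return { status: 'missing' }; // replayed or cleaned up
  const result = await work(payload);
  await storage.delete(event.ref); // on failure the payload stays for a retry
  return { status: 'done', result };
}

// Constructed in-memory stand-ins, created per call rather than at module
// level, so nothing outlives one run of demo().
function makeStandIns() {
  const data = new Map();
  const events = [];
  return {
    storage: {
      set: async (k, v) => { data.set(k, v); },
      get: async (k) => data.get(k),
      delete: async (k) => { data.delete(k); },
    },
    queue: { push: async (e) => { events.push(e); } },
    data,
    events,
  };
}

async function demo() {
  const { storage, queue, data, events } = makeStandIns();
  const payload = { issueKey: 'DEMO-1', comment: 'constructed sample text' };
  const ref = await submitJob(storage, queue, payload);
  const queued = JSON.stringify(events); // what a queue would actually hold
  const outcome = await handleJob(storage, events[0], async (p) => p.comment.length);
  const replay = await handleJob(storage, events[0], async () => 0);
  return { ref, queued, outcome, replay, remaining: data.size };
}
```

A job whose `work` callback throws leaves its payload in storage, so this pattern also needs a cleanup policy for abandoned references.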