Is it possible to use the Authorize API to secure a webtrigger module? I’ve attempted the following and receive an error indicating that Authentication is not initialized. The two webtrigger examples provided in the documentation seem dangerous in that they expose functionality to completely anonymous clients.
const canAssign = await authorize().onJiraIssue(issueKey).canAssign()
Isn’t the whole purpose of the Webtrigger to enable communication with Forge from an external source? As such there is no authentication context available. If you want to “secure” the call, you will need to add some form of API key verification yourself.
I’m not aware of any documentation regarding the purpose of the webtrigger module. Its possible that you are correct but the purpose I’m pursuing does not involve an external system with its own user base. I I’d like to hear from the Forge team whether there is, or will be, support for the use case I’m pursuing. Although I have more intended usage, my use case is common for testing scheduled triggers and would minimally be useful there. I’ll also mention that my usage could help enable complex interactions with Jira Automation which could be quite valuable.
Hi @AdamKarl ,
Each webtrigger is created in the context of a unique combination of module key, app, site, product and Forge environment. There is, however, no real user in context when a webtrigger executes and since the authorize API validates the current user’s permission, it doesn’t make sense when used within a webtrigger.
There is a feature request to provide Web triggers with authentication or authorization, but unfortunately it does not appear to be roadmapped.
You may also like to take a look at Forge’s shared responsibility model which indicates developers have more responsibilities to ensure webtrigger code is secure than other parts of Forge code.
Thank you for the definitive response