Checking if user is Jira admin (or has some other global permission) from server

Hi, I would like to propose another solution to the problem that most of the marketplace vendors have, i.e. authorization of the custom endpoints in the ac-express and ac-spring-boot frameworks. However, it would require Atlassian's help.

I have described it here

What we really need is a secure way to check whether our endpoint is called by a user with the same roles that are defined by conditions used in connect modules in atlassian-connect, i.e. user_is_admin, user_is_project_admin, user_is_logged_in.
Basically, we want to restrict our endpoints in the same way we restrict access to the pages/panels where they are supposed to be used.

We could have that information in a token received by AP.context.getToken(). This token is sent to the app's server anyway and it already contains context claims, e.g. issueId, accountId, etc. This token is decoded on the server side; the context claim would need to be exposed by ac-express and ac-spring-boot, but this is already happening: [ACSPRING-88] - Ecosystem Jira

It would be secure and wouldn't force us to declare scopes that we don't need; what is more, calls to mypermission would no longer be needed. Right now, most vendors avoid securing their endpoints, being afraid that it will impact their apps' performance: 1 more call to Jira on each endpoint. You could say permissions can be cached, but that solves 1 problem and at the same time introduces many more.