Dynamic fetch permissions

We would like to extend our Forge app’s fetch sources to include Bitbucket DC instances.
For cloud-based sources we can explicitly define these in the manifest (permissions → external → fetch → backend → ‘https://api.source.com’).
For BB DC, ideally, the user would be permitted to add and authorize custom permissions. However, this does not seem to be possible.
Our app could use a proxy, but this workaround would introduce an extra potential POF and security concern.
Is there a Forge feature/config to handle this use case and I’m just not seeing it? Or is there a recommended approach?


Why don’t you just allow all URLs?

        - '*'

This is totally acceptable and recommended, and it shows up like this to your end users in the consent screen:

Thanks for the response! We would prefer dynamic, so the user can control what is being accessed. But until that is implemented in Forge, this seems to be the best/only option.


Hi all, I would also like something like the Allowlist on Confluence Data Center, where the user can define what domains are allowed. But thanks for sharing this, I was too afraid to use the all-matching asterisk ^^
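
With the `'*'` egress discussed in this thread, the app can still restrict outbound calls in its own code to the Bitbucket DC base URLs an admin has configured. The sketch below is an added example, not code from any poster or from Forge; `normalizeBase`, `assertAllowed`, `guardedFetch`, the injected `fetchImpl` and the example hosts are assumptions for illustration.

```javascript
// Added example: enforce an admin-configured allowlist in app code when the
// manifest egress is '*'. All names and hosts here are hypothetical.

// Turn an admin-entered base URL into an origin plus a path prefix ending in '/'.
function normalizeBase(base) {
  const u = new URL(base);
  if (u.protocol !== 'https:') throw new Error('base URL must use https');
  if (u.username || u.password) throw new Error('base URL must not carry credentials');
  return { origin: u.origin, path: u.pathname.endsWith('/') ? u.pathname : u.pathname + '/' };
}

// Return the parsed URL if it sits under an allowed base; throw otherwise.
function assertAllowed(target, allowedBases) {
  let u;
  try {
    u = new URL(target);
  } catch {
    throw new Error('not an absolute URL');
  }
  if (u.protocol !== 'https:' || u.username || u.password) {
    throw new Error('only plain https URLs are accepted');
  }
  for (const base of allowedBases) {
    const b = normalizeBase(base);
    // Compare the whole origin (scheme, host, port), never a substring of the host.
    if (u.origin === b.origin && (u.pathname + '/').startsWith(b.path)) return u;
  }
  throw new Error(`destination not on allowlist: ${u.host}`);
}

// Validate first, then call the injected fetch without following redirects,
// so a 3xx from an allowed host cannot send the request somewhere else.
function guardedFetch(fetchImpl, target, allowedBases, init = {}) {
  const u = assertAllowed(target, allowedBases);
  return fetchImpl(u.href, { ...init, redirect: 'manual' });
}

// Constructed sample configuration (not real instances).
const ALLOWED = ['https://bitbucket.example.com/bitbucket', 'https://git.example.org:8443'];
```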

