FYI: Forge migration allows running any Connect app as licensed

There is a quirk in the way Connect to Forge migration works that allows you to run any Connect marketplace app without licensing, as far as I can tell.

TL;DR: If your app is Connect only, it can be run without a license. AFAIK this will be ‘fixed’ once your app is a “Forge” app (Connect on Forge is enough), as the manifest is then private.

Steps to Reproduce

  1. Go to the marketplace and find an app that has a “Get the descriptor file” link at the end (e.g. Atlassian Marketplace). Copy the URL the descriptor points to.

  2. Use the connect-to-forge utility (https://www.npmjs.com/package/@atlassian/connect-to-forge) to create a Forge descriptor for the app. E.g.: npx @atlassian/connect-to-forge@latest --type confluence --url https://marketplace.atlassian.com/download/apps/1228981/version/1001016/descriptor

  3. Register that app: forge register. Give it a name when prompted.

  4. Deploy the app to staging: forge deploy -e staging

  5. Install the app to your own site with forge, e.g.: forge install --license active --product confluence --site https://my-site.atlassian.net/ --environment staging

  6. The app runs now, without any license ever passed to it.

  7. In the Connect back-end, the &lic=active parameter is set. Unless the app does extra license checks, it looks like a licensed app to the Connect back-end.

What I didn’t check is what the license REST endpoints return. So, if your app checks more than the &lic= parameter, using the license REST endpoints, it might be immune.

PS: I might have overlooked something and it doesn’t work in practice =)

17 Likes
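The post above says an app that only looks at the &lic= parameter appears licensed to the Connect back-end, while one that also consults the license REST endpoints might be immune. As an added example (mine, not the original poster's and not Atlassian's code), here is what that stricter server-side gate looks like in Node.js, with the weak check beside it. The tenant table, the response shape and the `lookupLicense` stand-in are constructed for the example; the endpoint path named in the comment is an assumption to confirm against the current Connect documentation.

```javascript
// Added example (not from the original post): a Connect app's server-side
// license gate that does not trust the host-supplied `lic` query parameter on
// its own. Names, the tenant table and the response shape are constructed for
// this example; `lookupLicense` stands in for the JWT-authenticated GET a real
// app would make to the host's add-on status endpoint (assumed here to be
// /rest/atlassian-connect/1/addons/{addonKey}, which reports a `license` object).

// Read the `lic` parameter the host appends to iframe and webhook URLs.
// Returns "active", "none", or null when the parameter is absent.
function licParam(requestUrl) {
  const value = new URL(requestUrl).searchParams.get("lic");
  return value === null ? null : value.toLowerCase();
}

// The pattern the post describes as bypassable: the only evidence of a license
// is a query parameter that whoever installed the app effectively controls.
function weakIsLicensed(requestUrl) {
  return licParam(requestUrl) === "active";
}

// Constructed stand-in for the host's license endpoint, keyed by the tenant's
// clientKey from the installed lifecycle payload. A real implementation would
// issue the HTTP request and parse the JSON body; this table is made up.
const constructedTenants = {
  "tenant-paid": { license: { active: true, type: "COMMERCIAL" } },
  "tenant-expired": { license: { active: false, type: "COMMERCIAL" } },
  "tenant-unlicensed": { license: { active: false, type: "NONE" } },
};
function lookupLicense(clientKey) {
  const record = constructedTenants[clientKey];
  if (!record) throw new Error(`unknown tenant ${clientKey}`);
  return record;
}

// Stricter gate: the request must carry lic=active AND the host's own license
// record for that tenant must be active. Any lookup failure denies (fail
// closed). Disagreement between the two sources is reported as `mismatch` so
// it can be logged and alerted on: lic=active with no active host license is
// the combination a side-loaded install claiming a license would produce.
function strictLicenseDecision(requestUrl, clientKey, lookup = lookupLicense) {
  const paramActive = licParam(requestUrl) === "active";
  let hostActive = false;
  let lookupError = null;
  try {
    const record = lookup(clientKey);
    hostActive = Boolean(record && record.license && record.license.active === true);
  } catch (err) {
    lookupError = err.message;
  }
  return {
    licensed: paramActive && hostActive,
    mismatch: paramActive !== hostActive,
    lookupError,
  };
}

// One log line per decision, in a key=value form a SIEM rule can match on.
function describeDecision(clientKey, decision) {
  if (decision.lookupError) {
    return `license_check clientKey=${clientKey} result=deny reason=lookup_error`;
  }
  if (decision.mismatch) {
    return `license_check clientKey=${clientKey} result=deny reason=lic_param_host_mismatch`;
  }
  return `license_check clientKey=${clientKey} result=${decision.licensed ? "allow" : "deny"}`;
}

// Stand-alone demo on constructed requests.
for (const tenant of ["tenant-paid", "tenant-unlicensed", "tenant-unknown"]) {
  const decision = strictLicenseDecision("https://app.example/macro?lic=active", tenant);
  console.log(describeDecision(tenant, decision));
}
```

The gate fails closed on any lookup error and denies whenever the two sources disagree, so an install that presents lic=active but has no active license on the host side is both blocked and visible in the logs. As the poster notes, they did not check what the license REST endpoints actually return for such an install, so how much the second check buys you depends on that answer.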

If they bother to fix that loophole, here’s another…

Promo codes no longer list an entitlement number in the vendor dashboard which makes it difficult (impossible?) to trace who has used a code.

Additionally, you’re likely to find yourself having to issue multiple promo codes because:

Please note that with the new billing engine, promo codes are considered “used” as soon as they are applied to a quote and the quote is saved—even if the quote is not finalized or processed by the customer. For single-use promo codes, once they have been applied to a quote, they cannot be reused on another quote, and a new code will be required.

So I imagine vendors are issuing excessive numbers of promo codes and then not being able to trace their use. What could go wrong?

I contacted Atlassian about this and they couldn’t care less:

I understand how the current behavior around promo codes may seem unexpected compared to the previous billing system. However, I want to clarify that this is not a bug… This is the intended functionality of the new system.

1 Like