Getting 403 from Jira Cloud API when other users use my app using Forge Bridge requestJira()

Hi,

I’ve written a simple app using the UI Kit and Forge Bridge requestJira(), part of the functionality being to add options to a custom field. It works fine for me but I have permissions to add the options. If someone who is not an admin runs the app, it seems to be using their permissions rather than the app’s permissions and they get 403 errors. Looking at the documentation for the Forge Bridge requestJira() I see no mention of how to make it authenticate as the App rather than the user. Is this possible or do I need to re-write my app to use requestJira() from Forge API which does seem to have a documented way of authenticating as app? If I can authenticate as app using the Forge Bridge requestJira(), how do I do that? All help gratefully received.

You should just be able to use .asApp() as documented here: https://developer.atlassian.com/platform/forge/apis-reference/fetch-api-product.requestjira/

Does that work for you?

However, keep in mind that this will mean that you’re giving users the ability to do something that they wouldn’t usually be able to do. That could be a security issue so be careful.

Thanks for the feedback. I wasn’t sure that would work as the documentation is referring to a requestJira function from forge API rather than forge bridge and I wasn’t sure if they were the same or not. There’s no mention of asApp() in the Forge Bridge documentation and the documentation you’ve pointed me at talks about having to use route and other things which I clearly have not needed using the Forge Bridge method. Is this just a case of the documentation being out of date? I’ll give it a try. Hopefully it will work.

I’m perfectly happy with non-admin users being able to add options to a single custom field. I think this is something that Jira is by default rather too strict with, and it will save me and the other admins a considerable amount of unnecessary work.

Hi,

Sorry but I can’t make your suggestion work. If I try to follow the documentation using import api from ‘forge/bridge’; I get a module not found error for @forge/api

If I try to use .asApp() without importing api it understandably fails.

I tried to solve this by making the (I hope) educated guess that api could be imported from @forge/bridge. Unfortunately this fails and I get the following error in the console:

Uncaught Error: Cannot read properties of undefined (reading ‘asApp’)

How do I solve this? Currently I am only able to make API calls with the current user’s permissions which is never going to allow me to do what I need to.

For clarity, and in case it makes a difference, I am not using a resolver. The Forge Bridge 2 documentation said this was no longer necessary, but I’m happy to change that if I need to. It just seemed much simpler not to do so and I’m a complete novice when it comes to forge, javascript and react, though I’ve been developing for too many years with other tech stacks.

I believe I’m having the same problem: Getting 403 Forbidden Error in my Forge App

When using requestJira from the Forge Bridge API the API call is made on behalf of the user currently interacting with the app, rather than the app itself.

If you’d like to make the call on behalf of the app, you’ll need to use the api.asApp().requestJira() method from the Forge API, which can be invoked from the app frontend via a resolver function. However, as @rmassaioli mentioned, that does open up a potential security vulnerability, so do take care when doing so!

So yes - you would need to re-write your app to get this working.

I hope that clarifies!

If you have any further questions please let us know.


Sorry, yes, if you want your app’s bot user to do something, it has to be via your backend code. If the frontend code could do that (forge bridge), then a malicious user could make your bot user do anything the scopes allowed. So, that would be yet another security issue and we don’t allow it. You have to act as the bot user from a hosted or remote backend that you implement authorisation checks for.
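The authorisation gate described in the post above, as an added example that is not part of the thread and not Atlassian's code. It is written with an injected `createOption` dependency so it runs outside Forge; the field id, context id, allow-list, 255-character limit and the names `makeAddOption` and `cleanOptionValue` are assumptions made for illustration.

```javascript
// Added example: authorisation gate for a resolver that acts as the app.
// Constructed placeholders (not from the thread): field/context ids, allow-list.
const TARGET = { fieldId: 'customfield_10000', contextId: '10001' }; // pinned server-side
const ALLOWED_ACCOUNTS = new Set(['acct-alice']);                    // who may add options
const MAX_LEN = 255;                                                 // assumed length limit

// Validate the only value the frontend is allowed to influence.
function cleanOptionValue(raw) {
  if (typeof raw !== 'string') throw new Error('value must be a string');
  const value = raw.trim();
  if (value.length === 0 || value.length > MAX_LEN) throw new Error('value length out of range');
  if (/[\u0000-\u001f]/.test(value)) throw new Error('control characters not allowed');
  return value;
}

// deps.createOption is the only code that runs with the app's identity.
// In a Forge resolver (src/resolvers/index.js) it would wrap
//   api.asApp().requestJira(
//     route`/rest/api/3/field/${fieldId}/context/${contextId}/option`,
//     { method: 'POST', headers: { 'Content-Type': 'application/json' },
//       body: JSON.stringify({ options: [{ value }] }) })
function makeAddOption(deps) {
  return async function addOption(req) {
    // accountId comes from the resolver request context, not from the payload.
    const accountId = req.context && req.context.accountId;
    if (!accountId || !ALLOWED_ACCOUNTS.has(accountId)) {
      return { ok: false, status: 403, error: 'not allowed to add options' };
    }
    let value;
    try {
      value = cleanOptionValue(req.payload && req.payload.value);
    } catch (e) {
      return { ok: false, status: 400, error: e.message };
    }
    // Any fieldId/contextId sent in req.payload is ignored on purpose, so a
    // caller cannot redirect the app's permissions to another field.
    await deps.createOption(TARGET.fieldId, TARGET.contextId, value);
    return { ok: true, status: 201, value };
  };
}
```

The returned function has the shape of a `resolver.define()` handler, and the frontend reaches it with `invoke()` from `@forge/bridge` rather than calling Jira directly.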

Thank you very much. That has confirmed what I was starting to think was the case myself. Hopefully, I can get that working. It would be nice if the documentation was a little clearer (at least for novices like myself) but I think I have enough to be getting on with.

Sorry for the further delay, but I’m stuck again. Unfortunately this is very much a side project rather than my day job and I only get a chance to work on it intermittently.

I have tried moving the API calls that need to be authenticated as the app into a resolver function but on running forge deploy I get the following error:

Error: Bundling failed: Module not found: Error: Can’t resolve ‘@forge/api’

Given that’s apparently the module I need to import in order to use asAPI(), I’m now completely stuck. How do I resolve this?

@JamesMeyerBejdl This error is raised when, through the chain of imports, you end up importing some code relying on @forge/api into your frontend code.

@forge/api calls should be contained in your resolver code.

Check all your imports and find the faulty one.

Hope that helps!

Is the resolver code not in the resolvers/index.js then? That’s what I’d understood, perhaps wrongly. If that’s not correct where is the code meant to go?

The error I am getting is not coming from frontend/index.jsx so I don’t believe I’ve imported anything there. The error is coming from \src\resolvers according to the error message.

The only file where I am importing anything from @forge/api is resolvers/index.js, I’ve just double checked. I also tried commenting out the include in resolvers/index.js just to make sure and that then deploys without error, but of course the app won’t work.

Sounds like you might need to install the package! Try running the following command from your project’s top directory:

npm install @forge/api

Once that’s done, you should be able to go ahead and run forge deploy again.

Thank you so much. That seems to have got me out of my hole. Obviously now I have to make sure the app works as intended but at least I can deploy.

I hadn’t realised a separate install was needed, in fact I thought I’d read somewhere that it was automatically included in UI Kit projects, but all good now.

No worries. Some packages, for example @forge/bridge, are pre-installed when you build an app with the Forge CLI, but in general if you’re adding a new import to your app it’s best to assume that you’ll need to install it.

So, if you come across that error again in the future you’ll know what to do!

Cheers,
Mel