I want to know the security limit of the Storage API Key
Assuming I install forge app call Sample at confluence site A Eg (siteA.atlassian.net)
In storage API Call I set key = my_good_key.
await storage.get('my_good_key');
Here is question
1.)
If someone in siteB install the same app Sample at confluence Eg (siteB.atlassian.net) and tries to use the same Key as mine my_good_key
Will He or She in SiteB be able to query or View my stored data in siteA;
2.) Again if someone knows my Storage Keys, can he/She be able to steal my storage data. Do I have to guide this storage keys like passwords.
3.) If SiteA and SiteB uses the same key, will be there by overriding of data or collisions
A bit of background that will help answer your questions, from https://developer.atlassian.com/platform/forge/storage/
The app storage API stores data partitioned by product and site, and is accessible only to your app.
The app storage API requires your app to have the storage:app scope.
Onto your questions:
-
An app can’t access data from a different site when it executes, i.e., when the app executes it is tied to a particular product & site and Storage API access reflects this product & site. Further, in case your example of the “Sample” app refers to the behaviour when apps have the same name, apps are distinguished by their ID and authentication clients (see next answer)
-
Knowing the storage keys isn’t enough to access the data. The storage:app scope quoted above is tied to your app’s authentication client, which is hidden within the Forge Platform and transparently injected when your app executes. Without this authentication client the data can’t be accessed
-
As I quoted, data is partitioned by app, site, and product, so the same key across sites refers to distinct data
3 Likes
Thanks for the Clearification