Image placeholder security

Hi everyone,

The documentation on image placeholder from dynamic context (https://developer.atlassian.com/cloud/confluence/modules/image-placeholder/) states that
“all the macro parameters will be passed as query parameters to the request. You can use these parameters to dynamically generate the placeholder image.”.
Is there also a way to also make this url secure ? The JWT token doesn’t look like it’s being passed in.
Anyone knows of a way to achieve that ?

Hi mihai,

Authenticated calls to collect the image placeholder aren’t currently supported in Confluence Connect. It’s been raised as a feature request in our backlog (CE-24), so please go ahead and vote for it and add a comment about your use case.

Cheers,
Kate

Hi Kate and thank you for the response.

I’ve voted on that feature request.
Our use case is very similar to the one described by the Lucidchart Add-On.

So, I guess there are two workarounds, both with disadvantages:

  1. holding the customerId as a macro parameter and bypassing auth, like described in the mentioned ticket. This one has the big minus of reduced security (ex: once someone has seen - or less likely, guessed - that url it will be forever accessible, regardless of new space/document/etc restrictions )

  2. instead of creating a simple macro to attach the external diagram/image, we could create a custom content entry linked to that macro, custom content that holds a copy of that external image as it was when the macro was inserted.
    This one has the problem of getting out of sync once that external diagram was modified outside confluence.

Yes, unfortunately no workaround for this properly fills the gap. In the past I’ve seen another vendor implementing it using the first workaround you mentioned, and obfuscating the URL.