I want to create a Connect or Forge app in Jira. The user should be able to enter his API key in the app and, upon pressing a button, the app fetches details from my website which correspond to that API key. When the user clicks the button again, the app should bring the details again from my site using the API key provided previously. For this to happen the API key should be stored in a place and retrieved whenever the button is pressed. How am I supposed to store this user's API key? Is there any possibility to store the API key securely in Jira itself, or should I create a separate DB for it on my own, or is there any other easier way?
You can find some information regarding this issue here: Shared responsibility model (atlassian.com)
Ensure that data is appropriately stored and read by your app.
- Ensure that sensitive security data, such as pre-shared keys, API keys, or encryption keys, is not hardcoded in the source code. Secure storage, such as encrypted environment variables, should be used to supply keys at runtime.
- Ensure that keys are rotated on a regular basis. You should rotate sensitive API keys at least every 90 days.
- Encrypt data at rest for data stored within Forge app storage.
- Segregate data storage to prevent cross-tenant access. This includes Forge app storage.
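As an added illustration (not code from this thread or from Atlassian), here is the shape of a Forge backend that keeps each user's API key in secret storage, namespaced by Atlassian accountId, and reads it back on every button press, flagging keys older than the 90-day rotation interval. In a real Forge app `secretStore` would be `storage` from `@forge/api` (`storage.setSecret` / `storage.getSecret`) and `fetchFn` its `fetch`; the vendor URL, the key format and the fakes are assumptions so the logic runs offline.

```javascript
// Added example, not code from the thread: a Forge-style resolver that keeps each
// user's API key in secret storage and uses it on every button press.
// In a real Forge app `secretStore` is `storage` from '@forge/api'
// (storage.setSecret / storage.getSecret) and `fetchFn` is its `fetch`;
// they are injected here so the logic runs offline against constructed fakes.
const ROTATION_DAYS = 90;                 // rotation interval from the shared responsibility model
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const DETAILS_URL = 'https://vendor.example/api/details';  // placeholder for "my website"

// Namespace the secret by Atlassian accountId so one user can never read another's key.
const secretKeyFor = (accountId) => `apiKey:${accountId}`;

// Assumed key format for this example: 32..128 printable ASCII characters, no whitespace.
function validateApiKey(apiKey) {
  return typeof apiKey === 'string' && /^[\x21-\x7e]{32,128}$/.test(apiKey);
}

// Called when the user submits the key. Stores it with a timestamp and returns only metadata.
async function saveApiKey(secretStore, accountId, apiKey, now = Date.now()) {
  if (!validateApiKey(apiKey)) throw new Error('invalid API key format');
  await secretStore.setSecret(secretKeyFor(accountId), { apiKey, storedAt: now });
  return { stored: true, storedAt: now };   // the key itself is never echoed back to the UI
}

// Called on every button press. Reads the stored key and calls the vendor site with it.
async function fetchDetails(secretStore, fetchFn, accountId, now = Date.now()) {
  const entry = await secretStore.getSecret(secretKeyFor(accountId));
  if (!entry) return { ok: false, reason: 'no-key' };
  const res = await fetchFn(DETAILS_URL, {
    method: 'GET',
    headers: { Authorization: `Bearer ${entry.apiKey}` },
  });
  if (res.status === 401) return { ok: false, reason: 'rejected' };
  const rotationDue = (now - entry.storedAt) / MS_PER_DAY >= ROTATION_DAYS;
  return { ok: true, details: await res.json(), rotationDue };
}

// Constructed fakes standing in for Forge secret storage and the vendor API.
class FakeSecretStore {
  constructor() { this.map = new Map(); }
  async setSecret(key, value) { this.map.set(key, value); }
  async getSecret(key) { return this.map.get(key); }
}
function fakeVendorApi(acceptedKey) {
  return async (_url, opts) => {
    const ok = opts.headers.Authorization === `Bearer ${acceptedKey}`;
    return { status: ok ? 200 : 401, json: async () => (ok ? { plan: 'pro' } : {}) };
  };
}
```

Secret storage entries are not exposed through the Jira REST API the way app or entity properties are, which is the concern raised later in this thread; the outbound call to the vendor site also needs the external fetch domain declared in the Forge manifest.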
@KarolGrabowski thanks for the response
If I want to create a Forge app with my own database:
1. Where should I store my DB?
2. How can we handle the authentication for the database?
3. In a Forge app, as it is mentioned, is the storage API really secure? Earlier, our issue was that storing the API key in app properties is not recommended, as the properties can be seen if a user calls the REST API. Similarly, will the user be able to see the storage if he calls the specific API, or is it really secure to be accessed only by the Connect app?
@KarolGrabowski Could you kindly share any details you know about where to store the data? I have a similar use case, but the only data storage options I have found are App properties and entity properties. Is there any other way I could achieve this?
Okay… I found an alternative.
How about I store the API key as a user property and call the user key to make each request at runtime?
Would that work?