Hi all,
I am trying to create a third-party integration application in Jira which needs to be shown on the Jira issue contents page. I will explain my requirements. Based on my requirements, kindly give your suggestions.
I need to get an API key from the user after installation of the app from the Atlassian Marketplace, and I need to store the API key securely, without using my own DB, to make some third-party API requests.
I need to perform an API request using the API key that I stored and show the response data on the Jira issue contents page.
These are my requirements. To accomplish my requirements, which option is better (Connect app or Forge app)?
At this stage, for any new app development, I would strongly advise you to go with Forge.
The only caveat to take into consideration is that Forge is still actively being developed and lacks some of the features available to developers using Connect.
As such, it might be possible that down the road you will find yourself in need of features that are missing in Forge. At that point you might need to reconsider.
Hopefully, given the speed of development by the Forge team, you will not have to wait long for feature parity and you’ll never have to question your choice.
Hi @remie, thanks for your reply. I also chose the same option that you said. Now I am searching for how to store an API key securely without using my own DB. If you have any idea in this case, kindly tell me your suggestion.
Hi @danielwester, thanks for your reply. It is suggested not to store confidential data in app properties and entity properties. That’s why I moved to Forge, to get any feature that is missing in Connect. Now I have one doubt. Can I store the API key in user properties?
If it’s possible:
Is it safe to store the API key in user properties?
Shall I retrieve the logged-in user’s user properties while the page is loading?
If you want to use Forge, you could possibly create and store a key using a secure environment variable (forge variables:set --encrypt myCryptoKey cryptoSecret) and then use this to encrypt/decrypt data that could be stored using the Forge storage API.
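The approach suggested in the reply above, sketched as an added example that is not part of the original thread and is not Atlassian's code: the API key is encrypted with AES-256-GCM under a key derived from the encrypted environment variable, and only the ciphertext is stored. Assumptions: a `Map` stands in for the Forge storage API so the sample runs offline, and the HKDF labels, the record format and the use of the account ID as authenticated data are choices made for this example.

```javascript
const crypto = require('node:crypto');

// In a Forge function this is the value set with
// `forge variables:set --encrypt myCryptoKey cryptoSecret`.
// The fallback is a constructed value so the sample runs offline.
const APP_SECRET = process.env.myCryptoKey || 'constructed-demo-secret';

// Stand-in for the Forge storage API (assumption): a Map keeps this runnable.
const store = new Map();

// Stretch the app secret into a 256-bit AES key with HKDF-SHA256.
function deriveKey(secret) {
  return Buffer.from(crypto.hkdfSync('sha256', secret, 'api-key-store', 'aes-256-gcm', 32));
}

// Encrypt with AES-256-GCM. The accountId is authenticated (AAD) but not
// encrypted, so a record copied to another user's slot fails to decrypt.
function sealApiKey(apiKey, accountId, secret = APP_SECRET) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret), iv);
  cipher.setAAD(Buffer.from(accountId, 'utf8'));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Throws if the secret, the accountId or any byte of the record is wrong.
function openApiKey(record, accountId, secret = APP_SECRET) {
  const [iv, tag, ct] = record.split('.').map((p) => Buffer.from(p, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret), iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(accountId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function saveUserApiKey(accountId, apiKey) {
  store.set(`apikey:${accountId}`, sealApiKey(apiKey, accountId));
}

function loadUserApiKey(accountId) {
  const record = store.get(`apikey:${accountId}`);
  return record === undefined ? null : openApiKey(record, accountId);
}
```

Anyone who can read the stored record sees only ciphertext; decryption needs the environment variable, which is available to the app's own functions.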
Hi @dmorrow, thanks for your reply. Is it possible to store user credentials securely with Forge? Can you please send any reference document to do that?
EDIT: I misunderstood @dmorrow’s message. He was referring to how you can securely store encryption keys that can be used to encrypt data that you want to store in the Forge Storage API.
— please ignore this
I think the goal in this case is to allow the storage of a per user / per instance API key / personal access token to a 3rd party service. Or alternatively an OAuth refreshToken that would allow the app to access that 3rd party service on their behalf. So it’s not a known secret from the vendor, but something that the user would provide. Using forge variables:set is not really scalable in this scenario.
Hi @remie @dmorrow
What about encrypting the API key and splitting the private key and the encrypted token into two different locations (private key into user properties and the encrypted token into the DB)? That way it can be more secure by making sure only the app has access to both locations. Is this efficient for my requirements? Is it possible to do it like this?
I don’t have any option. That’s why I chose to use my own DB.