Confluence is one of the leading enterprise wiki products. Its built-in feature set is already very powerful, and it can be extended with applications available in the Atlassian Marketplace. You can also write your own applications for private, internal use. Atlassian provides the atlassian-connect-express toolkit for building apps with Node.js, which reduces development time and effort. They also provide a number of sample projects for Jira and Confluence apps on Bitbucket. Unfortunately, many of these examples are obsolete or deprecated, and do not function correctly with the latest version of atlassian-connect-express or the latest release of Confluence and Jira.
Bugs Affecting Confluence Connect Blueprints
The confluence_blueprint_example application was last updated in 2019 and is currently broken. Even if the example project is updated, the webhook it uses to create a hierarchy of blueprint pages has been broken since 2018, and that bug ticket is still “gathering impact.” That bug will prevent you from creating a hierarchy of template pages when the “master” page is created. As I set out to work around these issues and build a functioning blueprint plugin, I discovered a more fundamental security flaw in the Atlassian blueprint model.
Security Issues with Atlassian Connect Blueprints
Atlassian’s documentation states, “Blueprints allow your connect add on to provide content creation templates.” An atlassian-connect-express application provides blueprints by responding to HTTPS requests from Confluence. Your application exposes static files in Atlassian’s XML-like Confluence Storage Format, and tells Confluence about the path to these files by specifying them in the
blueprints section of the
atlassian-connect.json file. Unfortunately, the HTTPS requests sent by Confluence to get the blueprint files contain no authentication or licensing information.
In other words, in order for your app to function, the blueprint files must be totally exposed to the public Internet.
How severe is this problem? On one hand, someone would have to discover your atlassian-connect.json file to get the paths to the blueprints. If you’re using a hard-to-guess domain and path to serve your application, then “security through obscurity” will help you to some extent. On the other hand, you’re exposing your intellectual property to the public Internet, and any security professional will tell you that “security through obscurity” is a poor strategy. If you are looking to make money from a paid application in the Marketplace, then you risk loss of revenue. If you have an internal application, you risk exposing any proprietary information in your templates.
Functioning Multi-Page Blueprint Apps for Confluence
I found workarounds for all of the bugs and security issues, and created a functioning proof-of-concept application that uses Atlassian Connect to provide a multi-page hierarchy of blueprint pages. The app is currently pending approval on the Atlassian Marketplace. Once it’s approved, I’ll post a link here so you can test it out.
My original plan was to use this proof-of-concept as the basis to create some paid template content for Confluence. Based on what I’ve observed in the Atlassian developer forums, there are other developers who would like to create apps that provide multi-page blueprint content. If you are interested in licensing my working blueprint code, or contracting for further development on the proof-of-concept, please contact me through my business. I am willing to work with you on affordable licensing terms if you want to use my code. Trust me, it will save you tens of hours of frustrating research and troubleshooting.