Multi-Page Blueprints for Confluence

A free demo app is available in the Atlassian Marketplace which supports multi-page blueprints for Confluence. This app works around numerous bugs in the official Atlassian blueprint tutorials and a key Atlassian API bug.

Background on Confluence

Confluence is one of the leading enterprise wiki products. Its built-in feature set is already very powerful, and it can be extended with applications available in the Atlassian Marketplace. You can also write your own applications for private, internal use. Atlassian provides the atlassian-connect-express toolkit for building apps with Node.js, which reduces development time and effort. They also provide a number of sample projects for Jira and Confluence apps on Bitbucket. Unfortunately, many of these examples are obsolete or deprecated, and do not function correctly with the latest version of atlassian-connect-express or the latest release of Confluence and Jira.

Bugs Affecting Confluence Connect Blueprints

The confluence_blueprint_example application was last updated in 2019 and is currently broken. Even if the example project is updated, the webhook it uses to create a hierarchy of blueprint pages has been broken since 2018, and that bug ticket is still “gathering impact.” That bug will prevent you from creating a hierarchy of template pages when the “master” page is created. As I set out to work around these issues and build a functioning blueprint plugin, I discovered a more fundamental security flaw in the Atlassian blueprint model.

Security Issues with Atlassian Connect Blueprints

Atlassian’s documentation states, “Blueprints allow your connect add on to provide content creation templates.” An atlassian-connect-express application provides blueprints by responding to HTTPS requests from Confluence. Your application exposes static files in Atlassian’s XML-like Confluence Storage Format, and tells Confluence about the path to these files by specifying them in the blueprints section of the atlassian-connect.json file. Unfortunately, the HTTPS requests sent by Confluence to get the blueprint files contain no authentication or licensing information.

In other words, in order for your app to function, the blueprint files must be totally exposed to the public Internet.

How severe is this problem? On one hand, someone would have to discover your atlassian-connect.json file to get the paths to the blueprints. If you’re using a hard-to-guess domain and path to serve your application, then “security through obscurity” will help you to some extent. On the other hand, you’re exposing your intellectual property to the public Internet, and any security professional will tell you that “security through obscurity” is a poor strategy. If you are looking to make money from a paid application in the Marketplace, then you risk loss of revenue. If you have an internal application, you risk exposing any proprietary information in your templates.

Functioning Multi-Page Blueprints for Confluence

I found workarounds for all of the bugs and security issues, and created a functioning proof-of-concept application using Atlassian Connect. The demo application is available for free on the Atlassian Marketplace and provides multi-page blueprints for Confluence. The app currently has almost 50 installations, so there is definitely some interest in this topic. If you are interested in licensing my working blueprint code, or contracting for further development on the proof-of-concept, please reach out to me via one of the following options:

I am willing to work with you on affordable licensing terms if you want to use my code. Believe me–starting with my codebase will save you many hours of frustrating research and troubleshooting!

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.