
JIRA password is stored clear text in config file

Open watsoncj opened this issue 6 years ago • 12 comments

Likely a blocker for many users. This password is often the same as the corporate VPN.

Storing the password in the user's keychain seems like a better option than #1.

watsoncj avatar Feb 28 '18 17:02 watsoncj

Consider something like keytar for cross-platform keychain access.

watsoncj avatar Feb 28 '18 17:02 watsoncj

Great idea @watsoncj, I'll use it definitively!

miguelmich avatar Feb 28 '18 18:02 miguelmich

This is definitely a show stopper for me. Let me know if there is anything I can do to help (that doesn't involve coding).

decibyte avatar Mar 13 '18 15:03 decibyte

I'll be working on the implementation of this fix today; hopefully there will be a new release with this hotfix today :)

miguelmich avatar Mar 13 '18 15:03 miguelmich

@watsoncj I was working on this, but then I realized that Linux users will have to install an additional lib in order to use the CLI. I'll do some research to see if we can find a 100% Node cross-platform solution.

PS: I don't know, what do you guys think about this?

miguelmich avatar Mar 14 '18 03:03 miguelmich

An alternative could be to use OAuth, but that's more complicated and requires cooperation from the JIRA admins. What about only having the password in memory? So don't store it, but ask for it once on startup or on the first command executed?

valentijnscholten avatar Jul 27 '18 12:07 valentijnscholten

@valentijnscholten I like that idea, I will explore it more. What I'm thinking is: since this config file is stored in the user's home directory, the same place the SSH keys are stored, one would think this is a safe place. I mean, if an attacker manages to reach your home directory you're in more serious trouble. But I agree that having the JIRA password stored without any obfuscation at all is concerning, even for me (I don't even like seeing my passwords without the *** characters lol). On the other hand, I also think that if you're not on your own machine you wouldn't want to have that data stored locally, so your solution makes total sense to me.

I'll take a look at how to store recurring data in memory and if anyone else has any other better idea you're welcome to participate :)

miguelmich avatar Jul 30 '18 13:07 miguelmich

Private keys are usually protected by a password which is asked for only once on startup and then cached in memory :)

valentijnscholten avatar Jul 30 '18 14:07 valentijnscholten

If an attacker reaches your home directory, you have serious problems, but if your home directory contains an SSO password that gets them admin access to all of the production applications you manage, you have even more serious problems.

xdhmoore avatar Jul 25 '19 05:07 xdhmoore

I don't know if Jira Server has this option, but Jira Cloud has an option to create an API token that is separate from your password. It still gives you access to all the API features that your user has access to, but it's scoped to Jira rather than all of the apps that your domain/organization credentials provide access to.

iinuwa avatar Dec 17 '20 22:12 iinuwa

API tokens were just introduced in Jira Server 8.14, but they do not work with basic authentication. They need to be sent as a bearer token.

valentijnscholten avatar Dec 17 '20 22:12 valentijnscholten

Oh, OK. My API token for Jira Cloud is working without modification to jira-cli. @valentijnscholten, are you saying that Jira Server API tokens are not working with jira-cli?

iinuwa avatar Jan 03 '21 06:01 iinuwa
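The thread above settles on three points: keep the secret out of the config file (keychain or memory), send a Jira Cloud API token with HTTP Basic auth as `user:token`, and send a Jira Server 8.14+ token as a Bearer header. The snippet below is an added example, not jira-cli code; the config field names (`password`, `token`, `user`), the `authType` values and the `JIRA_CLI_SECRET` environment variable are assumptions chosen for illustration.

```javascript
// Added example: separate the secret from the persisted config and build the
// right Authorization header for each Jira credential type from the thread.

// 'password' and 'cloud-token' go over HTTP Basic as base64("user:secret");
// 'server-pat' (Jira Server / Data Center 8.14+ token) goes as Bearer.
function buildAuthHeader(authType, user, secret) {
  if (!secret) throw new Error('no credential available');
  switch (authType) {
    case 'password':
    case 'cloud-token':
      if (!user) throw new Error('Basic auth needs a user (email for Cloud)');
      return 'Basic ' + Buffer.from(`${user}:${secret}`, 'utf8').toString('base64');
    case 'server-pat':
      return `Bearer ${secret}`;
    default:
      throw new Error(`unknown authType: ${authType}`);
  }
}

// The issue's report: a plaintext secret sitting in the config file.
function hasPlaintextSecret(config) {
  return Object.prototype.hasOwnProperty.call(config, 'password') ||
         Object.prototype.hasOwnProperty.call(config, 'token');
}

// Split a loaded config into the part that may be written back to disk
// (no secret) and the secret, which goes to a keychain or stays in memory.
function splitConfig(config) {
  const { password, token, ...persistable } = config;
  const secret = token !== undefined ? token : (password !== undefined ? password : null);
  return { persistable, secret };
}

// Resolve the secret at runtime without touching the config file:
// a lookup callback (keychain such as keytar, or an in-memory cache filled by
// a one-time prompt) first, then the assumed JIRA_CLI_SECRET env var.
function resolveSecret(lookup, env = process.env) {
  const fromStore = typeof lookup === 'function' ? lookup() : null;
  if (fromStore) return fromStore;
  if (env.JIRA_CLI_SECRET) return env.JIRA_CLI_SECRET;
  throw new Error('no credential: store one in the keychain or set JIRA_CLI_SECRET');
}

// Constructed sample config of the kind the issue describes.
const sampleConfig = { baseUrl: 'https://jira.example.invalid', user: 'user', password: 'pass' };
```

In practice the `lookup` callback is where a keychain library such as keytar would be called; `persistable` is the only object that should ever be serialised back to the config file.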