jira
Error message returned when username/password are incorrect is extremely misleading
Describe the bug
If you try to create an authenticated client to an Atlassian-hosted (perhaps self hosted too) Jira instance and the username and/or password is wrong you'll be given a very misleading error that "Basic auth with password is not allowed on this instance":
jirashell -s https://somecompany.atlassian.net -u valid_username -p incorrect_password
Traceback (most recent call last):
File "/Users/foouser/Library/Python/3.6/bin/jirashell", line 11, in <module>
sys.exit(main())
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/jirashell.py", line 255, in main
jira = JIRA(options=options, basic_auth=basic_auth, oauth=oauth)
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 472, in __init__
si = self.server_info()
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2133, in server_info
j = self._get_json('serverInfo')
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2549, in _get_json
r = self._session.get(url, params=params)
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 151, in get
return self.__verb('GET', url, **kwargs)
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 147, in __verb
raise_on_error(response, verb=verb, **kwargs)
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 57, in raise_on_error
r.status_code, error, r.url, request=request, response=r, **kwargs)
jira.exceptions.JIRAError: JiraError HTTP 403 url: https://somecompany.atlassian.net/rest/api/2/serverInfo
text: Basic auth with password is not allowed on this instance
response headers = {'Server': 'AtlassianProxy/1.15.8.1', 'Content-Type': 'text/plain', 'Strict-Transport-Security': 'max-age=315360000; includeSubDomains; preload', 'Date': 'Wed, 26 Feb 2020 20:48:23 GMT', 'ATL-TraceId': 'XXXX', 'X-XSS-Protection': '1; mode=block', 'Transfer-Encoding': 'chunked', 'X-Content-Type-Options': 'nosniff', 'Connection': 'keep-alive'}
response text = Basic auth with password is not allowed on this instance
I spent hours trying to figure out why it wasn't working thinking it was something to do with 2FA/OAuth/etc but it was just an incorrect password. I recall now falling into a similar problem over a year ago because the username wasn't in the correct format. Both times the wording of this error made me think the issue was that someone disabled static/basic password authentication.
To Reproduce
Create an authenticated client connection to a Jira instance using an incorrect username and/or password. I did this with Jira shell (above) but could be done with:
from jira import JIRA
jira_server='https://somecompany.atlassian.net'
username='valid_username'
password='incorrect_password'
aj = JIRA(basic_auth=(username, password), options={'server': jira_server})
- Any additional steps or considerations that happen before or after.
Expected behavior
The error should return a more accurate/less confusing error message, perhaps "Could not authenticate using basic auth." or even better "Could not authenticate using basic auth. Check the username/password are correct."
Stack Trace
Traceback (most recent call last):
File "/Users/foouser/fujira.py", line 6, in <module>
aj = JIRA(basic_auth=(username, password), options={'server': jira_server})
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 472, in __init__
si = self.server_info()
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2133, in server_info
j = self._get_json('serverInfo')
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2549, in _get_json
r = self._session.get(url, params=params)
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 151, in get
return self.__verb('GET', url, **kwargs)
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 147, in __verb
raise_on_error(response, verb=verb, **kwargs)
File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 57, in raise_on_error
r.status_code, error, r.url, request=request, response=r, **kwargs)
jira.exceptions.JIRAError: JiraError HTTP 403 url: https://somecompany.atlassian.net/rest/api/2/serverInfo
text: Basic auth with password is not allowed on this instance
Version Information
Python Interpreter: 3.6.6
jira-python: 2.0.0
OS: OSX
Additional context
None
@makegofast This error message is the text response coming from the Jira API directly. You can replicate this using the requests library:
import requests
url = 'https://mycompany.atlassian.net'
headers = { "Accept": "application/json", "Content-Type": "application/json" }
username = '[email protected]'
password = 'badpassword'
r = requests.get(url, headers=headers, auth=(username,password))
print(r.text)
which prints:
Basic auth with password is not allowed on this instance
@makegofast The message is perfectly accurate as well. As of June 3rd, 2019, use of basic auth with password is indeed not allowed; you must use a token if you wish to continue using basic auth.
This applies to all Atlassian cloud instances, which is the case in your error above (you were connecting to mycompany.atlassian.net, which is a cloud instance).
Could the returned error be enhanced, maybe with "You must use a token with Basic Auth." ?
With self-hosted, Jira returns a 401, which this lib considers a recoverable error, so it tries the bad credentials 3 times before failing. In an LDAP->AD scenario, this means a user gets locked out after a single attempt if the AD lockout settings are <= 3 attempts.
I'd be thrilled with a misleading message if I could catch the exception.
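Added example, not part of the thread and not jira-python's own code: a retry wrapper that treats 401 and 403 as terminal, so rejected credentials are sent exactly once and surface as a catchable exception, while transient statuses are still retried. The names `get_without_auth_retry`, `AuthRejected`, `send` and `scripted` are hypothetical, and the responses are constructed so the block runs offline.

```python
import time

# Statuses worth retrying: the same request may succeed if sent again.
TRANSIENT = {429, 502, 503, 504}
# Statuses that mean the credentials were rejected: resending the same
# credentials cannot succeed and counts as another failed login attempt.
AUTH_REJECTED = {401, 403}


class AuthRejected(Exception):
    """Raised once, without retrying, when the server rejects the credentials."""

    def __init__(self, status, body):
        self.status, self.body = status, body
        hint = "check the username and the password or API token"
        super().__init__(f"HTTP {status}: {body.strip()} ({hint})")


def get_without_auth_retry(send, max_attempts=3, delay=0.0):
    """Call send() -> (status, body); retry only transient statuses.

    `send` is a hypothetical zero-argument callable standing in for one
    authenticated HTTP request. Returns (status, body, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        status, body = send()
        if status in AUTH_REJECTED:
            raise AuthRejected(status, body)   # never resend bad credentials
        if status in TRANSIENT and attempt < max_attempts:
            time.sleep(delay * attempt)        # simple linear backoff
            continue
        return status, body, attempt


def scripted(responses):
    """Constructed stand-in server: replays responses and counts requests."""
    calls = {"n": 0}

    def send():
        calls["n"] += 1
        return responses[min(calls["n"], len(responses)) - 1]

    return send, calls
```

With a directory lockout threshold of three failed attempts or fewer, the single request made here leaves the account usable, and the caller can catch `AuthRejected` to prompt for new credentials.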