1

I'm trying to create a command line client for Jira, but I don't really want to store the username/password, and I don't want to have to put in my password with every single request.

Jira says they have a cookie based API, but it doesn't look like it works the way that I think it works.

Specifically, when using Python's requests library I can only re-use the cookie if I have a Session object that I think keeps a connection to Jira.

But if I try to, say, make a requests.post request and a requests.get request to the REST URL, it fails with a 401 and tells me that I'm not authenticated. OTOH, if I create a Session, I can do

session.post(.../rest/auth/1/session)
print(session.get(.../rest/auth/1/session).status_code)

And I'll get the 200 that I expect.

I do notice that there's another cookie in the requests response headers:

atlassian.xsrf.token=SOMETHING|RANDOM|lout

but I didn't see anything about that in the documentation.

Is it possible to do this, or do I have to store the username/password if I want to break the connection in between requests?

Wayne Werner

2 Answers

0

You are correct, the session is required. From the documentation:

  1. The client creates a new session for the user, via the JIRA REST API.
  2. JIRA returns a session object, which has information about the session including the session cookie. The client stores this session object.
  3. The client can now set the cookie in the header for all subsequent requests to the JIRA REST API.

In other words, the session is integral to the request, receipt and use of the cookie-based authentication token.

Also, the atlassian.xsrf.token would have been injected by Atlassian to prevent cross-site forgery and hijacking of the session/cookie.

The way I see it, here are your simple-but-secure options:

  1. For every invocation of your script, use the session to request-receive-retain the cookie (and then, once all API calls are complete, let everything get discarded)
  2. Base64 encode your username and password, store it in a separate file (encrypted if you so choose), and have your script collect (and decrypt) it then place it in an authorization header. See Hiding a password in a python script (insecure obfuscation only).

HeyZiko
0

If you follow the goal not to authorize every time you send a request to the API, you should send (POST) your authentication requests using the cookie-based authentication /rest/auth/1/session, not Basic Auth, to get the token. You will then use that obtained token subsequently in your further requests (in the Cookie header) to the API without a need to authorize every single request.

Watch out for the important missing piece in the API documentation: you should send the username, NOT the email, to authorize in a cookie-based manner. Even though both variants work for Basic Auth, only the username works for the cookie-based authentication.

dr_dronych
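A concrete version of what both answers describe, as an added example that is not part of the question or either answer: log in once through /rest/auth/1/session, keep only the resulting session cookie in an owner-only file, and reuse it from a plain requests.get on later runs (no live Session object needed). It assumes a placeholder base URL and the requests library, which is imported only inside the two networked functions so the cookie-file helpers run stand-alone.

```python
import os
import stat
from http.cookiejar import Cookie, MozillaCookieJar

JIRA_URL = "https://jira.example.com"            # assumption: your Jira base URL
COOKIE_FILE = os.path.expanduser("~/.jira_session_cookie.txt")

def session_cookie_from_login(body):
    """Pull (name, value) of the session cookie out of the JSON body that
    POST /rest/auth/1/session returns, e.g. ("JSESSIONID", "...")."""
    return body["session"]["name"], body["session"]["value"]

def make_cookie(name, value, domain):
    """Build a Secure, path=/ cookie object; used here only to seed a jar
    with a constructed value for testing the save/load round trip."""
    return Cookie(0, name, value, None, False, domain, True, False,
                  "/", True, True, None, False, None, None, {})

def save_cookies(jar, path=COOKIE_FILE):
    """Persist the jar and restrict the file to its owner: the session cookie
    is a bearer credential, so anyone who can read the file can act as you."""
    jar.save(filename=path, ignore_discard=True)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)          # 0600
    return stat.S_IMODE(os.stat(path).st_mode)

def load_cookies(path=COOKIE_FILE):
    """Load a previously saved jar; an empty jar if nothing was saved yet."""
    jar = MozillaCookieJar(path)
    if os.path.exists(path):
        jar.load(ignore_discard=True)    # session cookies carry no expiry; keep them
    return jar

def login(username, password, base=JIRA_URL, path=COOKIE_FILE):
    """The only place the password is used: log in, store just the cookie."""
    import requests
    s = requests.Session()
    r = s.post(base + "/rest/auth/1/session",
               json={"username": username, "password": password})  # username, not email
    r.raise_for_status()
    jar = MozillaCookieJar()
    for c in s.cookies:
        jar.set_cookie(c)
    save_cookies(jar, path)
    return session_cookie_from_login(r.json())

def session_is_valid(base=JIRA_URL, path=COOKIE_FILE):
    """A later script invocation: no Session object, just the saved cookie.
    A 401 here means the server-side session ended; call login() again."""
    import requests
    r = requests.get(base + "/rest/auth/1/session", cookies=load_cookies(path))
    return r.status_code == 200
```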