Is handle_401 in JiraCookieAuth in jira/client.py 2.0.0 broken?

Matt Collins
February 20, 2019

I'm assuming it's there to handle expired cookies. On a 401 return code it immediately tries re-establishing a session. If your login is actually incorrect or unauthorized and you're using basic mode auth it seems to result in an endless loop.


I have a simple patch for it applied to my codebase that will break recursion by only trying once more after a 401, in case reauth is required, and will accept a 401 as legitimate on the first attempt when instantiating the session.

Is my understanding about its purpose correct? If so, I'll put in a pull request.


from requests.auth import AuthBase


class JiraCookieAuth(AuthBase):
    # Patched methods only; the rest of the class is unchanged from jira/client.py.

    def __init__(self, session, _get_session, auth):
        self._session = session
        self._get_session = _get_session
        self.__auth = auth
        # First 401 is real. Others are cookie expiry.
        self.__401 = True

    def handle_401(self, response, **kwargs):
        if response.status_code != 401:
            self.__401 = False
            return response

        # If this is a 401, retry in case cookie expired.
        # Prevent looping on 401s when we're actually unauth'd.
        if self.__401:
            return response

        # Re-establish the session exactly once, then replay the original request.
        self.__401 = True
        self.init_session()
        response = self.process_original_request(response.request.copy())
        self.__401 = False
        return response


1 answer

0 votes
Matt Collins
February 20, 2019

Further update, given it seems to be a hack due to Atlassian Cloud sometimes returning 401 erroneously - we're on prem. Patched resilientsession.py as follows in addition to the above to only treat 401s as recoverable if we're connecting to an Atlassian URL. I still think that's potentially high risk - you're retrying an auth failure that may lock accounts if it's for example due to an incorrect password - but it fixes my problem by removing this code from our JIRA on-prem connects while leaving the package the same for cloud users.


import re
from urllib.parse import urlparse

# Inside the method in resilientsession.py that decides whether a failed
# request is retried; `url` is the request URL passed to that method.
        if hasattr(response, 'status_code'):
            if response.status_code in [502, 503, 504]:
                msg = "%s %s" % (response.status_code, response.reason)
            elif response.status_code == 401 and re.match(
                    r'.*\.atlassian\.net$',
                    # Test the hostname, not the full URL: a $-anchored
                    # pattern never matches once a path follows the host.
                    urlparse(url).hostname or '',
                    flags=re.IGNORECASE):
                # 401 UNAUTHORIZED still randomly returned by Atlassian Cloud as of 2017-01-16
                # This is a risky hack. A true 401 unauthorized may lock an account due to
                # failed logins. Do we really want to do this?
                msg = "%s %s" % (response.status_code, response.reason)
            elif not (response.status_code == 200 and
                      len(response.content) == 0 and