Personal Auth Token are rejected when multiple failed password attempts, bug?

I am using Personal Authentication Tokens for my Jenkins to access the Bitbucket Server and scan the repos. Now, I found a behavior which I believe is a bug: if you make multiple failed attempts to log in and get to the point where, for security reasons, Bitbucket Server requires you to complete a captcha challenge, then from that moment until you succeed at the captcha, the Personal Auth Tokens are no longer accepted (HTTP error 401). I have put the Jenkins output from such an event below.

In my personal view, I think this is a major security DoS hole: one could make multiple failed login attempts on a given account where Personal Auth Tokens are used and disable them from being valid until the user realizes the issue and logs out and back in. This is not obvious to the user, since he may have set the "Remember me" feature at login time, which lets him keep accessing the Bitbucket Server tools without knowing that any tools using the Personal Auth Token are no longer able to access the same server.

ERROR: [Thu May 28 06:12:00 PDT 2020] Could not update folder level actions from source 6ccfdc2b-157a-423b-8586-feb8bf0bac40
com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException: HTTP request error. Status: 401: .
HttpResponseProxy{HTTP/1.1 401  [X-AREQUESTID: *101ZR7Cx372x1027160x5, X-ASEN: SEN-8215530, WWW-Authenticate: Basic realm="Atlassian Bitbucket", vary: accept-encoding, Content-Type: application/json;charset=UTF-8, Transfer-Encoding: chunked, Date: Thu, 28 May 2020 13:12:00 GMT] org.apache.http.client.entity.DecompressingEntity@609ef33a}
	at com.cloudbees.jenkins.plugins.bitbucket.server.client.BitbucketServerAPIClient.getRequest(BitbucketServerAPIClient.java:839)
	at com.cloudbees.jenkins.plugins.bitbucket.server.client.BitbucketServerAPIClient.getRepository(BitbucketServerAPIClient.java:438)
	at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.retrieveActions(BitbucketSCMSource.java:1038)
	at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:848)
	at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:600)
	at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:277)
	at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:164)
	at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1034)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:428)

Steps to reproduce: set up a tool that communicates with Bitbucket Server using Personal Auth Tokens, then run that script in a loop. Make multiple failed login attempts against Bitbucket Server until the security measure kicks in and a captcha is required, then do not proceed with the login. Until you do proceed with the login, the script will fail to obtain access to the server with HTTP error 401.


0 answers
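An added example, not part of the post and not Atlassian's or the Jenkins Bitbucket plugin's code: a small stand-alone Python probe that a CI job could run alongside the scan to tell the lockout described above apart from an ordinary revoked or mistyped token. It assumes the REST path /rest/api/1.0/projects/{project}/repos/{repo} (the repository lookup that the quoted getRepository call performs), that the PAT is sent as a bearer token, and that Bitbucket Server adds an X-Authentication-Denied-Reason header starting with CAPTCHA_CHALLENGE to a 401 when the account must first pass a captcha in the browser. That header does not appear in the 401 quoted above, so the classifier treats a bare Basic challenge as an ordinary credential rejection rather than guessing. The host name, token, project and repository names are placeholders, and the sample responses at the bottom are constructed.

```python
"""Probe Bitbucket Server with a personal access token (PAT) and classify a 401.

Added example; not code from the post, Atlassian, or the Jenkins plugin.
Standard library only. Assumptions are marked in comments.
"""
from __future__ import annotations

import urllib.request
from typing import Mapping, Optional
from urllib.error import HTTPError

# Assumption: Bitbucket Server sets this header on a 401 when the account is
# behind a captcha challenge; the value starts with CAPTCHA_CHALLENGE and may
# carry "; login-url=<url>". The 401 quoted in the post does not show it, so
# the classifier must also give a sane answer when it is absent.
DENIED_REASON_HEADER = "x-authentication-denied-reason"


def classify_response(status: int, headers: Mapping[str, str]) -> str:
    """Map status + headers to 'ok', 'captcha_challenge', 'bad_credentials',
    'forbidden' or 'other'. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        reason = lowered.get(DENIED_REASON_HEADER, "")
        if reason.strip().upper().startswith("CAPTCHA_CHALLENGE"):
            return "captcha_challenge"
        # Plain Basic challenge, exactly what the Jenkins output shows:
        # WWW-Authenticate: Basic realm="Atlassian Bitbucket"
        if "basic" in lowered.get("www-authenticate", "").lower():
            return "bad_credentials"
        return "other"
    if status == 403:
        return "forbidden"
    return "other"


def login_url_from_reason(reason_header: str) -> Optional[str]:
    """Pull login-url=... out of the denied-reason header, if present."""
    for part in reason_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "login-url" and value.strip():
            return value.strip()
    return None


def build_pat_request(base_url: str, token: str, project: str, repo: str) -> urllib.request.Request:
    """GET /rest/api/1.0/projects/{project}/repos/{repo} with the PAT as a
    bearer token. Bitbucket Server also accepts the PAT as the password of
    HTTP Basic; bearer is used so no username travels with the request."""
    url = f"{base_url.rstrip('/')}/rest/api/1.0/projects/{project}/repos/{repo}"
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def probe(base_url: str, token: str, project: str, repo: str, timeout: float = 10.0) -> dict:
    """Live network probe. Returns {'status', 'verdict', 'login_url'}.
    Not exercised by the constructed samples below."""
    req = build_pat_request(base_url, token, project, repo)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, dict(resp.headers.items())
    except HTTPError as err:  # urllib raises on 4xx/5xx; keep the headers
        status, headers = err.code, dict(err.headers.items())
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "status": status,
        "verdict": classify_response(status, headers),
        "login_url": login_url_from_reason(lowered.get(DENIED_REASON_HEADER, "")),
    }


# Constructed sample responses for offline use.
SAMPLE_POST_401 = {  # headers taken from the Jenkins output in the post
    "WWW-Authenticate": 'Basic realm="Atlassian Bitbucket"',
    "Content-Type": "application/json;charset=UTF-8",
}
SAMPLE_CAPTCHA_401 = {  # constructed; header value format is an assumption
    "WWW-Authenticate": 'Basic realm="Atlassian Bitbucket"',
    "X-Authentication-Denied-Reason": "CAPTCHA_CHALLENGE; login-url=https://bitbucket.example.com/login",
}

if __name__ == "__main__":
    for name, status, hdrs in [("post 401", 401, SAMPLE_POST_401),
                               ("captcha 401", 401, SAMPLE_CAPTCHA_401),
                               ("200", 200, {})]:
        print(f"{name}: {classify_response(status, hdrs)}")
    # Live use (placeholders): probe("https://bitbucket.example.com", "PAT", "PROJ", "repo")
```

The useful outcome for the scenario in the post is the 'captcha_challenge' verdict: a CI job can log the login URL and alert the token owner to complete the captcha in a browser, instead of retrying in a loop and adding to the failed-attempt count.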

Deployment type: Server
Version: 6.4