Hello,
The "Search for issues using JQL (GET)" REST API does not seem to return status 401 when requests are made without authentication credentials.
The documentation, which seems exactly the same for both v2 and v3, seems in contradiction about this, stating both that "This operation can be accessed anonymously" and also listing 401 as a possible response "Returned if the authentication credentials are incorrect or missing". This does not appear to be true.
Documentation for "GET /rest/api/2/search":
Documentation for "GET /rest/api/3/search":
Currently, I could only test with v2. The following JQL was used as a simple test:
And the results:
{"errorMessages":["The value 'PROJECT_NAME' does not exist for the field 'project'."],"errors":{}}
{"expand":"schema,names","startAt":0,"maxResults":50,"total":1234,"issues":[<the_expected_issues>]}
Note that the response data for the status 400 is very misleading, stating that "'PROJECT_NAME' does not exist" when in fact it does exist and is correctly retrieved when authenticated, as can be seen in the status 200 response data.
Is there a way to make "GET /rest/api/2/search" return a 401 when not authenticated? Or even better, only when requesting something not available to "anonymous". That would be really helpful.
Currently, "GET /rest/api/2/search" seems to always return status 400 for any kind of error, no matter if it was a JQL/syntax problem or an authentication issue. This is really unhelpful.
Because of this, an additional request to "myself" (which successfully returns status 401 when not authenticated) has to be performed every time to check whether the user is authenticated or not. Quite frustrating.
Thank you and best regards,
André Antunes da Cunha
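As an added example (not code from the thread or from Atlassian), here is how the workaround described above can be expressed as a small client: when the search endpoint answers 400, probe the "myself" endpoint, which does return 401 for missing credentials, and only then treat the 400 as a JQL or permission problem. The endpoint paths /rest/api/2/search and /rest/api/2/myself, the 400/401/200 behaviour and the error message text come from the post; the email/API-token header, the fake server used to run it offline and the "projekt" error body are constructed assumptions.

```python
"""Classify Jira search-API outcomes when the server returns status 400
both for JQL syntax errors and for unauthenticated requests.

Added example, not Atlassian's code. HTTP access is injected as a
function so the logic runs offline against a constructed fake server.
"""
import base64
import json
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import quote, unquote

# (method, url, headers) -> (status_code, response_body_text)
HttpFn = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def basic_auth_header(email: str, api_token: str) -> Dict[str, str]:
    """Jira Cloud basic auth: email + API token (assumption: as in the thread)."""
    raw = f"{email}:{api_token}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def is_authenticated(http: HttpFn, base_url: str, headers: Dict[str, str]) -> bool:
    """Probe /rest/api/2/myself, which does return 401 without credentials."""
    status, _ = http("GET", f"{base_url}/rest/api/2/myself", headers)
    return status == 200


def classify_search(http: HttpFn, base_url: str, jql: str,
                    headers: Dict[str, str]) -> Tuple[str, Optional[Any]]:
    """Return (category, parsed_body). Categories:
    'ok', 'unauthenticated', 'bad_jql_or_no_permission', or 'http_<code>'."""
    url = f"{base_url}/rest/api/2/search?jql={quote(jql)}"
    status, body = http("GET", url, headers)
    if status == 200:
        return "ok", json.loads(body)
    if status in (401, 403):
        return "unauthenticated", None
    if status == 400:
        # Ambiguous: the server uses 400 both for JQL errors and for
        # "nothing visible to this principal". Resolve it with the probe.
        if not is_authenticated(http, base_url, headers):
            return "unauthenticated", None
        return "bad_jql_or_no_permission", json.loads(body)
    return f"http_{status}", None


# ---- constructed fake server reproducing the behaviour from the thread ----
FAKE_BASE = "https://jira.example.invalid"          # placeholder host
VALID_AUTH = basic_auth_header("me@example.invalid", "CONSTRUCTED_TOKEN")


def fake_jira(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in: 401 on myself, 400 on search when anonymous."""
    authed = headers.get("Authorization") == VALID_AUTH["Authorization"]
    if url.endswith("/rest/api/2/myself"):
        return (200, '{"name":"me"}') if authed else (401, "")
    if "/rest/api/2/search" in url:
        jql = unquote(url.split("jql=", 1)[1])
        if jql.startswith("projekt"):            # constructed syntax-error body
            return 400, '{"errorMessages":["Field \'projekt\' does not exist."],"errors":{}}'
        if not authed:                           # message quoted from the post
            return 400, ('{"errorMessages":["The value \'PROJECT_NAME\' does not '
                         'exist for the field \'project\'."],"errors":{}}')
        return 200, '{"startAt":0,"maxResults":50,"total":1234,"issues":[]}'
    return 404, ""


if __name__ == "__main__":
    for jql, hdrs in [("project = PROJECT_NAME", {}),
                      ("project = PROJECT_NAME", VALID_AUTH),
                      ("projekt = PROJECT_NAME", VALID_AUTH)]:
        print(jql, "->", classify_search(fake_jira, FAKE_BASE, jql, hdrs)[0])
```

The probe costs one extra round trip per 400, which is exactly the frustration the post describes; the point of wrapping it in `classify_search` is that callers never have to interpret the misleading "does not exist" message themselves.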
There seems to be no way to return 401; I tried with the POST API but got the same result. It might be a bug of the REST API.
Or it is not a bug, it is a security feature. The REST API hides the information of whether the project name given in the JQL exists or not.
Hello @Mehmet A _Bloompeak_, thank you for replying!
Since the documentation states that status 401 is a valid response status for this request, I also agree that this really looks like a bug of the REST API indeed.
Or it is not a bug, it is a security feature. The rest API hides the information of whether the project name given in the jql exists or not.
But still, why not then just return status 401 when the credentials are missing, just like it is documented? This way it would even prevent that bogus "'PROJECT_NAME' does not exist" when in fact it does exist.
Having to make a separate request just to check whether the authentication is valid or not is really sad, and still that is currently the only way to tell JQL syntax errors apart from insufficient permissions (since they are both returning status 400).
But still, why not then just return status 401 when the credentials are missing, just like it is documented? This way it would even prevent that bogus "'PROJECT_NAME' does not exist" when in fact it does exist.
Because the search API returns public tickets as well. If your Jira instance has public tickets which can be accessed by anonymous users, the REST API returns them even if there are no credentials provided. Returning 400 means there is no ticket available for the anonymous user.
Hello @Mehmet A _Bloompeak_,
I agree with your point; the problem here is the service ambiguity. Currently, receiving status 400 can actually mean two very different things: 1. "there are no tickets available for anonymous user" (as you said) and 2. a syntax error (for example with the following JQL: "projekt = PROJECT_NAME"). This is very unhelpful.
Still, current behavior does not correspond to the documentation, which states that status 401 is "Returned if the authentication credentials are incorrect or missing" because, in fact, status 401 is currently not returned when credentials are missing.
Hi
This can be because, in Cloud, basic authentication with username and password has been replaced by basic authentication with email address and API token:
Atlassian has introduced support for API tokens for all Atlassian Cloud sites as a replacement for basic authentication requests that previously used a password or primary credential for an Atlassian account, as well as cookie-based authentication.
Basic authentication with passwords and cookie-based authentication are now deprecated and will be removed in 2019 in accordance with the Atlassian REST API policy.
Please replace username and password with email address and API Token and let us know if this solves the issue.
Cheers,
Nolddor
Please replace username and password with email address and API Token and let us know if this solves the issue.
Hello Nolddor, thank you for your reply!
Perhaps my post was not clear enough, I expect "https://<JiraServer>/rest/api/2/search?jql=project%20%3D%20PROJECT_NAME" to return status 401 when not authenticated/insufficient privileges/missing credentials, just as documented that status 401 is "Returned if the authentication credentials are incorrect or missing".
That was meant to include when credentials are not provided, so there is no username or password to replace anywhere.
*My reply seemed to disappear, so I am writing it again below*
Hello Nolddor, thank you for your reply!
Please replace username and password with email address and API Token and let us know if this solves the issue.
Perhaps the post does not properly explain this part of the issue. As the documentation states, it is expected to receive a status 401 "Returned if the authentication credentials are incorrect or missing". Emphasis on the "or missing" part.
So, in this context, there is no username or password to replace because they are intentionally not provided.
In other words, given the example in the post, whenever requesting "https://<JiraServer>/rest/api/2/search?jql=project%20%3D%20PROJECT_NAME" without any credentials provided, a status 401 should be returned, but instead a status 400 with a misleading response data is actually returned.