Bitbucket Server / BSERV-12178

Adding one extra character to the personal access token still allows the REST API call to succeed


      Description

      Summary

      Using personal access tokens to Basic authenticate against REST API endpoints, we notice that adding one character at the end still results in the token being considered valid.

      When we add more than one character, the token is considered invalid and the IncorrectPasswordAuthenticationException is thrown.

      Steps to Reproduce

      1. Create a personal access token.
      2. Call a REST API endpoint such as /rest/api/1.0/admin/users.
      3. Choose basic authentication via the access token.
      4. First, use the exact access token and make the call.
      5. Then, add one character to the end of that token and make the call again.
      6. Then, add one more character (so now we have two extra characters) and make the call again.

      Expected Results

      • Once the token is changed by adding one or more characters we expect the authentication to fail.

      Actual Results

      • Adding one character does not affect the authentication and the call succeeds.
      • Adding more than one character makes the call fail.
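      A regression check for the behaviour described above, added here as an example and not code from the issue or from Atlassian. `make_rest_authenticator` performs the three calls from the reproduction steps against a real instance (the base URL and username are assumed inputs), while `simulated_buggy_check` is a constructed stand-in that reproduces the reported accept/reject pattern so the check can run offline.

```python
import base64
import urllib.error
import urllib.request


def basic_auth_header(username: str, token: str) -> str:
    """Authorization header value for HTTP Basic auth using a PAT as the password."""
    raw = f"{username}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def altered_tokens(token: str) -> dict:
    """The three credentials the reproduction steps send: exact, +1 char, +2 chars."""
    return {"exact": token, "plus_one": token + "x", "plus_two": token + "xx"}


def probe(authenticate, token: str) -> dict:
    """Map each variant name to True if the server accepted that credential."""
    return {name: bool(authenticate(cred)) for name, cred in altered_tokens(token).items()}


def unexpected_acceptances(results: dict) -> list:
    """Variants that should have been rejected but were accepted (expected: none)."""
    return sorted(name for name, accepted in results.items() if accepted and name != "exact")


def make_rest_authenticator(base_url: str, username: str):
    """Build an authenticate() that GETs /rest/api/1.0/admin/users with Basic auth.
    base_url and username are caller-supplied; 401/403 counts as rejected."""
    def authenticate(credential: str) -> bool:
        req = urllib.request.Request(
            base_url.rstrip("/") + "/rest/api/1.0/admin/users",
            headers={"Authorization": basic_auth_header(username, credential)},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                return False
            raise
    return authenticate


# Constructed token and validator reproducing the reported behaviour offline:
# the exact token and the token plus one character pass, plus two fails.
REAL_TOKEN = "constructedTokenValue0123"


def simulated_buggy_check(credential: str) -> bool:
    return credential.startswith(REAL_TOKEN) and len(credential) <= len(REAL_TOKEN) + 1
```

Against a server with the expected behaviour, `unexpected_acceptances(probe(authenticate, token))` returns an empty list; the reported behaviour yields `["plus_one"]`.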

      Workaround

      Currently, we don't have a workaround to apply in this case.

            People

            Assignee:
            mgoyal2@atlassian.com Manish
            Reporter:
            fabbes Fares Abbes