Jira Platform Cloud / JRACLOUD-82932

Misleading 200 status code when using incorrect credentials in REST API calls


      Issue Summary

If you call the Jira Cloud REST API endpoints with wrong credentials, you get status 200 (OK) with an empty response instead of an authentication error.

      Steps to Reproduce

      curl -u user:WRONGTOKEN -X GET "https://<your site name>.atlassian.net/rest/api/3/issue/createmeta"
      

      Observe 200 in response instead of 401:

      {"expand":"projects","projects":[]}

      Expected Results

      Response with 401 status code

      Actual Results

      Response with 200 status code

      Workaround

      If you expand the headers you can see that the authentication failed:

      curl -D- -u user:WRONGTOKEN -X GET "https://<your site name>.atlassian.net/rest/api/3/issue/createmeta"
      
      HTTP/2 200 
      date: Thu, 16 Nov 2023 11:11:56 GMT
      [..removed..]
      x-seraph-loginreason: AUTHENTICATED_FAILED
      [...removed...]
      atl-traceid: 5ca64d54a9a44c7fb3f7498588389e9a
      [...]
      
      {"expand":"projects","projects":[]}
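As an added illustration of the workaround (example code written for this note, not part of the report or of any Atlassian client library): a Python check that refuses to trust a bare 200 and instead inspects the `x-seraph-loginreason` header and the empty-projects body shape captured above. The function names are mine; the header and body values are copied from the captured response, and "OK" as Seraph's success value is assumed from Seraph's login-reason set rather than taken from this page.

```python
import json
from typing import Mapping

# Seraph login-reason header value that marks a successful login (assumed from
# Seraph's login-reason set; the report only shows AUTHENTICATED_FAILED).
AUTH_OK = "OK"

class JiraAuthError(Exception):
    """Raised when Jira answered 200 but the supplied credentials were rejected."""

def classify_jira_response(status: int, headers: Mapping[str, str], body: str) -> str:
    """Return 'ok', 'auth_failed', 'anonymous_suspect' or 'http_error'."""
    if status >= 400:
        return "http_error"
    # Match header names case-insensitively: curl prints them in lower case
    # under HTTP/2, other clients may preserve the original casing.
    lowered = {name.lower(): value for name, value in headers.items()}
    reason = lowered.get("x-seraph-loginreason")
    # AUTHENTICATED_FAILED is what the report captured; any non-OK value is
    # treated as a rejected login, whatever the status code says.
    if reason is not None and reason.strip().upper() != AUTH_OK:
        return "auth_failed"
    # No Seraph verdict in the headers: fall back to the body shape the report
    # shows for an anonymous caller (no visible projects). A real user with no
    # project permissions looks the same, so this is a warning, not an error.
    try:
        payload = json.loads(body)
    except ValueError:
        return "ok"
    if isinstance(payload, dict) and payload.get("projects") == []:
        return "anonymous_suspect"
    return "ok"

def require_authenticated(status: int, headers: Mapping[str, str], body: str) -> str:
    """Return the classification, raising JiraAuthError on a silent auth failure."""
    verdict = classify_jira_response(status, headers, body)
    if verdict == "auth_failed":
        raise JiraAuthError("Jira returned %d but x-seraph-loginreason reports "
                            "that authentication failed" % status)
    return verdict

# Constructed sample, copied from the headers and body quoted in the workaround.
SAMPLE_HEADERS = {"date": "Thu, 16 Nov 2023 11:11:56 GMT",
                  "x-seraph-loginreason": "AUTHENTICATED_FAILED"}
SAMPLE_BODY = '{"expand":"projects","projects":[]}'
```

Wire `require_authenticated` in right after the HTTP call so a wrong token fails loudly in integrations and scripts instead of silently producing empty results.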
      


Anusha Rutnam added a comment:

This issue recently came up in a related bug: JRACLOUD-82405 – /rest/api/2/user/search REST calls return 200 with no body using wrong API token causing confusions

The above ticket was closed as "Not a bug" for the reasons described here:

This is the expected behaviour for accessing any Jira REST endpoint that allows anonymous access. When an endpoint is called with a username and a wrong token, the authentication fails. As a result, Jira treats this user as an unauthenticated user, essentially an anonymous user. Since this particular endpoint `/rest/api/2/user/search` accepts anonymous access, the call proceeds successfully with a 200 status code despite the authentication failure. The empty result indicates that no user matching the search query is visible to the anonymous user.

Thus, this is not a bug, but an intended behaviour of Jira. If you would like this behaviour to be changed, you can submit a feature request.

Rather than close this ticket, I am going to change it to a Suggestion.

Assignee: Unassigned
Reporter: Dario B (dbonotto)
Votes: 0
Watchers: 4