Suggestion
Resolution: Unresolved
Problem Definition
When a user's authentication is locked after multiple failed attempts, the Jira administrator has to open the user administration page to reset the failed authentication count and disable the captcha.
Suggested Solution
Create a REST API method to reset the failed login count of a specified user.
Workaround
As a workaround, the administrator can send the same requests the Jira UI makes.
These examples use curl, but equivalent requests can be made from any programming language or from a REST API client such as Postman.
When the secure administrator session (websudo) is disabled, you can use the following example.
#######
# Adjust some variables
#######
JIRA_ADMIN_USERNAME=admin
JIRA_ADMIN_PASSWORD=admin
JIRA_BASE_URL=https://my.company.com/jira
TARGET_USER=user001

#######
# Check if captcha is required for the target user.
# If the target user has captcha enabled, grep prints the matching line; otherwise the output is empty.
#######
curl -s -u "${JIRA_ADMIN_USERNAME}:${JIRA_ADMIN_PASSWORD}" \
  -H 'X-Atlassian-Token: no-check' \
  "${JIRA_BASE_URL}/secure/admin/user/ViewUser.jspa?name=${TARGET_USER}" \
  | grep "CAPTCHA required at next login"

#######
# Reset the failed login count for the target user.
# A 302 HTTP status response is the expected output.
#######
curl -o /dev/null -s -w "%{http_code}\n" -u "${JIRA_ADMIN_USERNAME}:${JIRA_ADMIN_PASSWORD}" \
  -H 'X-Atlassian-Token: no-check' \
  "${JIRA_BASE_URL}/secure/admin/user/ResetFailedLoginCount.jspa?name=${TARGET_USER}"
When the secure administrator session (websudo) is enabled, you can use the following example, which requires extra steps.
#######
# Adjust some variables
#######
JIRA_ADMIN_USERNAME=admin
JIRA_ADMIN_PASSWORD=admin
JIRA_BASE_URL=https://my.company.com/jira
TARGET_USER=user001
JIRA_COOKIES=jiracookies.txt
JIRA_HEADER="X-Atlassian-Token: no-check"

#######
# Get session cookies that will be reused in the next steps.
# The expected output is the HTTP status 200.
#######
curl -o /dev/null -s -w "%{http_code}\n" -c "${JIRA_COOKIES}" -H "${JIRA_HEADER}" \
  -u "${JIRA_ADMIN_USERNAME}:${JIRA_ADMIN_PASSWORD}" "${JIRA_BASE_URL}/rest/auth/1/session"

#######
# Authenticate as an administrator (websudo).
# The expected output is the HTTP status 302.
#######
curl -o /dev/null -s -w "%{http_code}\n" -c "${JIRA_COOKIES}" -b "${JIRA_COOKIES}" \
  -H "${JIRA_HEADER}" -d "webSudoPassword=${JIRA_ADMIN_PASSWORD}" \
  -d "os_cookie=true" -d "webSudoIsPost=false" -d "authenticate=Confirm" \
  "${JIRA_BASE_URL}/secure/admin/WebSudoAuthenticate.jspa"

#######
# Check if captcha is required for the target user.
# The expected output from the curl command is the HTTP status 200.
# If the target user has captcha enabled, the grep command prints the matching line. Otherwise, the output is empty.
#######
curl -XGET -s -w "%{http_code}\n" -b "${JIRA_COOKIES}" -H "${JIRA_HEADER}" \
  -d "os_cookie=true" -d "webSudoIsPost=true" --output output.html \
  "${JIRA_BASE_URL}/secure/admin/user/ViewUser.jspa?name=${TARGET_USER}"
grep "CAPTCHA required at next login" output.html

#######
# Reset the failed login count for the target user.
# The expected output is the HTTP status 302.
#######
curl -o /dev/null -XGET -s -w "%{http_code}\n" -b "${JIRA_COOKIES}" -H "${JIRA_HEADER}" \
  -d "os_cookie=true" -d "webSudoIsPost=true" \
  "${JIRA_BASE_URL}/secure/admin/user/ResetFailedLoginCount.jspa?name=${TARGET_USER}"

#######
# Delete the file with the session cookies.
# It holds an authenticated, websudo-elevated administrator session, so do not leave it on disk.
#######
rm -f "${JIRA_COOKIES}"
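The same workaround as a small Python client, added here as an example and not code from the issue or from Atlassian. It keeps the cookie jar in memory instead of a file, checks the status code of every step so a failed websudo login aborts before the reset request is sent, and takes the request function as a parameter so the flow can be exercised against a fake transport. The helper and function names are assumptions; the URLs, form fields and expected status codes are those given in the curl examples above.

```python
import base64
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request

CAPTCHA_MARKER = "CAPTCHA required at next login"

class KeepRedirect(urllib.request.HTTPRedirectHandler):  # report a 302 instead of following it
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def make_sender(admin_user, admin_password):
    """Real transport: in-memory cookie jar, Basic auth and the CSRF-bypass header."""
    opener = urllib.request.build_opener(
        KeepRedirect(), urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    def send(url, form=None):  # returns (status, body); POST when a form is given
        data = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(url, data=data, headers={
            "X-Atlassian-Token": "no-check", "Authorization": f"Basic {token}"})
        try:
            with opener.open(req) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # non-2xx, including the expected 302
            return err.code, err.read().decode(errors="replace")
    return send

def captcha_required(view_user_html):
    """True when the ViewUser page flags the target user for captcha."""
    return CAPTCHA_MARKER in view_user_html

def _expect(status, want, step):
    if status != want:
        raise RuntimeError(f"{step}: got HTTP {status}, expected {want}")

def reset_failed_login_count(base_url, admin_password, target_user, send, websudo=True):
    """Replay the UI requests; return (captcha_was_required, reset_status).
    Any status the workaround does not expect aborts before the state change."""
    name = urllib.parse.quote(target_user)
    if websudo:
        _expect(send(f"{base_url}/rest/auth/1/session")[0], 200, "session")
        _expect(send(f"{base_url}/secure/admin/WebSudoAuthenticate.jspa",
                     {"webSudoPassword": admin_password, "os_cookie": "true",
                      "webSudoIsPost": "false", "authenticate": "Confirm"})[0], 302, "websudo")
    status, html = send(f"{base_url}/secure/admin/user/ViewUser.jspa?name={name}")
    _expect(status, 200, "view user")
    flagged = captcha_required(html)
    status, _ = send(f"{base_url}/secure/admin/user/ResetFailedLoginCount.jspa?name={name}")
    _expect(status, 302, "reset")
    return flagged, status
```

Against a live instance, call `reset_failed_login_count(base_url, password, user, make_sender(admin, password))`; the view and reset steps are sent as plain GETs, since the `-d` form fields on those two curl calls are not needed once the websudo cookie is present.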