Suggestion
Resolution: Unresolved
Problem Definition
The rate limiting plugin has a filter that identifies the username of a request before the user is authenticated, so that the request can be counted against that user's rate-limit bucket.
It contains code to extract the username for the following authentication strategies (see Improving instance stability with rate limiting for further details):
- Basic auth.
- OAuth.
- JSESSIONID cookie.
Personal access tokens (PAT) were introduced in Jira 8.14 as an authentication method that is safer than basic auth (see Using Personal Access Tokens).
The rate limiting plugin has no code to extract the username before the authentication phase when a request is authenticated with a PAT.
Suggested Solution
Implement a pre-authentication request decoder to extract the username when authentication occurs with personal access tokens (PAT).
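The following is an added illustration, written for this page in Python rather than the plugin's Java, of what such a pre-authentication decoder has to do for each scheme; it is not code from the rate limiting plugin or from Atlassian. The security-relevant difference it shows: a Basic header carries the username in the request itself, whereas a PAT sent as `Authorization: Bearer <token>` is opaque, so the decoder must look the token up (by hash, never by plaintext) in the token store, and a token that matches nothing must fall back to a non-user key such as the client IP, otherwise a flood of random tokens would be counted against no bucket at all. The in-memory stores, the sample token, the session ID and the function names `resolve_username` and `rate_limit_key` are constructed assumptions for the example.

```python
import base64
import binascii
import hashlib
from typing import Mapping, Optional


def _sha256_hex(secret: str) -> str:
    """Hash a bearer credential so the store never holds the raw token."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed sample data (assumption): a real decoder would query the
# product's PAT and HTTP-session stores instead of these dicts.
SAMPLE_PAT_TOKEN = "constructed-pat-token-not-a-real-secret"
PAT_HASH_TO_USER = {_sha256_hex(SAMPLE_PAT_TOKEN): "bob"}
SESSION_TO_USER = {"0123456789ABCDEF": "carol"}


def basic_header(username: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def resolve_username(headers: Mapping[str, str],
                     cookies: Mapping[str, str]) -> Optional[str]:
    """Identify the user a request claims to be, before authentication.

    Returns None when no username can be derived; the caller then keys the
    rate limit on something other than a user (see rate_limit_key).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme, _, credential = hdrs.get("authorization", "").partition(" ")
    scheme, credential = scheme.lower(), credential.strip()

    if scheme == "basic" and credential:
        # The username is in the request itself: decode user:password.
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, _password = decoded.partition(":")
        if not sep or not user:
            return None
        return user

    if scheme == "bearer" and credential:
        # A PAT is opaque: only the token store can map it to a user.
        return PAT_HASH_TO_USER.get(_sha256_hex(credential))

    session_id = cookies.get("JSESSIONID")
    if session_id:
        # Cookie-based sessions likewise need a lookup in the session store.
        return SESSION_TO_USER.get(session_id)

    return None


def rate_limit_key(headers: Mapping[str, str], cookies: Mapping[str, str],
                   client_ip: str) -> str:
    """Pick the bucket: the claimed user if one resolves, else the client IP.

    Unknown or malformed credentials deliberately land in the IP bucket so
    that guessing tokens cannot escape rate limiting.
    """
    user = resolve_username(headers, cookies)
    return f"user:{user}" if user else f"ip:{client_ip}"
```

Note that resolving a username here does not authenticate anything; it only decides which bucket the request is counted against. The authentication filter that runs afterwards still has to verify the password, token or session, and a request whose claimed user is rejected there should still have consumed from that user's bucket.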
Is related to: JSWSERVER-21473 Rate limiting does not work for Cookie based authorization
Status: Gathering Interest