Project: Jira Data Center
Issue: JRASERVER-76876

Rate limiting should be able to extract the username before authenticating when personal access token is used


    • Type: Suggestion
    • Resolution: Unresolved
    • Component: Rate Limiting
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      The rate limiting plugin has a filter that identifies the username from a request before the user is authenticated, so that the request can be counted against that user's limit.
      It has code to extract the username for the following authentication strategies – see Improving instance stability with rate limiting for further details:

      • Basic auth.
      • OAuth.
      • JSESSIONID cookie.



      Personal access tokens (PAT) were introduced in Jira 8.14 as an authentication method that is safer than basic auth – see Using Personal Access Tokens.
      The rate limiting plugin has no code to extract the username from a PAT-authenticated request before the authentication phase, so such requests cannot be attributed to the user at the point where rate limiting is applied.

      Suggested Solution

      Implement a pre-authentication request decoder to extract the username when authentication occurs with personal access tokens (PAT).
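The following is an added illustration of what such a pre-authentication decoder chain looks like; it is not code from the rate limiting plugin or from Atlassian. Requests are modelled as plain dicts, and the PAT and session stores are constructed stand-ins (Jira's real storage differs). Basic auth and the JSESSIONID cookie are handled alongside the PAT decoder so the fall-through order is visible; the OAuth decoder the page mentions is omitted. The key point for PAT is that the token is opaque, so the username can only be recovered by looking the token up, and the lookup is done on a hash of the token so the rate limiter never handles the raw secret.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Optional

# A request is a plain dict (constructed for this example):
# {"headers": {...}, "cookies": {...}, "remote_addr": "..."}
Request = dict


def _header(req: Request, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in (req.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return ""


def token_fingerprint(token: str) -> str:
    """Hash a PAT so neither the lookup table nor any log line holds the raw secret."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed stand-ins for the instance's stores (assumption: the real PAT
# store can be queried by token hash before authentication runs).
PAT_STORE: Dict[str, str] = {
    token_fingerprint("constructed-pat-for-bob"): "bob",
}
SESSION_STORE: Dict[str, str] = {
    "constructed-session-id-1": "carol",
}


def from_basic_auth(req: Request) -> Optional[str]:
    """Basic auth carries the username in clear: decode and split on ':'."""
    value = _header(req, "Authorization")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: treat as no identity rather than failing
    user, _sep, _password = decoded.partition(":")
    return user or None


def from_personal_access_token(req: Request) -> Optional[str]:
    """A PAT names no user; resolve it through the store by fingerprint.

    An unknown token yields None, so the request is keyed as anonymous
    instead of being attributed to any user.
    """
    value = _header(req, "Authorization")
    if not value.startswith("Bearer "):
        return None
    return PAT_STORE.get(token_fingerprint(value[len("Bearer "):]))


def from_session_cookie(req: Request) -> Optional[str]:
    """JSESSIONID maps to an already-authenticated user in the session store."""
    cookies = req.get("cookies") or {}
    return SESSION_STORE.get(cookies.get("JSESSIONID", ""))


# Decoders are tried in order; the first one that yields a user wins.
DECODERS: List[Callable[[Request], Optional[str]]] = [
    from_basic_auth,
    from_personal_access_token,
    from_session_cookie,
]


def rate_limit_key(req: Request) -> str:
    """Bucket key used by the limiter: per user when identifiable, else per source address."""
    for decoder in DECODERS:
        user = decoder(req)
        if user:
            return f"user:{user}"
    return f"anon:{req.get('remote_addr', 'unknown')}"


class FixedWindowLimiter:
    """Minimal fixed-window counter keyed by rate_limit_key (window reset left to the caller)."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: Dict[str, int] = {}

    def allow(self, req: Request) -> bool:
        key = rate_limit_key(req)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit

    def new_window(self) -> None:
        self.counts.clear()
```

Because the decoders run before authentication, the identity they produce is a hint for bucketing, not a verified principal: a Basic header naming a user consumes that user's bucket whether or not the password is right, which is simply how pre-auth keying works. The PAT decoder behaves differently in a useful way: a request is only attributed to a user when the presented token resolves in the store, so unrecognised tokens fall through to the anonymous, address-keyed bucket.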

            Assignee: Unassigned
            Reporter: Thiago Masutti (tmasutti)
            Votes: 3
            Watchers: 2