Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve New-JiraSession/Invoke-JiraMethod behavior with PATs #507

Open
hmmwhatsthisdo opened this issue Mar 13, 2024 · 0 comments
Open

Improve New-JiraSession/Invoke-JiraMethod behavior with PATs #507

hmmwhatsthisdo opened this issue Mar 13, 2024 · 0 comments

Comments

@hmmwhatsthisdo
Copy link
Contributor

hmmwhatsthisdo commented Mar 13, 2024
edited

Context

Jira API authentication appears to be largely PAT-based now (both for cloud and on-prem instances).

The current state of New-JiraSession and Invoke-JiraMethod support PATs via -Headers or -Credential, but:

  • Understanding how to do this requires some level of HTTP knowledge (i.e. building an Authorization: Bearer <...> header),
  • Doesn't natively support [SecureString] tokens,
  • Doesn't work with Jira Datacenter (Basic auth is generally not recommended and will usually be mis-parsed as a local password)
  • Is generally pretty clunky.

Supporting bearer token auth natively would provide a more consistent experience.

Description

Improving PAT handling could look something like the following:

  • Add a PAT parameter (e.g. -PersonalAccessToken, with aliases -BearerToken and -Token) to New-JiraSession and Invoke-JiraMethod.
    • This is mutually exclusive with Basic auth (we'd be using Authorization: Bearer instead of Authorization: Basic), so we can enforce this with mutually exclusive parameter sets on the two functions.
  • In Invoke-JiraMethod, we:
    • Continue forwarding -Credential to Invoke-RestMethod if it's defined.
    • If a token is defined, we:
      • Pass it to Invoke-RestMethod via -Token on PS 6.0 and above (with -Authentication Bearer).
      • For PS5 and lower, we decrypt the SecureString ourselves and build the Authorization: Bearer header ourselves.
  • Use the username from the /myself endpoint when building session objects, instead of relying upon -Credential
    • PAT auth isn't guaranteed to come in as a credential, so relying on its username isn't guaranteed
    • Add some guard code to Invoke-JiraMethod and ConvertTo-JiraSession to ensure the username is always materialized

Additional Information

The one risk here is that Get-JiraSession now leaks the token we used to authenticate with in plain text. A couple of possible mitigations exist for this:

  • Add some code to ConvertTo-JiraSession to scrub auth headers
  • Extend JiraPS.Session to include a SecureString bearer token field and decrypt only as needed inside Invoke-JiraMethod
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hmmwhatsthisdo