Issue with login

Hello,

I need some help concerning user login.
We have created an internal iOS application for our HelpDesk and have used your APIs.

It was working without any issue for almost 2 years, but since last week we have had an issue with login.
None of our users is able to log in.
Here is the request and response that we get. Got it from Xcode debug session:

▿ [Request]: POST https://betconstruct.atlassian.net/servicedesk/customer/portal/15/user/login
[Request Body]: 
os_cookie=1&os_password=********&os_username=********
[Response]: <NSHTTPURLResponse: 0x6000005bcb60> { URL: https://betconstruct.atlassian.net/servicedesk/customer/portal/15/user/login } { Status Code: 200, Headers {
    "Cache-Control" =     (
        "no-cache, no-store, no-transform"
    );
    "Content-Encoding" =     (
        gzip
    );
    "Content-Type" =     (
        "application/json;charset=UTF-8"
    );
    Date =     (
        "Fri, 10 Sep 2021 13:33:50 GMT"
    );
    Server =     (
        "AtlassianProxy/1.19.3.1"
    );
    "Set-Cookie" =     (
        "atlassian.xsrf.token=B8JE-7FT2-X5U8-LUXR_99d7bc9a39dea3a81281914f462cfd38e61d9036_lout; Path=/; Secure",
        "jsd.portal.language.anonymous=en-US; Expires=Fri, 10-Sep-2021 13:34:50 GMT; Path=/"
    );
    "Strict-Transport-Security" =     (
        "max-age=315360000; includeSubDomains; preload"
    );
    Vary =     (
        "Accept-Encoding"
    );
    "atl-traceid" =     (
        6c2aa2d615e85022
    );
    "expect-ct" =     (
        "report-uri=\"https://web-security-reports.services.atlassian.com/expect-ct-report/global-proxy\", enforce, max-age=86400"
    );
    "timing-allow-origin" =     (
        "*"
    );
    "x-arequestid" =     (
        "8e141bd6-d98e-4fc9-8bdc-b7dbfdca50af"
    );
    "x-content-type-options" =     (
        nosniff
    );
    "x-envoy-upstream-service-time" =     (
        103
    );
    "x-seraph-loginreason" =     (
        "AUTHENTICATED_FAILED"
    );
    "x-xss-protection" =     (
        "1; mode=block"
    );
} }
[Response Body]: 
{"loginSucceeded":false,"loginError":false,"communicationError":false,"elevatedSecurityCheckShown":true,"captchaFailure":false,"loginFailedByPermissions":false,"accountLocked":false}
[Result]: SUCCESS
[Timeline]: Timeline: { "Request Start Time": 652973629.397, "Initial Response Time": 652973629.903, "Request Completed Time": 652973629.906, "Serialization Completed Time": 652973629.906, "Latency": 0.506 secs, "Request Duration": 0.509 secs, "Serialization Duration": 0.000 secs, "Total Duration": 0.509 secs }
  ▿ request : Optional<URLRequest>
    ▿ some : https://betconstruct.atlassian.net/servicedesk/customer/portal/15/user/login
      ▿ url : Optional<URL>
        ▿ some : https://betconstruct.atlassian.net/servicedesk/customer/portal/15/user/login
          - _url : https://betconstruct.atlassian.net/servicedesk/customer/portal/15/user/login
      - cachePolicy : 0
      - timeoutInterval : 60.0
      - mainDocumentURL : nil
      - networkServiceType : __C.NSURLRequestNetworkServiceType
      - allowsCellularAccess : true
      ▿ httpMethod : Optional<String>
        - some : "POST"
      ▿ allHTTPHeaderFields : Optional<Dictionary<String, String>>
        ▿ some : 1 element
          ▿ 0 : 2 elements
            - key : "Content-Type"
            - value : "application/x-www-form-urlencoded"
      ▿ httpBody : Optional<Data>
        ▿ some : 66 bytes
          - count : 66
          ▿ pointer : 0x0000600002661540
            - pointerValue : 105553156511040
      - httpBodyStream : nil
      - httpShouldHandleCookies : true
      - httpShouldUsePipelining : false
  ▿ data : Optional<Data>
    ▿ some : 182 bytes
      - count : 182
      ▿ pointer : 0x0000600003050cc0
        - pointerValue : 105553166929088
  ▿ result : SUCCESS: {
    accountLocked = 0;
    captchaFailure = 0;
    communicationError = 0;
    elevatedSecurityCheckShown = 1;
    loginError = 0;
    loginFailedByPermissions = 0;
    loginSucceeded = 0;
}
    ▿ success : 7 elements
      ▿ 0 : 2 elements
        - key : communicationError
        - value : 0
      ▿ 1 : 2 elements
        - key : loginSucceeded
        - value : 0
      ▿ 2 : 2 elements
        - key : loginError
        - value : 0
      ▿ 3 : 2 elements
        - key : accountLocked
        - value : 0
      ▿ 4 : 2 elements
        - key : loginFailedByPermissions
        - value : 0
      ▿ 5 : 2 elements
        - key : elevatedSecurityCheckShown
        - value : 1
      ▿ 6 : 2 elements
        - key : captchaFailure
        - value : 0
  ▿ timeline : Timeline: { "Request Start Time": 652973629.397, "Initial Response Time": 652973629.903, "Request Completed Time": 652973629.906, "Serialization Completed Time": 652973629.906, "Latency": 0.506 secs, "Request Duration": 0.509 secs, "Serialization Duration": 0.000 secs, "Total Duration": 0.509 secs }
    - requestStartTime : 652973629.396795
    - initialResponseTime : 652973629.902659
    - requestCompletedTime : 652973629.905697
    - serializationCompletedTime : 652973629.905769
    - latency : 0.5058640241622925
    - requestDuration : 0.5089019536972046
    - serializationDuration : 7.200241088867188e-05
    - totalDuration : 0.5089739561080933
  ▿ _metrics : Optional<AnyObject>
    - some : (Task Interval) <_NSConcreteDateInterval: 0x60000051fc40> (Start Date) 2021-09-10 13:33:49 +0000 + (Duration) 0.508704 seconds = (End Date) 2021-09-10 13:33:49 +0000
(Redirect Count) 0
(Transaction Metrics) (Request) <NSURLRequest: 0x600000754140> { URL: https://betconstruct.atlassian.net/servicedesk/customer/portal/15/user/login }
(Fetch Start) 2021-09-10 13:33:49 +0000
(Domain Lookup Start) 2021-09-10 13:33:49 +0000
(Domain Lookup End) 2021-09-10 13:33:49 +0000
(Connect Start) 2021-09-10 13:33:49 +0000
(Secure Connection Start) 2021-09-10 13:33:49 +0000
(Secure Connection End) 2021-09-10 13:33:49 +0000
(Connect End) 2021-09-10 13:33:49 +0000
(Request Start) 2021-09-10 13:33:49 +0000
(Request End) 2021-09-10 13:33:49 +0000
(Response Start) 2021-09-10 13:33:49 +0000
(Response End) 2021-09-10 13:33:49 +0000
(Protocol Name) h2
(Proxy Connection) NO
(Reused Connection) NO
(Fetch Type) Network Load
(Request Header Bytes) 185
(Request Body Transfer Bytes) 75
(Request Body Bytes) 66
(Response Header Bytes) 577
(Response Body Transfer Bytes) 169
(Response Body Bytes) 182
(Local Address) 10.25.62.86
(Local Port) 59678
(Remote Address) 52.215.192.134
(Remote Port) 443
(TLS Protocol Version) 0x0304
(TLS Cipher Suite) 0x1301
(Cellular) NO
(Expensive) NO
(Constrained) NO
(Multipath) NO

At the same time, we are able to sign in from the web without any problems.
https://betconstruct.atlassian.net/servicedesk/customer/portal/15

Any help is appreciated.
Thanks in advance.

Hakob Nalbandyan

@HakobNalbandyan welcome to the Atlassian developer community.

I can’t really explain how it worked until last week but it shouldn’t have. The REST APIs only support basic authentication using API tokens. The debug session only includes login URLs; I don’t really know how the code was supposed to log in to the web UI and then do things with the REST API. Was it using cookie-based auth?
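
Added example (not part of the original posts and not the poster's or Atlassian's code): a Swift sketch that reads the legacy login outcome from the JSON flags and the X-Seraph-LoginReason header instead of the HTTP status, and builds the API-token Basic auth header the reply above refers to. The site host, e-mail address, token and the /rest/servicedeskapi/servicedesk path are assumptions chosen for illustration.

```swift
import Foundation

// Added illustration; host, email and token are placeholders.
enum PortalLoginOutcome: Equatable {
    case succeeded
    case rejected(flags: [String], seraphReason: String?)
    case unparseable
}

/// Decide the outcome from the JSON flags and X-Seraph-LoginReason, never from
/// the HTTP status: the failed attempt in the question returned 200.
func classifyPortalLogin(body: Data, seraphReason: String?) -> PortalLoginOutcome {
    guard let flags = try? JSONDecoder().decode([String: Bool].self, from: body) else {
        return .unparseable
    }
    if flags["loginSucceeded"] == true && seraphReason != "AUTHENTICATED_FAILED" {
        return .succeeded
    }
    let raised = flags.filter { $0.key != "loginSucceeded" && $0.value }.keys.sorted()
    return .rejected(flags: raised, seraphReason: seraphReason)
}

/// Build a REST request that authenticates with "email:API token" in a Basic
/// Authorization header instead of posting os_username/os_password.
func tokenAuthenticatedRequest(url: URL, email: String, apiToken: String) -> URLRequest {
    var request = URLRequest(url: url)
    let credential = Data("\(email):\(apiToken)".utf8).base64EncodedString()
    request.setValue("Basic \(credential)", forHTTPHeaderField: "Authorization")
    request.setValue("application/json", forHTTPHeaderField: "Accept")
    return request
}

// Response body copied from the debug session in the question.
let body = Data("""
{"loginSucceeded":false,"loginError":false,"communicationError":false,"elevatedSecurityCheckShown":true,"captchaFailure":false,"loginFailedByPermissions":false,"accountLocked":false}
""".utf8)
print(classifyPortalLogin(body: body, seraphReason: "AUTHENTICATED_FAILED"))

// Placeholder site and credentials; in the app, load the token from the Keychain.
let url = URL(string: "https://your-site.atlassian.net/rest/servicedeskapi/servicedesk")!
let request = tokenAuthenticatedRequest(url: url, email: "agent@example.com",
                                        apiToken: "API_TOKEN_PLACEHOLDER")
print(request.value(forHTTPHeaderField: "Authorization")?.hasPrefix("Basic ") ?? false)
```

For the response in the question, the classifier reports a rejection with the single raised flag elevatedSecurityCheckShown, which the `[Result]: SUCCESS` line in the debug output hides.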

Thanks for your response. When I try to open my URL:

https://betconstruct.atlassian.net/servicedesk/customer/portal/15/user/login?os_username=*****&os_password=*****&os_authType=basic

with the web, here is what I am getting:
REQUEST DENIED. Refer to https://confluence.atlassian.com/display/CLOUDKB/JIRA+and+Confluence+Cloud+os_username+and+os_password+embedded+in+URL+no+longer+available for details.

And finally here is what I found:
https://confluence.atlassian.com/cloudkb/jira-and-confluence-cloud-os_username-and-os_password-embedded-in-url-no-longer-available-872007971.html
So, I do not understand how it has worked since last week. It looks like we need to make changes in our sign-in flow.
Also, I found that cookie-based authorization is also deprecated. https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-cookie-based-authentication/

1 Like

You do realize you have leaked your credentials, right? Please change them asap!!!

Thanks.

1 Like