h3. Issue Summary
When using the open-source [Jira Python library|https://github.com/pycontribs/jira] to make REST API calls to Jira, if [cookie-based authentication|https://jira.readthedocs.io/examples.html#cookie-based-authentication] is used then Jira’s rate limits will be bypassed. This can result in significant performance impacts due to the inability to limit scripted API requests.
This is reproducible on Data Center: yes
h3. Steps to Reproduce
{noformat}
import jira

# auth= (as opposed to basic_auth= or token_auth=) selects the library's
# cookie-based session authentication, which is what triggers this bug.
myjira = jira.JIRA('https://JIRA_BASE_URL/', auth=('USERNAME', 'PASSWORD'))
print(myjira.projects())
{noformat}
h3. Expected Results
Rate limiting works as configured.
h3. Actual Results
Rate limiting has no effect.
The Jira logs show that the requests made by Python are being treated as UI requests due to the presence of both the JSESSIONID and atlassian.xsrf.token cookies, which then bypasses rate limiting:
{noformat}
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Checking if rate limiting logic needs to be applied to user request: [/rest/api/2/project]
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, accept-encoding, cache-control, content-type, cookie, x-atlassian-token, x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto, x-forwarded-server, x-real-ip]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF], atlassian.xsrf.token=[FFFF-FFFF-FFFF-FFFF_ffffffffffffffffffffffffffffffffffffffff_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: no header found
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Request has passed rate limiting - continuing on…
{noformat}
h3. Workaround
Configure the Jira Python library to use [token-based authentication|https://jira.readthedocs.io/examples.html#jira-self-hosted-incl-jira-server-data-center] instead of [cookie-based authentication|https://jira.readthedocs.io/examples.html#cookie-based-authentication] - however, this requires the active cooperation of the user running the Python script.
||Vendor||Product||Version||CPE||
|atlassian|jira_data_center|*|cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*|