mistyping password does not give Authentication Failed error.

[jaybuff]

Awesome, Jira gives you an HTTP 200 when you provide bad u/p:

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Date: Thu, 19 Feb 2015 00:53:58 GMT
Server: Apache-Coyote/1.1
X-Arequestid: 53x17037965x1
X-Asen: SEN-2062203
X-Asessionid: 14tags9
X-Ausername: jaybuff
X-Content-Type-Options: nosniff
X-Seraph-Loginreason: AUTHENTICATION_DENIED

fd
{"self":"https://issues.apache.org/jira/rest/api/latest/user?username=jaybuff","name":"jaybuff","loginInfo":{"failedLoginCount":12,"loginCount":240,"lastFailedLoginTime":"2015-02-19T00:53:59.600+0000","previousLoginTime":"2015-02-19T00:09:15.895+0000"}}
0

[coryb]

Interesting, probably depends on auth type on the jira server. When I run jira login with a bogus password I get a 403 with X-Authentication-Denied-Reason header set.

I suppose we can look for 200's with X-Seraph-Loginreason: AUTHENTICATION_DENIED header.

-Cory

[jaybuff]

From https://confluence.atlassian.com/display/JIRA043/JIRA+REST+API+%28Alpha%29+Tutorial#JIRARESTAPI%28Alpha%29Tutorial-CAPTCHAs

When you get an error response from JIRA, you can check for the presence of an
X-Seraph-LoginReason header in the response, which will contain more information. A value of
AUTHENTICATION_DENIED means the application rejected the login without even checking the
password, which most commonly indicates that JIRA's CAPTCHA feature has been triggered.

[coryb]

cool, just updated the code to detect the header. Thanks.
-Cory

[coryb]

fixed this a while ago, closing.