gnustavo / JIRA-REST

Thin wrapper around Jira's REST API
https://metacpan.org/release/JIRA-REST/

leave out Authorization header line when using a session #25

Closed fany closed 2 years ago

fany commented 2 years ago

Our Jira admin complained that my automations cause lots of "logins" to our Jira, increasing the "login count" (which you can observe as Jira administrator in the User management) of the user used with each request. He suspects that this might be the cause of intermittent authentication failures we experience with other automations due to the load it imposes.

This can be avoided by not sending an Authorization header line when you have an active session and thus can rely on Cookie-based authentication. So this patch makes sure that this header line is left out when using ->new_session().

The patch I suggest also includes the changes from the pull request I initiated yesterday, because both partly affect the same lines and would cause a merge conflict when being applied independently.

– Martin
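The idea described in this comment, sketched at the HTTP layer as an added example (not the patch from this issue and not JIRA::REST's own code): Basic credentials are attached only while the cookie jar holds no session cookie for the request. The host, issue key, credentials, the `fake_jira` stand-in and the use of `JSESSIONID` as the session cookie name are assumptions for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Cookies;
use HTTP::Request;
use HTTP::Response;

# Constructed values: host, issue key, credentials and cookie are placeholders.
my $BASE = 'https://jira.example.test/rest/api/2';
my ($USER, $PASS) = ('api-user', 'not-a-real-password');

my $jar = HTTP::Cookies->new;

# Build a request; attach Basic credentials only when the jar has no
# session cookie that applies to this URL.
sub build_request {
    my ($path) = @_;
    my $req = HTTP::Request->new(GET => "$BASE$path");
    $jar->add_cookie_header($req);
    my $cookie = $req->header('Cookie') // '';
    $req->authorization_basic($USER, $PASS)
        unless $cookie =~ /(?:^|;\s*)JSESSIONID=/;
    return $req;
}

# Hypothetical stand-in for the server: it issues a session cookie whenever
# a request arrives with credentials, so the example runs offline.
sub fake_jira {
    my ($req) = @_;
    my @hdr = $req->header('Authorization')
        ? ('Set-Cookie' => 'JSESSIONID=CONSTRUCTED0123; Path=/; HttpOnly')
        : ();
    my $res = HTTP::Response->new(200, 'OK', \@hdr);
    $res->request($req);    # extract_cookies needs the originating request
    return $res;
}

my $with_credentials = 0;
for my $n (1 .. 10) {
    my $req = build_request('/issue/DEMO-1');
    $with_credentials++ if $req->header('Authorization');
    $jar->extract_cookies(fake_jira($req));
    printf "request %2d: Authorization=%s Cookie=%s\n", $n,
        ($req->header('Authorization') ? 'yes' : 'no'),
        ($req->header('Cookie')        ? 'yes' : 'no');
}
print "requests carrying credentials: $with_credentials of 10\n";
```

A client built this way also has to handle a rejected or expired session by clearing the cookie and sending credentials again; the sketch leaves that path out.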

gnustavo commented 2 years ago

Hi Martin. I understand your concern, but I couldn't reproduce the problem here. I ran a script which performs a search and gets 63 issues from our Jira. In order to do that it invokes the API more than 63 times. But it only increased my login count by one. And I used JIRA::REST 0.021 pristine.

I also ran it using your patch but I couldn't see any difference.

Can you provide me a small example script with which I can trigger the problem?

fany commented 2 years ago

Hi Gustavo,

Thank you for taking a look into my suggestion and for testing it so thoroughly!

As requested, I've written a small test script:

```perl
#!/usr/bin/env perl

use 5.02;
use Getopt::Long;
use JIRA::REST;

my $Constructor = 'new';
GetOptions \my %opt, 'url=s', 'issuekey=s',
  'rcc=s'   => \my %rcc,
  'session' => sub { $Constructor = 'new_session' },
  or exit 1;
$opt{$_} or die "Need -$_\n" for qw(url issuekey);

my $jira = JIRA::REST->$Constructor(
    {
        url                => $opt{url},
        rest_client_config => \%rcc,

        # username/password come from ~/.netrc
    }
);

$jira->{rest}->getUseragent->add_handler(
    request_send => sub {
        say '=== Web request: ===';
        shift->dump;
        return;
    }
);

$jira->GET("/issue/$opt{issuekey}") for 1 .. 10;
```

When I let this run against the JIRA in our company with the original JIRA::REST from CPAN, it increases the login count of the API user by 10; when using it with the -session option, even by 13 due to the additional requests for session handling. When using my patched version in conjunction with -session, the login count is increased only by one.

I repeated the same tests with a JIRA v8.20.2 I administer myself for a non-profit organization, with the same results.

Can you reproduce the phenomenon with this script?

gnustavo commented 2 years ago

Hi Martin.

I could not reproduce the same behavior as you.

I ran your script on two Jira instances (both on version 8.13.13), with both the pristine version of JIRA::REST and with your patch, with and without the -session option. In all cases, the login count of my user increased by just one or two.

Since our Jiras are normally accessed through a web proxy (nginx), I even exercised your script with direct access, bypassing the proxy. But the results were the same.

I have another Jira instance which I use for testing. I'll try to upgrade it to version 8.20.3 to see if it makes a difference.

gnustavo commented 2 years ago

I didn't have to upgrade my test instance. I pointed your script to it and there I could see my login count increase by 10.

I suspected that one of the plugins I have installed in my production instances could be changing the behaviour. It is the API Token Authentication Jira. I disabled it temporarily on one of my production instances and ran your script again. This time I could see my login count increase by 10 too.

So, I guess this is all good. I'll integrate your change on the next branch.

Thank you!

gnustavo commented 2 years ago

Martin, I just pushed some commits to next. I refactored your commits a bit and took the chance to make a few other changes.

I just released JIRA::REST v0.022 which should appear on CPAN shortly.

Thank you very much for your contributions.

If I botched anything, please let me know so that I can fix it. ;)