Do API tokens created after Jan 18, 2023 work?

[gautaz]

Hello,

I've recently created an Atlassian Cloud API token to test mark. Since Jan 18, 2023, API tokens are generated by using a varied length.

This is the result I'm currently getting with this token:

❯ pass company/www/atlassian.com/tokens/mark | mark --trace -p - -f README.md
2023-03-09 21:50:08.276 INFO  processing README.md
2023-03-09 21:50:08.276 TRACE loaded macro "@\\{([^}]+)\\}"
                              ├─ template: ac:link:user
                              ├─ expr: @\{([^}]+)\}
                              └─ config:
                                      Name: ${1}
2023-03-09 21:50:08.276 TRACE rest: GET /wiki/rest/api/content/?expand=ancestors%2Cversion&spaceKey=~666666666666666666666666&title=TestTitle&type=page HTTP/1.1
                              Host: company.atlassian.net
                              Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

2023-03-09 21:50:08.276 FATAL unable to resolve page
                              └─ error while finding page "TestTitle"
                                 ├─ Get "https://company.atlassian.net/wiki/rest/api/content/?expand=ancestors%2Cversion&spaceKey=~666666666666666666666666&title=TestTitle&type=page": net/http: invalid header field value for "Authorization"
                                 └─ title: TestTitle

I already checked that the XXXX... placeholder contains the API token and the net/http: invalid header field value for "Authorization" message seems rather clear.

Has anyone else tried mark with the new tokens? Is there something else that I am doing wrong?

[joyfulrabbit]

I upgraded my Mark client to 8.8 and made some other changes. I am unable to synchronize again, now seeing one of two errors:

2023-03-13 12:55:44.202 FATAL toml: line 1 (last key "password"): expected value but found "redacted key" instead

or

2023-03-13 13:08:00.723 FATAL unable to resolve page └─ error while finding page "1pass CLI gotchas" ├─ Confluence API returned unexpected status: 401 (Unauthorized)

[joyfulrabbit]

Ahh, So I figured it out again. The ticks weren't the issue, they were a red herring. I added a username = to the file which got things working again.

curl --request GET --url 'https://dev_url .atlassian.net/wiki/rest/api/content/?expand=ancestors%2Cversion&spaceKey=<a_space_name>&title=<a_doc_name>&type=page' --user '<just my key>' --header 'Accept: application/json'
{"message":"Request rejected because issuer is either not authorized or not authorized to impersonate","status-code":401}%

vs

curl --request GET --url 'https://dev_url.atlassian.net/wiki/rest/api/content/?expand=ancestors%2Cversion&spaceKey=<a_space_name>&title=<a_doc_name>&type=page' --user '<my_user>:<my_api_key>' --header 'Accept: application/json'

{"results"

So basically, for atlassian cloud, you need to specify a username field in your config file in addition to the key in the password field. Apologies for the red herring response, I was testing multiple users in multiple environments.

[gautaz]

Hello @joyfulrabbit, thanks for the time spent.

I feel sorry but I am not sure to interpret your answer the right way. I have tested again with username:token as the password which failed. I have also tried with username:token as the user and token as the password, which also failed.

Could you please detail what should be used as the user and password parameters of the mark executable ?

[joyfulrabbit]

Hey Gautaz, I showed how the api worked for me using some curls, but that is just for folks who might be making changes in the codebase. There is a confusing amount of choice available to you here.

I'm specifying a user name and password in a config file that I call from the command line.

mark -c ~/.config/mark/wiki-cloud.cfg --space "Space" -f "/File/Path/*/.md"

wiki-cloud.cfg

username = "user@email.com"
password = "Api_key_goes_here"
base_url = "https://your-site.atlassian.net/wiki"
h1_title = true

I tested from the command line as well, without a config file. This is the minimum required for me to get it working:

mark -u user@email.com -p "api-key" --space "target_space" -f "/file/path/*.md" -b https://your_site.atlassian.net/wiki --title-from-h1

[gautaz]

@joyfulrabbit Ok, that was part of my initial tests, if I specify both the user and the API key as the password, I get the following trace:

 2023-03-14 17:12:11.233 TRACE rest: HTTP/2.0 401 Unauthorized
                              Atl-Traceid: 973baf74f625baca
                              Content-Type: text/plain
                              Date: Tue, 14 Mar 2023 16:12:11 GMT
                              Expect-Ct: report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/atlassian-proxy", max-age=86400
                              Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                              Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                              Server: AtlassianEdge
                              Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                              Vary: Accept-Encoding
                              X-Content-Type-Options: nosniff
                              X-Xss-Protection: 1; mode=block

                              Basic authentication with passwords is deprecated.  For more information, see: https://developer.atlassian.com/cloud/confluence/deprecation-notice-basic-auth/

Following what is said in #102, I removed the user parameter but that did not help either (see initial post).

Did you operate your previous tests with an Atlassian Cloud token generated after Jan 18, 2023?

[joyfulrabbit]

My token was generated 3/8/2023. I authenticated into atlassian cloud two ways using mark, and a third way using a curl statement. All show above.

You might want to start looking at how your confluence site is configured if that is an option. You should be able to auth with all 3 of the methods above.

Are you specifying the base URL as https://your-site.atlassian.net/wiki ?

Mark version 8.8.

[gautaz]

Hello @joyfulrabbit, thanks for the details and confirmation. I am in fact using a base URL that seems formatted the right way (https://company.atlassian.net/wiki).

I am using the following as my ~/.config/mark file:

base_url = "https://company.atlassian.net/wiki"
h1_title = true
h1_drop = true

(with company being my employer's company name, which is displayed when I am using confluence on my web browser)

I will ask if I can get access to the company's confluence site configuration to see if there are any knobs I can use to fix the issue on my side.

I am most probably not doing something the right way but I can't hit the nail on the head. My mark version is also 8.8 (as reported by mark --version).

[gautaz]

I am also wondering, what is the HTTP status code returned by altlassian when it cannot find a resource? Is it 401 or 404?

As I am systematically getting a 401 and as mark's documentation tells that a resource is created if it does not exist, I have inferred that the issue is due to the wrong usage of credentials but can this behavior be due to the fact that I am trying to access inexistent resources?

What if I am misunderstanding what should be used as a space key or parent title, can this lead to a 401?

[joyfulrabbit]

Gautaz Short answer; Yes.

[gautaz]

I tried again lately and I have at last succeeded in publishing a document with mark. This time I only tried the full command line version without any config file involved. I have still no idea what happened during my initial testing (most probably PEBKAC) so I will close this issue for now.