
JIRA password is stored clear text in config file #13

Open
watsoncj opened this issue Feb 28, 2018 · 12 comments

Comments

@watsoncj

watsoncj commented Feb 28, 2018

Likely a blocker for many users. This password is often the same as the corporate VPN.

Storing the password in the user's keychain seems like a better option than #1.

@watsoncj
Author

Consider something like keytar for cross-platform keychain access.

@miguelmich
Member

Great idea @watsoncj, I'll use it definitively!

@decibyte

This is definitely a show stopper for me. Let me know if there is anything I can do to help (that doesn't involve coding).

@miguelmich
Member

I'll be working on the implementation of this fix today; hopefully there will be a new release with this hotfix today :)

@miguelmich
Member

miguelmich commented Mar 14, 2018

@watsoncj I was working on this but then I realized that users on Linux will have to install an additional lib in order to use the CLI. I'll do some research to see if we can find a 100% Node cross-platform solution.

PS: I don't know, what do you guys think about this?

@valentijnscholten

An alternative could be to use OAuth, but that's more complicated and requires cooperation from the JIRA admins. What about only having the password in memory? So don't store it, but ask for it once on startup or on the first command executed?

@miguelmich
Member

@valentijnscholten I like that idea, I will explore it more. What I'm thinking is: since this config file is stored in the user's home directory, the same place the SSH keys are stored in, one would think this is a safe place. I mean, if an attacker manages to reach your home directory you're in more serious trouble. But I agree that having the JIRA password stored without any obfuscation at all is concerning even for me (I don't even like seeing my passwords without the *** characters lol). On the other hand, I also think that if you're not on your own machine you wouldn't want to have that data stored locally, so your solution makes total sense to me.

I'll take a look at how to store recurring data in memory and if anyone else has any other better idea you're welcome to participate :)

@valentijnscholten

Private keys are usually protected by a password which is asked for only once on startup and then cached in memory :)

@xdhmoore

If an attacker reaches your home directory, you have serious problems, but if your home directory contains an SSO password that gets them admin access to all of the production applications you manage, you have even more serious problems.

@iinuwa
Contributor

iinuwa commented Dec 17, 2020

I don't know if Jira Server has this option, but Jira Cloud has an option to create an API token that is separate from your password. It still gives you access to all the API features that your user has access to, but it's scoped to Jira rather than all of the apps that your domain/organization credentials provide access to.

@valentijnscholten

API tokens were just introduced in Jira Server 8.14, but they do not work with basic authentication. They need to be sent as a bearer token.

@iinuwa
Contributor

iinuwa commented Jan 3, 2021

Oh, OK. My API token for Jira Cloud is working without modification to jira-cli. @valentijnscholten, are you saying that Jira Server API tokens are not working with jira-cli?
