Details
-
Bug
-
Status: Done
-
Minor
-
Resolution: Done
-
5.4.28
-
None
-
None
-
Sprint 44
-
0
Description
There seems to be an unwanted interaction between Secure Login and Script Runner. The problem is that an infinite number of empty message boxes are generated on our PIN validation mask. This only happens if Script Runner is installed.
In the default configuration, Secure Login does not enforce the second-factor authentication for REST services, as in B2B communication it would not be possible for the caller to generate a TOTP PIN. So by default, /rest/ is on the context whitelist.
If you remove /rest/ from the whitelist. Normally that should not be a problem. As soon as the user logged in and validated his/her PIN, REST is working as expected.
If Script Runner is installed, it seems to call any REST service, while the user is still on our PIN validation dialog. The calls run into an error and these empty dialog boxes are generated by Script Runner.
Steps to reproduce:
- Install Secure Login Secure Login (2FA) - Jira 2.3.2.6 from the Atlassian Marketplace
- Go to the 2FA Configuration
- Activate the plugin with the default configuration
- Save the configuration
- Go back to the Jira Dashboard
- Register the Mobile Authenticator
- Process through the PIN validation
- Go back to the 2FA Configuration
- Replace "/rest/" with "/rest/gadget/1.0/login" in the context whitelist
- Save the configuration
- Logout
- Log in again
- The empty message dialogs show up on the PIN validation dialog
