We want to disable the API tokens which were never used and the expired ones

Issue #55 resolved
shashikanth.budidha created an issue

Hi Team,

We need to remove unused and expired API tokens to address a security issue. We have identified around 100 such tokens. Could you please suggest a straightforward method to remove these tokens?

We understand that we can switch to the users who created them and revoke the tokens, but we are looking for a simpler process.

This ticket is marked as critical due to the security concerns, and we request that this be expedited.

Thanks,

Shashi

Comments (14)

  1. Roma Bubyakin

    Hello @shashikanth.budidha ,

    Thank you for reaching out.

    You can do it directly on the DB level (AO_5D4005_TOKEN table) and it will work.
    However, as with any direct requests on the DB, it is not safe, straightforward, or recommended.

    It seems that token management is becoming more popular (see also Issue #54).
    We will extend the administrative page so that admins can manage all users' tokens. We will do it shortly.

    It would be much better if you could provide your requirements.
    It will help us fulfill exactly your needs.

    Regards, Roman

  2. shashikanth.budidha reporter

    Hi Bubyakin,

    Our requirement is simple: we want to revoke all the tokens which have expired and were never used.

    Is there any ETA for the administrative page?

    Thanks,

    Shashi

  3. shashikanth.budidha reporter

    Hi Bubyakin,

    Thank you for the update.

    Just to check, once you roll out the administrative page, can we revoke tokens from it?

    Additionally,

    We have observed one scenario where a few user accounts have been removed from Jira, but their PATs still appeared in the list that we pulled via a DB query. So, we are looking for a DB query which can help us remove this kind of PAT as well.

    Thanks,

    Shashi

  4. shashikanth.budidha reporter

    We have some feedback and clarifications to request:

    1. For the time being, while we are doing the cleanups, we would like to stop the creation of new API tokens without impacting the existing API tokens. Is there any method for that?
    2. Is there any rule by which we can set a default expiry for all the tokens that are created?
    3. We follow Jira LTS versions and our current version is 9.12.12. Could you please confirm that the new plugin version which has the administrative page is compatible with our Jira version?

  5. Roma Bubyakin

    Thank you a lot. It’s a valuable input for us.

    We will try to release as many of the requested features as possible. If something requires more time, we will postpone that feature to the next release.

    P.S. It will work for 9.12.12.

  6. shashikanth.budidha reporter

    Hi Bubyakin,

    We are looking for answers to the below:

    1. For the time being, while we are doing the cleanups, we would like to stop the creation of new API tokens without impacting the existing API tokens. Is there any method for that?
    2. Is there any rule by which we can set a default expiry for all the tokens that are created?

    Thanks,

    Shashi

  7. Roma Bubyakin

    Hi Shashi,

    No, it’s not yet possible, but we will implement it soon.

    The first priority is the Admin page, and the second priority is these two features.

    Regards, Roman

  8. shashikanth.budidha reporter

    Hi Bubyakin,

    I have one more question,

    In Jira, we can create PATs with the inbuilt feature. How is this add-on different from the inbuilt feature? What advantages does it offer over the inbuilt feature?

    Thanks,

    Shashi

  9. Roma Bubyakin

    Hi Shashi,

    Our app was created years before Atlassian introduced it into DC applications.
    Nevertheless, 200+ clients use our apps for PATs.

    We are responsive and are open to introducing requests from our customers.

    As of now, you can forbid passwords (only tokens allowed) for all REST API requests.
    Tomorrow the Administration page will be released.

    Next week, the following settings will be released:

    • Prevention of token creation
    • Default, minimum, and maximum expiration time limits

    We also have plans to add:

    • granular permissions for each token (e.g. only read operations, or operations with issues)
    • invocation monitoring for evaluating the server load of each integration

    However, nobody has asked for that yet, so we are not 100% sure if it would be useful.
    If you find granular permissions or monitoring useful, just let us know.

    Regards, Roman

  10. Roma Bubyakin

    Hi Shashi,

    This is to update you on the topic.
    It’s on the way, but due to an additional QA process, it will be released on Monday.

    Regards, Roman

  11. Roma Bubyakin

    Hello @shashikanth.budidha

    We have released the Administration page. Feel free to update to v1.5.0.

    The next step would be to increase options on the configuration page.

    Regards,
    Roman

  12. Roma Bubyakin

    Hello @shashikanth.budidha

    We have released the Configuration page with the required parameters. Feel free to update to v1.6.0.

    If you need anything else, please get in touch with us 💛💙

    Regards,
    Roman