Adding comments to JIRA issues using HTTParty - REST API authentication problems

I’m having trouble posting comments to JIRA issues through their REST API using HTTParty in Ruby.

When I try to add a comment to an existing issue, I keep running into authentication errors. The main problem is getting this error message:

XSRF Security Token Missing

I’ve been trying different approaches to solve this. First, I attempted using the standard REST API endpoint for comments, but that didn’t seem to work with my JIRA version. Then I tried to copy the same HTTP request that gets sent when someone adds a comment through the web interface.

I’m including what I think are the right authentication tokens (the alt_token and jsession values), but something isn’t working correctly. The issue might be with how HTTParty is sending the headers compared to what the browser sends.

Is there a way to debug and see exactly what headers HTTParty is actually sending to the server? I’m using the :headers parameter but I can’t verify if they’re being transmitted properly. Any suggestions for troubleshooting this XSRF token issue would be really helpful.

I encountered a similar XSRF token issue with JIRA’s REST API in the past. Typically, this arises when the wrong endpoint is used; for posting comments, you should utilize /rest/api/2/issue/{issueIdOrKey}/comment, instead of mimicking web requests. To debug HTTParty requests, tools like ngrok can help, or you could check server logs if available. Additionally, incorporating debug_output STDOUT in your HTTParty call will reveal the details of the request being sent. Ensure you are applying basic authentication with your JIRA credentials, as the standard API does not necessitate XSRF tokens when authenticated correctly via username/password or API tokens, which is a more consistent and reliable method than using session tokens from the browser.

The XSRF token error usually indicates you’re mixing session-based authentication with API calls, which creates conflicts. I ran into this exact problem when trying to extract session cookies from browser requests instead of using proper API authentication. Switch to using API tokens or basic authentication with your JIRA username and password - this bypasses the XSRF requirement entirely. For HTTParty debugging, add debug_output $stderr to your request options and you’ll see the raw HTTP traffic. Also make sure you’re setting the Content-Type header to application/json when posting comment data. The session-based approach you’re attempting works inconsistently because JIRA expects different security tokens depending on how the session was established.

Sounds like you're mixing browser auth with API calls, which won't work. Try using basic auth instead - just pass your JIRA username/password directly in the HTTParty request. The XSRF stuff is only needed for browser sessions, not API calls.
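To see what the answers above describe on the wire, here is an added example (not code from any poster in this thread): HTTParty's debug_output option hands its stream to Net::HTTP#set_debug_output, so the sketch uses the Ruby standard library directly to build the basic-auth comment POST and capture the trace. The loopback listener standing in for JIRA, the issue key, the credentials and the helper names are all constructed for illustration; the `{"body": ...}` payload is the shape the v2 comment endpoint accepts.

```ruby
require 'net/http'
require 'json'
require 'socket'
require 'stringio'

# Comment POST as the answers describe it: REST endpoint, basic auth, JSON body.
def build_comment_request(issue_key, user, secret, text)
  req = Net::HTTP::Post.new("/rest/api/2/issue/#{issue_key}/comment")
  req.basic_auth(user, secret)               # no browser session cookie or alt_token
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(body: text)
  req
end

# Send to a throwaway loopback listener (stands in for JIRA) and return
# [status, trace], where trace is what set_debug_output recorded.
def capture_wire(req)
  server = TCPServer.new('127.0.0.1', 0)
  responder = Thread.new do
    client = server.accept
    length = 0
    while (line = client.gets) && line != "\r\n"
      length = line.split(':', 2)[1].to_i if line =~ /\Acontent-length:/i
    end
    client.read(length)
    client.write("HTTP/1.1 201 Created\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    client.close
  end
  trace = StringIO.new
  http = Net::HTTP.new('127.0.0.1', server.addr[1], nil) # nil: ignore proxy env
  http.set_debug_output(trace)
  response = http.request(req)
  responder.join
  server.close
  [response.code, trace.string]
end

# The trace holds the Authorization header; mask it before sharing the output.
def redact(trace)
  trace.gsub(/(authorization: basic )[A-Za-z0-9+\/=]+/i, '\1[REDACTED]')
end

if __FILE__ == $PROGRAM_NAME
  req = build_comment_request('DEMO-1', 'demo.user', 'constructed-secret', 'Added via REST')
  status, trace = capture_wire(req)
  puts "status: #{status}", redact(trace)
end
```

The basic-auth value in the trace is only base64-encoded, so an unredacted debug dump pasted into a ticket or forum post discloses the password or API token.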