Error message returned when username/password are incorrect is extremely misleading

[makegofast]

Describe the bug
If you try to create an authenticated client to a Atlassian-hosted (perhaps self hosted too) Jira instance and the username and/or password is wrong you'll be given a very misleading error that "Basic auth with password is not allowed on this instance":

jirashell -s https://somecompany.atlassian.net -u valid_username -p incorrect_password
Traceback (most recent call last):
  File "/Users/foouser/Library/Python/3.6/bin/jirashell", line 11, in <module>
    sys.exit(main())
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/jirashell.py", line 255, in main
    jira = JIRA(options=options, basic_auth=basic_auth, oauth=oauth)
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 472, in __init__
    si = self.server_info()
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2133, in server_info
    j = self._get_json('serverInfo')
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2549, in _get_json
    r = self._session.get(url, params=params)
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 151, in get
    return self.__verb('GET', url, **kwargs)
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 147, in __verb
    raise_on_error(response, verb=verb, **kwargs)
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 57, in raise_on_error
    r.status_code, error, r.url, request=request, response=r, **kwargs)
jira.exceptions.JIRAError: JiraError HTTP 403 url: https://somecompany.atlassian.net/rest/api/2/serverInfo
	text: Basic auth with password is not allowed on this instance


	response headers = {'Server': 'AtlassianProxy/1.15.8.1', 'Content-Type': 'text/plain', 'Strict-Transport-Security': 'max-age=315360000; includeSubDomains; preload', 'Date': 'Wed, 26 Feb 2020 20:48:23 GMT', 'ATL-TraceId': 'XXXX', 'X-XSS-Protection': '1; mode=block', 'Transfer-Encoding': 'chunked', 'X-Content-Type-Options': 'nosniff', 'Connection': 'keep-alive'}
	response text = Basic auth with password is not allowed on this instance

I spent hours trying to figure out why it wasn't working thinking it was something to do with 2FA/OAuth/etc but it was just an incorrect password. I recall now falling into a similar problem over a year ago because the username wasn't in the correct format. Both times the wording of this error made me think the issue was that someone disabled static/basic password authentication.

To Reproduce
Create an authenticated client connection to a Jira instance using a incorrect username and/or password. I did this with Jira shell (above) but could be done with:

from jira import JIRA

jira_server='https://somecompany.atlassian.net'
username='valid_username'
password='incorrect_password'
aj = JIRA(basic_auth=(username, password), options={'server': jira_server})

1. Any additional steps or considerations that happen before or after.

Expected behavior
The error should return a more accurate/less confusing error message, perhaps "Could not authentication using basic auth." or even better "Could not authentication using basic auth. Check the username/password are correct."

Stack Trace

Traceback (most recent call last):
  File "/Users/foouser/fujira.py", line 6, in <module>
    aj = JIRA(basic_auth=(username, password), options={'server': jira_server})
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 472, in __init__
    si = self.server_info()
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2133, in server_info
    j = self._get_json('serverInfo')
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/client.py", line 2549, in _get_json
    r = self._session.get(url, params=params)
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 151, in get
    return self.__verb('GET', url, **kwargs)
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 147, in __verb
    raise_on_error(response, verb=verb, **kwargs)
  File "/Users/foouser/Library/Python/3.6/lib/python/site-packages/jira/resilientsession.py", line 57, in raise_on_error
    r.status_code, error, r.url, request=request, response=r, **kwargs)
jira.exceptions.JIRAError: JiraError HTTP 403 url: https://somecompany.atlassian.net/rest/api/2/serverInfo
	text: Basic auth with password is not allowed on this instance

Version Information
Python Interpreter: 3.6.6
jira-python: 2.0.0
OS: OSX

Additional context
None

[csullivannet]

@makegofast This error message is the text response coming from the Jira API directly. You can replicate this using the requests library:

import requests
url = 'https://mycompany.atlassian.net'
headers = { "Accept": "application/json", "Content-Type": "application/json" }
username = 'christopher.sullivan@mycompany.com'
password = 'badpassword'
r = requests.get(url, headers=headers, auth=(username,password))
print(r.text)

which prints:
Basic auth with password is not allowed on this instance

[csullivannet]

@makegofast The message is perfectly accurate as well. As of June 3rd, 2019, use of basic auth with password is indeed not allowed, you must use a token if you wish to continue using basic auth.

This applies to all Atlassian cloud instances, which is the case in your error above (you were connecting to mycompany.atlassian.net, which is a cloud instance).

[egeland]

Could the returned error be enhanced, maybe with "You must use a token with Basic Auth." ?

[XanaDublaKublaConch]

With self-hosted, Jira returns a 401, which this lib considers a recoverable error, so it tries the bad credentials 3 times before failing. In an LDAP->AD scenario, this means a user gets locked out after a single attempt if the AD lockout settings are <= 3 attempts.

I'd be thrilled with a misleading message if I could catch the exception.