From 5f6a098e6bec623b347c99e4ca562741ce6b30d9 Mon Sep 17 00:00:00 2001
From: kitos <kitos@aegis.local>
Date: Tue, 26 May 2026 18:04:51 +0200
Subject: [PATCH] fix(jira): fallback connected_as to auth email, improve 401
 error detail

- jira-test: when myself() returns empty displayName/emailAddress/name,
  fall back to the configured Atlassian auth email so 'Connected as:' is
  never empty
- jira-test: 401 error message now includes which email was used, making
  misconfigured Jira email easier to diagnose
- jira-test: missing jira_url now returns HTTP 200 {status: error} instead
  of HTTP 400, consistent with Cloudflare-safe pattern

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 backend/app/routers/system.py | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/backend/app/routers/system.py b/backend/app/routers/system.py
index 35f0aba..91e5177 100644
--- a/backend/app/routers/system.py
+++ b/backend/app/routers/system.py
@@ -286,12 +286,17 @@ def test_jira_connection(
 
     Requires the admin to have a personal Jira API token configured in their
     profile settings.
+
+    Always returns HTTP 200 with a ``status`` field so Cloudflare never
+    replaces the response with its own error page.
     """
-    from app.services.jira_service import get_user_jira_client, get_jira_url
+    from app.services.jira_service import get_user_jira_client, get_jira_url, _effective_jira_email
 
     jira_url = get_jira_url(db)
     if not jira_url:
-        raise HTTPException(status_code=400, detail="Jira URL not configured.")
+        return {"status": "error", "message": "Jira URL is not configured. Set it in System Settings → Jira Configuration.", "jira_url": ""}
+
+    auth_email = _effective_jira_email(current_user)
 
     try:
         jira = get_user_jira_client(current_user, db)
@@ -301,9 +306,18 @@ def test_jira_connection(
         except Exception:
             pass
         myself = jira.myself()
+        logger.info("Jira myself() response keys: %s", list(myself.keys()) if isinstance(myself, dict) else type(myself))
+        # Use displayName → emailAddress → name → the auth email as fallback
+        connected_as = (
+            (myself.get("displayName") if isinstance(myself, dict) else None)
+            or (myself.get("emailAddress") if isinstance(myself, dict) else None)
+            or (myself.get("name") if isinstance(myself, dict) else None)
+            or auth_email
+            or "authenticated"
+        )
         return {
             "status": "ok",
-            "connected_as": myself.get("displayName") or myself.get("emailAddress", "unknown"),
+            "connected_as": connected_as,
             "jira_url": jira_url,
         }
     except Exception as exc:
@@ -317,7 +331,12 @@ def test_jira_connection(
                 "email and API token."
             )
         elif "401" in err or "Unauthorized" in err:
-            msg = "Authentication failed (401). Check your Atlassian email and API token."
+            msg = (
+                "Authentication failed (401). "
+                f"Check that the Atlassian email ({auth_email or 'not set'}) "
+                "and API token are correct. The token must be an Atlassian API token "
+                "(not your account password)."
+            )
         elif "403" in err or "Forbidden" in err:
             msg = "Access denied (403). The token may not have permission for this Jira project."
         elif "timed out" in err.lower() or "timeout" in err.lower():