Am I correct in that you’re configuring the slash command request URL directly at JIRA, and expecting the username and password embedded in the URL to authenticate with JIRA?
I’ve tested a slash command locally and can verify that the Basic Auth credentials are correctly parsed from the URL and sent by the Mattermost server. Can you post the logs from your server when running your slash command? I’m wondering if the requirement to invoke curl with --insecure might be part of the problem.
Note that even if you get this part working, you’ll only get a JSON dump back to Mattermost from JIRA, and it won’t match the expected format as described by the documentation. I suspect you’ll want to introduce your own service for proxying JIRA queries like this before long after which the authentication issue should no longer be a problem.