fix(worker): guard against anonymous Bitbucket Server token fallback in account permission sync (#998)

* fix(worker): guard against anonymous Bitbucket Server token fallback in account permission sync

Bitbucket Server instances with anonymous access enabled silently treat
expired/invalid OAuth tokens as anonymous rather than returning a 401.
This caused account-driven permission syncing to receive an empty repo
list (200 OK) and wipe all AccountToRepoPermission records.

Added isBitbucketServerUserAuthenticated() which calls
/rest/api/1.0/profile/recent/repos — an endpoint that always requires
authentication even when anonymous access is enabled — to detect this
condition before fetching repos. Also added explicit throws for
unsupported provider/code host types instead of silently returning
empty results.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: update CHANGELOG for #998

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* nit

* feedback

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added generated OpenAPI documentation for the public search, repo, and file browsing API surface. [#996](https://github.com/sourcebot-dev/sourcebot/pull/996)
 
+### Fixed
+- [EE] Fixed account-driven permission sync silently wiping all Bitbucket Server repository permissions when the OAuth token expires on instances with anonymous access enabled. [#998](https://github.com/sourcebot-dev/sourcebot/pull/998)
+
 ## [4.15.5] - 2026-03-12
 
 ### Added

packages/backend/src/bitbucket.ts

@@ -701,11 +701,30 @@ export const getReposForAuthenticatedBitbucketCloudUser = async (
  * Returns the IDs of all repositories accessible to the authenticated Bitbucket Server user.
  * Used for account-driven permission syncing.
  *
- * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-repository/#api-rest-api-latest-repos-get
+ * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-repository/#api-api-latest-repos-get
  */
 export const getReposForAuthenticatedBitbucketServerUser = async (
     client: BitbucketClient,
 ): Promise<Array<{ id: string }>> => {
+
+    /**
+     * @note We need to explicitly check if the user is authenticated here because
+     * /rest/api/1.0/repos?permission=REPO_READ will return an empty list if the
+     * following conditions are met:
+     * 1. Anonymous access is enabled via `feature.public.access`
+     * 2. The token is expired or invalid.
+     * 
+     * This check ensures we will not hit this condition and instead fail with a
+     * explicit error.
+     *
+     * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-repository/#api-api-latest-repos-get
+     * @see https://confluence.atlassian.com/bitbucketserver/configuration-properties-776640155.html
+     */
+    const isAuthenticated = await isBitbucketServerUserAuthenticated(client);
+    if (!isAuthenticated) {
+        throw new Error(`Bitbucket Server authentication check failed. The OAuth token may be expired and the server may be treating the request as anonymous. Please re-authenticate with Bitbucket Server.`);
+    }
+
     const repos = await fetchWithRetry(() => getPaginatedServer<{ id: number }>(
         `/rest/api/1.0/repos` as ServerGetRequestPath,
         async (url, start) => {
@@ -761,4 +780,29 @@ export const getUserPermissionsForServerRepo = async (
     return repoUsers
         .filter(entry => entry.user?.id != null)
         .map(entry => ({ userId: String(entry.user.id) }));
+};
+
+/**
+ * Returns true if the Bitbucket Server client is authenticated as a real user,
+ * false if the token is expired, invalid, or the request is being treated as anonymous.
+ */
+export const isBitbucketServerUserAuthenticated = async (
+    client: BitbucketClient,
+): Promise<boolean> => {
+    try {
+        const { error, response } = await client.apiClient.GET(`/rest/api/1.0/profile/recent/repos` as ServerGetRequestPath, {});
+        if (error) {
+            if (response.status === 401 || response.status === 403) {
+                return false;
+            }
+            throw new Error(`Unexpected error when verifying Bitbucket Server authentication status: ${JSON.stringify(error)}`);
+        }
+        return true;
+    } catch (e: any) {
+        // Handle the case where openapi-fetch throws directly for auth errors
+        if (e?.status === 401 || e?.status === 403) {
+            return false;
+        }
+        throw e;
+    }
 };

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -330,6 +330,8 @@ export class AccountPermissionSyncer {
                 });
 
                 repos.forEach(repo => aggregatedRepoIds.add(repo.id));
+            } else {
+                throw new Error(`Unsupported code host type: ${account.provider}`);
             }
 
             return Array.from(aggregatedRepoIds);

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -338,9 +338,7 @@ export class RepoPermissionSyncer {
                 }
             }
 
-            return {
-                accountIds: [],
-            }
+            throw new Error(`Unsupported code host type: ${repo.external_codeHostType}`);
         })();
 
         await this.db.$transaction([