nits w/ authentication

Author: brendan-kellam

packages/backend/src/bitbucket.ts

@@ -1,5 +1,5 @@
-import { createBitbucketCloudClient } from "@coderabbitai/bitbucket/cloud";
-import { createBitbucketServerClient } from "@coderabbitai/bitbucket/server";
+import { createBitbucketCloudClient as createBitbucketCloudClientBase } from "@coderabbitai/bitbucket/cloud";
+import { createBitbucketServerClient as createBitbucketServerClientBase } from "@coderabbitai/bitbucket/server";
 import { BitbucketConnectionConfig } from "@sourcebot/schemas/v3/bitbucket.type";
 import type { ClientOptions, ClientPathsWithMethod } from "openapi-fetch";
 import { createLogger } from "@sourcebot/shared";
@@ -36,10 +36,10 @@ interface BitbucketClient {
     shouldExcludeRepo: (repo: BitbucketRepository, config: BitbucketConnectionConfig) => boolean;
 }
 
-type CloudAPI = ReturnType<typeof createBitbucketCloudClient>;
+type CloudAPI = ReturnType<typeof createBitbucketCloudClientBase>;
 type CloudGetRequestPath = ClientPathsWithMethod<CloudAPI, "get">;
 
-type ServerAPI = ReturnType<typeof createBitbucketServerClient>;
+type ServerAPI = ReturnType<typeof createBitbucketServerClientBase>;
 type ServerGetRequestPath = ClientPathsWithMethod<ServerAPI, "get">;
 
 type CloudPaginatedResponse<T> = {
@@ -70,8 +70,8 @@ export const getBitbucketReposFromConfig = async (config: BitbucketConnectionCon
     }
 
     const client = config.deploymentType === 'server' ? 
-        serverClient(config.url!, config.user, token) : 
-        cloudClient(config.user, token);
+        createBitbucketServerClient(config.url!, config.user, token) : 
+        createBitbucketCloudClient(config.user, token);
 
     let allRepos: BitbucketRepository[] = [];
     let allWarnings: string[] = [];
@@ -104,11 +104,10 @@ export const getBitbucketReposFromConfig = async (config: BitbucketConnectionCon
     };
 }
 
-function cloudClient(user: string | undefined, token: string | undefined): BitbucketClient {
-
+export function createBitbucketCloudClient(user: string | undefined, token: string | undefined): BitbucketClient {
     const authorizationString = 
         token
-        ? !user || user == "x-token-auth"
+        ? (!user || user === "x-token-auth")
             ? `Bearer ${token}`
             : `Basic ${Buffer.from(`${user}:${token}`).toString('base64')}`
         : undefined;
@@ -121,7 +120,7 @@ function cloudClient(user: string | undefined, token: string | undefined): Bitbu
         },
     };
 
-    const apiClient = createBitbucketCloudClient(clientOptions);
+    const apiClient = createBitbucketCloudClientBase(clientOptions);
     var client: BitbucketClient = {
         deploymentType: BITBUCKET_CLOUD,
         token: token,
@@ -380,7 +379,7 @@ export function cloudShouldExcludeRepo(repo: BitbucketRepository, config: Bitbuc
     return false;
 }
 
-function serverClient(url: string, user: string | undefined, token: string | undefined): BitbucketClient {
+function createBitbucketServerClient(url: string, user: string | undefined, token: string | undefined): BitbucketClient {
     const authorizationString = (() => {
         // If we're not given any credentials we return an empty auth string. This will only work if the project/repos are public
         if(!user && !token) {
@@ -402,7 +401,7 @@ function serverClient(url: string, user: string | undefined, token: string | und
         },
     };
 
-    const apiClient = createBitbucketServerClient(clientOptions);
+    const apiClient = createBitbucketServerClientBase(clientOptions);
     var client: BitbucketClient = {
         deploymentType: BITBUCKET_SERVER,
         token: token,
@@ -604,22 +603,14 @@ export function serverShouldExcludeRepo(repo: BitbucketRepository, config: Bitbu
  * @see https://developer.atlassian.com/cloud/bitbucket/rest/api-group-repositories/#api-repositories-workspace-repo-slug-permissions-config-users-get
  */
 export const getExplicitUserPermissionsForCloudRepo = async (
+    client: BitbucketClient,
     workspace: string,
     repoSlug: string,
-    token: string | undefined,
 ): Promise<Array<{ accountId: string }>> => {
-    const apiClient = createBitbucketCloudClient({
-        baseUrl: BITBUCKET_CLOUD_API,
-        headers: {
-            Accept: "application/json",
-            ...(token ? { Authorization: `Bearer ${token}` } : {}),
-        },
-    });
-
     const path = `/repositories/${workspace}/${repoSlug}/permissions-config/users` as CloudGetRequestPath;
 
     const users = await getPaginatedCloud<CloudRepositoryUserPermission>(path, async (p, query) => {
-        const response = await apiClient.GET(p, {
+        const response = await client.apiClient.GET(p, {
             params: {
                 path: { workspace, repo_slug: repoSlug },
                 query,
@@ -644,20 +635,12 @@ export const getExplicitUserPermissionsForCloudRepo = async (
  * @see https://developer.atlassian.com/cloud/bitbucket/rest/api-group-repositories/#api-user-permissions-repositories-get
  */
 export const getReposForAuthenticatedBitbucketCloudUser = async (
-    accessToken: string,
+    client: BitbucketClient,
 ): Promise<Array<{ uuid: string }>> => {
-    const apiClient = createBitbucketCloudClient({
-        baseUrl: BITBUCKET_CLOUD_API,
-        headers: {
-            Accept: "application/json",
-            Authorization: `Bearer ${accessToken}`,
-        },
-    });
-
     const path = `/user/permissions/repositories` as CloudGetRequestPath;
 
     const permissions = await getPaginatedCloud<CloudRepositoryPermission>(path, async (p, query) => {
-        const response = await apiClient.GET(p, {
+        const response = await client.apiClient.GET(p, {
             params: { query },
         });
         const { data, error } = response;

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -14,7 +14,7 @@ import {
     getOAuthScopesForAuthenticatedUser as getGitLabOAuthScopesForAuthenticatedUser,
     getProjectsForAuthenticatedUser,
 } from "../gitlab.js";
-import { getReposForAuthenticatedBitbucketCloudUser } from "../bitbucket.js";
+import { createBitbucketCloudClient, getReposForAuthenticatedBitbucketCloudUser } from "../bitbucket.js";
 import { Settings } from "../types.js";
 import { setIntervalAsync } from "../utils.js";
 
@@ -273,7 +273,10 @@ export class AccountPermissionSyncer {
                     throw new Error(`User '${account.user.email}' does not have a Bitbucket Cloud OAuth access token associated with their account. Please re-authenticate with Bitbucket Cloud to refresh the token.`);
                 }
 
-                const bitbucketRepos = await getReposForAuthenticatedBitbucketCloudUser(accessToken);
+                // @note: we don't pass a user here since we want to use a bearer token
+                // for authentication.
+                const client = createBitbucketCloudClient(/* user = */ undefined, accessToken)
+                const bitbucketRepos = await getReposForAuthenticatedBitbucketCloudUser(client);
                 const bitbucketRepoUuids = bitbucketRepos.map(repo => repo.uuid);
 
                 const repos = await this.db.repo.findMany({

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -7,10 +7,11 @@ import { Redis } from 'ioredis';
 import { PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES } from "../constants.js";
 import { createOctokitFromToken, getRepoCollaborators, GITHUB_CLOUD_HOSTNAME } from "../github.js";
 import { createGitLabFromPersonalAccessToken, getProjectMembers } from "../gitlab.js";
-import { getExplicitUserPermissionsForCloudRepo } from "../bitbucket.js";
+import { createBitbucketCloudClient, getExplicitUserPermissionsForCloudRepo } from "../bitbucket.js";
 import { repoMetadataSchema } from "@sourcebot/shared";
 import { Settings } from "../types.js";
 import { getAuthCredentialsForRepo, setIntervalAsync } from "../utils.js";
+import { BitbucketConnectionConfig } from "@sourcebot/schemas/v3/index.type";
 
 type RepoPermissionSyncJob = {
     jobId: string;
@@ -238,6 +239,13 @@ export class RepoPermissionSyncer {
 
                 return accounts.map(account => account.id);
             } else if (repo.external_codeHostType === 'bitbucketCloud') {
+                const config = credentials.connectionConfig as BitbucketConnectionConfig | undefined;
+                if (!config) {
+                    throw new Error(`No connection config found for repo ${id}`);
+                }
+
+                const client = createBitbucketCloudClient(config.user, credentials.token);
+
                 const parsedMetadata = repoMetadataSchema.safeParse(repo.metadata);
                 const bitbucketCloudMetadata = parsedMetadata.success ? parsedMetadata.data.codeHostMetadata?.bitbucketCloud : undefined;
                 if (!bitbucketCloudMetadata) {
@@ -253,7 +261,7 @@ export class RepoPermissionSyncer {
                 // but there may be a delay of up to `experiment_userDrivenPermissionSyncIntervalMs` before
                 // they see the repository in Sourcebot.
                 // @see: https://developer.atlassian.com/cloud/bitbucket/rest/api-group-repositories/#api-repositories-workspace-repo-slug-permissions-config-users-get
-                const users = await getExplicitUserPermissionsForCloudRepo(workspace, repoSlug, credentials.token);
+                const users = await getExplicitUserPermissionsForCloudRepo(client, workspace, repoSlug);
                 const userAccountIds = users.map(u => u.accountId);
 
                 const accounts = await this.db.account.findMany({

packages/backend/src/types.ts

@@ -1,4 +1,5 @@
 import { Connection, Repo, RepoToConnection } from "@sourcebot/db";
+import { ConnectionConfig } from "@sourcebot/schemas/v3/connection.type";
 import { Settings as SettingsSchema } from "@sourcebot/schemas/v3/index.type";
 
 export type Settings = Required<SettingsSchema>;
@@ -19,4 +20,8 @@ export type RepoAuthCredentials = {
     token: string;
     cloneUrlWithToken?: string;
     authHeader?: string;
+    /** The connection that configured the
+     * credentials for this repo.
+     */
+    connectionConfig?: ConnectionConfig;
 }

packages/backend/src/utils.ts

@@ -145,6 +145,7 @@ export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, logge
                             password: token,
                         }
                     ),
+                    connectionConfig: config,
                 }
             }
         } else if (connection.connectionType === 'gitlab') {
@@ -161,6 +162,7 @@ export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, logge
                             password: token
                         }
                     ),
+                    connectionConfig: config,
                 }
             }
         } else if (connection.connectionType === 'gitea') {
@@ -176,6 +178,7 @@ export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, logge
                             password: token
                         }
                     ),
+                    connectionConfig: config,
                 }
             }
         } else if (connection.connectionType === 'bitbucket') {
@@ -193,6 +196,7 @@ export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, logge
                             password: token
                         }
                     ),
+                    connectionConfig: config,
                 }
             }
         } else if (connection.connectionType === 'azuredevops') {
@@ -223,6 +227,7 @@ export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, logge
                                 password: token
                             }
                         ),
+                        connectionConfig: config,
                     }
                 }
             }