feat(backend): add Bitbucket Server permission syncing

Adds account-driven and repo-driven permission sync support for
Bitbucket Server (Data Center), mirroring the existing GitHub,
GitLab, and Bitbucket Cloud implementations.

- Extend BitbucketServerIdentityProviderConfig to support
  purpose: "account_linking" and accountLinkingRequired field
- Request REPO_READ OAuth scope when permission syncing is enabled
- Add bitbucket-server token refresh support via /rest/oauth2/latest/token
- Add bitbucketServer/bitbucket-server to permission sync constants
- Add getReposForAuthenticatedBitbucketServerUser and
  getUserPermissionsForServerRepo to bitbucket.ts
- Add bitbucket-server branch to accountPermissionSyncer
- Add bitbucketServer branch to repoPermissionSyncer
- Update docs to reflect new account_linking purpose support

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

docs/docs/configuration/idp.mdx

@@ -220,7 +220,8 @@ in the Bitbucket Cloud identity provider config.
 
 ### Bitbucket Server
 
-A Bitbucket Server (Data Center) connection can be used for [authentication](/docs/configuration/auth).
+A Bitbucket Server (Data Center) connection can be used for [authentication](/docs/configuration/auth) and/or [permission syncing](/docs/features/permission-syncing). This is controlled using the `purpose` field
+in the Bitbucket Server identity provider config.
 
 <Accordion title="instructions">
 <Steps>
@@ -231,6 +232,7 @@ A Bitbucket Server (Data Center) connection can be used for [authentication](/do
 
         When configuring your application:
         - Set the redirect URL to `<sourcebot_url>/api/auth/callback/bitbucket-server` (ex. https://sourcebot.coolcorp.com/api/auth/callback/bitbucket-server)
+        - If using for permission syncing, ensure the OAuth application requests the `REPO_READ` scope
 
         The result of creating the application is a `CLIENT_ID` and `CLIENT_SECRET` which you'll provide to Sourcebot.
     </Step>
@@ -247,7 +249,10 @@ A Bitbucket Server (Data Center) connection can be used for [authentication](/do
             "identityProviders": [
                 {
                     "provider": "bitbucket-server",
-                    "purpose": "sso",
+                    // "sso" for auth + perm sync, "account_linking" for only perm sync
+                    "purpose": "account_linking",
+                    // if purpose == "account_linking" this controls if a user must connect to the IdP
+                    "accountLinkingRequired": true,
                     "baseUrl": "https://bitbucket.example.com",
                     "clientId": {
                         "env": "YOUR_CLIENT_ID_ENV_VAR"

docs/snippets/schemas/v3/identityProvider.schema.mdx

@@ -850,7 +850,10 @@
           "const": "bitbucket-server"
         },
         "purpose": {
-          "const": "sso"
+          "enum": [
+            "sso",
+            "account_linking"
+          ]
         },
         "clientId": {
           "anyOf": [
@@ -919,6 +922,10 @@
             "https://bitbucket.example.com"
           ],
           "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+        },
+        "accountLinkingRequired": {
+          "type": "boolean",
+          "default": false
         }
       },
       "required": [
@@ -1777,7 +1784,10 @@
           "const": "bitbucket-server"
         },
         "purpose": {
-          "const": "sso"
+          "enum": [
+            "sso",
+            "account_linking"
+          ]
         },
         "clientId": {
           "anyOf": [
@@ -1846,6 +1856,10 @@
             "https://bitbucket.example.com"
           ],
           "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+        },
+        "accountLinkingRequired": {
+          "type": "boolean",
+          "default": false
         }
       },
       "required": [

docs/snippets/schemas/v3/index.schema.mdx

@@ -5390,7 +5390,10 @@
                 "const": "bitbucket-server"
               },
               "purpose": {
-                "const": "sso"
+                "enum": [
+                  "sso",
+                  "account_linking"
+                ]
               },
               "clientId": {
                 "anyOf": [
@@ -5459,6 +5462,10 @@
                   "https://bitbucket.example.com"
                 ],
                 "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+              },
+              "accountLinkingRequired": {
+                "type": "boolean",
+                "default": false
               }
             },
             "required": [
@@ -6317,7 +6324,10 @@
                 "const": "bitbucket-server"
               },
               "purpose": {
-                "const": "sso"
+                "enum": [
+                  "sso",
+                  "account_linking"
+                ]
               },
               "clientId": {
                 "anyOf": [
@@ -6386,6 +6396,10 @@
                   "https://bitbucket.example.com"
                 ],
                 "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+              },
+              "accountLinkingRequired": {
+                "type": "boolean",
+                "default": false
               }
             },
             "required": [

packages/backend/src/bitbucket.ts

@@ -379,7 +379,7 @@ export function cloudShouldExcludeRepo(repo: BitbucketRepository, config: Bitbuc
     return false;
 }
 
-function createBitbucketServerClient(url: string, user: string | undefined, token: string | undefined): BitbucketClient {
+export function createBitbucketServerClient(url: string, user: string | undefined, token: string | undefined): BitbucketClient {
     const authorizationString = (() => {
         // If we're not given any credentials we return an empty auth string. This will only work if the project/repos are public
         if(!user && !token) {
@@ -653,4 +653,97 @@ export const getReposForAuthenticatedBitbucketCloudUser = async (
     return permissions
         .filter(p => p.repository?.uuid != null)
         .map(p => ({ uuid: p.repository!.uuid as string }));
+};
+
+/**
+ * Returns the IDs of all repositories accessible to the authenticated Bitbucket Server user.
+ * Used for account-driven permission syncing.
+ *
+ * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-repository/#api-rest-api-latest-repos-get
+ */
+export const getReposForAuthenticatedBitbucketServerUser = async (
+    client: BitbucketClient,
+): Promise<Array<{ id: string }>> => {
+    const repos = await getPaginatedServer<{ id: number }>(
+        `/rest/api/1.0/repos` as ServerGetRequestPath,
+        async (url, start) => {
+            const response = await client.apiClient.GET(url, {
+                params: {
+                    query: {
+                        permission: 'REPO_READ',
+                        limit: 100,
+                        start,
+                    },
+                },
+            });
+            const { data, error } = response;
+            if (error) {
+                throw new Error(`Failed to fetch Bitbucket Server repos for authenticated user: ${JSON.stringify(error)}`);
+            }
+            return data;
+        }
+    );
+
+    return repos.map(r => ({ id: String(r.id) }));
+};
+
+/**
+ * Returns the user IDs of users who have been explicitly granted permission on a Bitbucket Server repository
+ * at the repo level (direct grants) or project level (inherited by all repos in the project).
+ *
+ * @note This does NOT include users who have access via groups. As a result, permission syncing
+ * may under-grant access for instances that rely heavily on group-level permissions. Those users
+ * will still gain access through account-driven syncing (accountPermissionSyncer).
+ *
+ * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-repository/#api-rest-api-latest-projects-projectkey-repos-reposlug-permissions-users-get
+ * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-project/#api-rest-api-latest-projects-projectkey-permissions-users-get
+ */
+export const getUserPermissionsForServerRepo = async (
+    client: BitbucketClient,
+    projectKey: string,
+    repoSlug: string,
+): Promise<Array<{ userId: string }>> => {
+    const userIdSet = new Set<string>();
+
+    // Fetch repo-level permissions
+    const repoUsers = await getPaginatedServer<{ user: { id: number } }>(
+        `/rest/api/1.0/projects/${projectKey}/repos/${repoSlug}/permissions/users` as ServerGetRequestPath,
+        async (url, start) => {
+            const response = await client.apiClient.GET(url, {
+                params: { query: { limit: 100, start } },
+            });
+            const { data, error } = response;
+            if (error) {
+                throw new Error(`Failed to fetch repo-level permissions for ${projectKey}/${repoSlug}: ${JSON.stringify(error)}`);
+            }
+            return data;
+        }
+    );
+    for (const entry of repoUsers) {
+        if (entry.user?.id != null) {
+            userIdSet.add(String(entry.user.id));
+        }
+    }
+
+    // Fetch project-level permissions (inherited by all repos in the project)
+    const projectUsers = await getPaginatedServer<{ user: { id: number } }>(
+        `/rest/api/1.0/projects/${projectKey}/permissions/users` as ServerGetRequestPath,
+        async (url, start) => {
+            const response = await client.apiClient.GET(url, {
+                params: { query: { limit: 100, start } },
+            });
+            const { data, error } = response;
+            if (error) {
+                throw new Error(`Failed to fetch project-level permissions for ${projectKey}: ${JSON.stringify(error)}`);
+            }
+            return data;
+        }
+    );
+    for (const entry of projectUsers) {
+        if (entry.user?.id != null) {
+            userIdSet.add(String(entry.user.id));
+        }
+    }
+
+    return Array.from(userIdSet).map(userId => ({ userId }));
 };

packages/backend/src/constants.ts

@@ -8,12 +8,14 @@ export const PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES: CodeHostType[] = [
     'github',
     'gitlab',
     'bitbucketCloud',
+    'bitbucketServer',
 ];
 
 export const PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS: IdentityProviderType[] = [
     'github',
     'gitlab',
     'bitbucket-cloud',
+    'bitbucket-server',
 ];
 
 export const REPOS_CACHE_DIR = path.join(env.DATA_CACHE_DIR, 'repos');

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -14,7 +14,7 @@ import {
     getOAuthScopesForAuthenticatedUser as getGitLabOAuthScopesForAuthenticatedUser,
     getProjectsForAuthenticatedUser,
 } from "../gitlab.js";
-import { createBitbucketCloudClient, getReposForAuthenticatedBitbucketCloudUser } from "../bitbucket.js";
+import { createBitbucketCloudClient, createBitbucketServerClient, getReposForAuthenticatedBitbucketCloudUser, getReposForAuthenticatedBitbucketServerUser } from "../bitbucket.js";
 import { Settings } from "../types.js";
 import { setIntervalAsync } from "../utils.js";
 
@@ -288,6 +288,32 @@ export class AccountPermissionSyncer {
                     }
                 });
 
+                repos.forEach(repo => aggregatedRepoIds.add(repo.id));
+            } else if (account.provider === 'bitbucket-server') {
+                if (!accessToken) {
+                    throw new Error(`User '${account.user.email}' does not have a Bitbucket Server OAuth access token associated with their account. Please re-authenticate with Bitbucket Server to refresh the token.`);
+                }
+
+                // @hack: we don't have a way of identifying specific identity providers in the config file.
+                // Instead, we'll use the first Bitbucket Server connection's URL as the base URL.
+                const baseUrl = Array.from(Object.values(config.connections ?? {}))
+                    .find(connection => connection.type === 'bitbucket' && connection.deploymentType === 'server')?.url;
+
+                if (!baseUrl) {
+                    throw new Error(`No Bitbucket Server connection URL found in config for account ${account.id}`);
+                }
+
+                const client = createBitbucketServerClient(baseUrl, /* user = */ undefined, accessToken);
+                const serverRepos = await getReposForAuthenticatedBitbucketServerUser(client);
+                const serverRepoIds = serverRepos.map(r => r.id);
+
+                const repos = await this.db.repo.findMany({
+                    where: {
+                        external_codeHostType: 'bitbucketServer',
+                        external_id: { in: serverRepoIds },
+                    }
+                });
+
                 repos.forEach(repo => aggregatedRepoIds.add(repo.id));
             }
 

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -7,7 +7,7 @@ import { Redis } from 'ioredis';
 import { PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES } from "../constants.js";
 import { createOctokitFromToken, getRepoCollaborators, GITHUB_CLOUD_HOSTNAME } from "../github.js";
 import { createGitLabFromPersonalAccessToken, getProjectMembers } from "../gitlab.js";
-import { createBitbucketCloudClient, getExplicitUserPermissionsForCloudRepo } from "../bitbucket.js";
+import { createBitbucketCloudClient, createBitbucketServerClient, getExplicitUserPermissionsForCloudRepo, getUserPermissionsForServerRepo } from "../bitbucket.js";
 import { repoMetadataSchema } from "@sourcebot/shared";
 import { Settings } from "../types.js";
 import { getAuthCredentialsForRepo, setIntervalAsync } from "../utils.js";
@@ -292,6 +292,36 @@ export class RepoPermissionSyncer {
                     // this is a partial sync.
                     isPartialSync: true,
                 }
+            } else if (repo.external_codeHostType === 'bitbucketServer') {
+                if (!repo.displayName) {
+                    throw new Error(`Repo ${id} does not have a displayName`);
+                }
+
+                const [projectKey, repoSlug] = repo.displayName.split('/');
+                const hostUrl = credentials.hostUrl;
+
+                if (!hostUrl) {
+                    throw new Error(`No host URL found for Bitbucket Server repo ${id}`);
+                }
+
+                // @note: This covers users with direct repo-level and project-level permissions.
+                // Users with access only via groups are NOT captured here. Those users will
+                // still gain access through account-driven syncing (accountPermissionSyncer).
+                const client = createBitbucketServerClient(hostUrl, /* user = */ undefined, credentials.token);
+                const users = await getUserPermissionsForServerRepo(client, projectKey, repoSlug);
+                const userIds = users.map(u => u.userId);
+
+                const accounts = await this.db.account.findMany({
+                    where: {
+                        provider: 'bitbucket-server',
+                        providerAccountId: { in: userIds },
+                    }
+                });
+
+                return {
+                    accountIds: accounts.map(account => account.id),
+                    isPartialSync: true,
+                }
             }
 
             return {

packages/schemas/src/v3/identityProvider.schema.ts

@@ -849,7 +849,10 @@ const schema = {
           "const": "bitbucket-server"
         },
         "purpose": {
-          "const": "sso"
+          "enum": [
+            "sso",
+            "account_linking"
+          ]
         },
         "clientId": {
           "anyOf": [
@@ -918,6 +921,10 @@ const schema = {
             "https://bitbucket.example.com"
           ],
           "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+        },
+        "accountLinkingRequired": {
+          "type": "boolean",
+          "default": false
         }
       },
       "required": [
@@ -1776,7 +1783,10 @@ const schema = {
           "const": "bitbucket-server"
         },
         "purpose": {
-          "const": "sso"
+          "enum": [
+            "sso",
+            "account_linking"
+          ]
         },
         "clientId": {
           "anyOf": [
@@ -1845,6 +1855,10 @@ const schema = {
             "https://bitbucket.example.com"
           ],
           "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+        },
+        "accountLinkingRequired": {
+          "type": "boolean",
+          "default": false
         }
       },
       "required": [

packages/schemas/src/v3/identityProvider.type.ts

@@ -334,7 +334,7 @@ export interface BitbucketCloudIdentityProviderConfig {
 }
 export interface BitbucketServerIdentityProviderConfig {
   provider: "bitbucket-server";
-  purpose: "sso";
+  purpose: "sso" | "account_linking";
   clientId:
     | {
         /**
@@ -365,4 +365,5 @@ export interface BitbucketServerIdentityProviderConfig {
    * The URL of the Bitbucket Server/Data Center host.
    */
   baseUrl: string;
+  accountLinkingRequired?: boolean;
 }