feat(backend): add Bitbucket Server (Data Center) permission syncing

CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `wa_user_created` PostHog event fired on successful user sign-up. [#933](https://github.com/sourcebot-dev/sourcebot/pull/933)
 - Added `wa_askgh_login_wall_prompted` PostHog event fired when an unauthenticated user attempts to ask a question on Ask GitHub. [#933](https://github.com/sourcebot-dev/sourcebot/pull/933)
 - Added Bitbucket Server (Data Center) OAuth 2.0 SSO identity provider support (`provider: "bitbucket-server"`). [#934](https://github.com/sourcebot-dev/sourcebot/pull/934)
+- Added permission syncing support for Bitbucket Server (Data Center), including account-driven and repo-driven sync. [#938](https://github.com/sourcebot-dev/sourcebot/pull/938)
 
 ### Changed
 - Hide version upgrade toast for askgithub deployment (`EXPERIMENT_ASK_GH_ENABLED`). [#931](https://github.com/sourcebot-dev/sourcebot/pull/931)

docs/docs/configuration/idp.mdx

@@ -220,7 +220,8 @@ in the Bitbucket Cloud identity provider config.
 
 ### Bitbucket Server
 
-A Bitbucket Server (Data Center) connection can be used for [authentication](/docs/configuration/auth).
+A Bitbucket Server (Data Center) connection can be used for [authentication](/docs/configuration/auth) and/or [permission syncing](/docs/features/permission-syncing). This is controlled using the `purpose` field
+in the Bitbucket Server identity provider config.
 
 <Accordion title="instructions">
 <Steps>
@@ -231,6 +232,7 @@ A Bitbucket Server (Data Center) connection can be used for [authentication](/do
 
         When configuring your application:
         - Set the redirect URL to `<sourcebot_url>/api/auth/callback/bitbucket-server` (ex. https://sourcebot.coolcorp.com/api/auth/callback/bitbucket-server)
+        - If using for permission syncing, ensure the OAuth application requests the `REPO_READ` scope
 
         The result of creating the application is a `CLIENT_ID` and `CLIENT_SECRET` which you'll provide to Sourcebot.
     </Step>
@@ -247,7 +249,10 @@ A Bitbucket Server (Data Center) connection can be used for [authentication](/do
             "identityProviders": [
                 {
                     "provider": "bitbucket-server",
-                    "purpose": "sso",
+                    // "sso" for auth + perm sync, "account_linking" for only perm sync
+                    "purpose": "account_linking",
+                    // if purpose == "account_linking" this controls if a user must connect to the IdP
+                    "accountLinkingRequired": true,
                     "baseUrl": "https://bitbucket.example.com",
                     "clientId": {
                         "env": "YOUR_CLIENT_ID_ENV_VAR"

docs/docs/connections/bitbucket-data-center.mdx

@@ -68,35 +68,71 @@ If you're not familiar with Sourcebot [connections](/docs/connections/overview),
 
 ## Authenticating with Bitbucket Data Center
 
-In order to index private repositories, you'll need to provide an access token to Sourcebot via a [token](/docs/configuration/config-file#tokens).
-
-Create an access token for the desired scope (repo, project, or workspace). Visit the official [Bitbucket Data Center docs](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html)
-for more info.
-
-1. Add the `token` property to your connection config:
-
-```json
-{
-    "type": "bitbucket",
-    "deploymentType": "server",
-    "url": "https://mybitbucketdeployment.com",
-    "token": {
-        // note: this env var can be named anything. It
-        // doesn't need to be `BITBUCKET_TOKEN`.
-        "env": "BITBUCKET_TOKEN"
-    }
-    // .. rest of config ..
-}
-```
-
-2. Pass this environment variable each time you run Sourcebot:
-
-```bash
-docker run \
-    -e BITBUCKET_TOKEN=<ACCESS_TOKEN> \
-    /* additional args */ \
-    ghcr.io/sourcebot-dev/sourcebot:latest
-```
+In order to index private repositories, you'll need to provide a [HTTP Access Token](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html). Tokens can be scoped to a user account, a project, or an individual repository.
+
+<Tabs>
+    <Tab title="User account token">
+        User account tokens grant access to all repositories the user can access. Because these are tied to a specific user account, you must also set the `user` field to that user's username.
+
+        1. In Bitbucket Data Center, navigate to your profile → **Manage account** → **HTTP access tokens** and click **Create token**. Give it a name and grant it **Project read** and **Repository read** permissions.
+
+        2. Add the `user` (your Bitbucket username) and `token` properties to your connection config:
+
+        ```json
+        {
+            "type": "bitbucket",
+            "deploymentType": "server",
+            "url": "https://mybitbucketdeployment.com",
+            "user": "myusername",
+            "token": {
+                // note: this env var can be named anything. It
+                // doesn't need to be `BITBUCKET_TOKEN`.
+                "env": "BITBUCKET_TOKEN"
+            }
+            // .. rest of config ..
+        }
+        ```
+
+        3. Pass this environment variable each time you run Sourcebot:
+
+        ```bash
+        docker run \
+            -e BITBUCKET_TOKEN=<ACCESS_TOKEN> \
+            /* additional args */ \
+            ghcr.io/sourcebot-dev/sourcebot:latest
+        ```
+    </Tab>
+    <Tab title="Project / repository token">
+        Project and repository tokens are scoped to a specific project or repository.
+
+        1. In Bitbucket Data Center, navigate to the project or repository → **Settings** → **HTTP access tokens** and click **Create token**. Give it a name and grant it **Repository read** and **Project read** permissions.
+
+        2. Add the `token` property to your connection config:
+
+        ```json
+        {
+            "type": "bitbucket",
+            "deploymentType": "server",
+            "url": "https://mybitbucketdeployment.com",
+            "token": {
+                // note: this env var can be named anything. It
+                // doesn't need to be `BITBUCKET_TOKEN`.
+                "env": "BITBUCKET_TOKEN"
+            }
+            // .. rest of config ..
+        }
+        ```
+
+        3. Pass this environment variable each time you run Sourcebot:
+
+        ```bash
+        docker run \
+            -e BITBUCKET_TOKEN=<ACCESS_TOKEN> \
+            /* additional args */ \
+            ghcr.io/sourcebot-dev/sourcebot:latest
+        ```
+    </Tab>
+</Tabs>
 
 ## Troubleshooting
 If you're seeing errors like `TypeError: fetch failed` when fetching repo info, it may be that Sourcebot is refusing to connect to your self-hosted Bitbucket instance due to unrecognized SSL certs. Try setting the `NODE_TLS_REJECT_UNAUTHORIZED=0` environment variable or providing Sourcebot your certs through the `NODE_EXTRA_CA_CERTS` environment variable.

docs/snippets/schemas/v3/identityProvider.schema.mdx

@@ -850,7 +850,10 @@
           "const": "bitbucket-server"
         },
         "purpose": {
-          "const": "sso"
+          "enum": [
+            "sso",
+            "account_linking"
+          ]
         },
         "clientId": {
           "anyOf": [
@@ -919,6 +922,10 @@
             "https://bitbucket.example.com"
           ],
           "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+        },
+        "accountLinkingRequired": {
+          "type": "boolean",
+          "default": false
         }
       },
       "required": [
@@ -1777,7 +1784,10 @@
           "const": "bitbucket-server"
         },
         "purpose": {
-          "const": "sso"
+          "enum": [
+            "sso",
+            "account_linking"
+          ]
         },
         "clientId": {
           "anyOf": [
@@ -1846,6 +1856,10 @@
             "https://bitbucket.example.com"
           ],
           "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+        },
+        "accountLinkingRequired": {
+          "type": "boolean",
+          "default": false
         }
       },
       "required": [

docs/snippets/schemas/v3/index.schema.mdx

@@ -5390,7 +5390,10 @@
                 "const": "bitbucket-server"
               },
               "purpose": {
-                "const": "sso"
+                "enum": [
+                  "sso",
+                  "account_linking"
+                ]
               },
               "clientId": {
                 "anyOf": [
@@ -5459,6 +5462,10 @@
                   "https://bitbucket.example.com"
                 ],
                 "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+              },
+              "accountLinkingRequired": {
+                "type": "boolean",
+                "default": false
               }
             },
             "required": [
@@ -6317,7 +6324,10 @@
                 "const": "bitbucket-server"
               },
               "purpose": {
-                "const": "sso"
+                "enum": [
+                  "sso",
+                  "account_linking"
+                ]
               },
               "clientId": {
                 "anyOf": [
@@ -6386,6 +6396,10 @@
                   "https://bitbucket.example.com"
                 ],
                 "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
+              },
+              "accountLinkingRequired": {
+                "type": "boolean",
+                "default": false
               }
             },
             "required": [