From c79f478362cc8046d237d9dfcc6e10fa6c0cbb93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Tron=C3=AD=C4=8Dek?=
Date: Fri, 13 Sep 2024 09:16:59 +0200
Subject: [PATCH] Reduce required Bitbucket scopes (#20195)

---
 .../typescript-common/src/auth-providers.ts | 5 +----
 .../bitbucket-server-auth-provider.ts | 4 ++--
 .../bitbucket-server-oauth-scopes.ts | 2 +-
 .../server/src/bitbucket/bitbucket-oauth-scopes.ts | 13 ++-----------
 components/server/src/user/token-service.ts | 2 +-
 5 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/components/public-api/typescript-common/src/auth-providers.ts b/components/public-api/typescript-common/src/auth-providers.ts
index ce2baa69f649c0..61d05d348dd7c0 100644
--- a/components/public-api/typescript-common/src/auth-providers.ts
+++ b/components/public-api/typescript-common/src/auth-providers.ts
@@ -37,7 +37,7 @@ export namespace GitHubScope {
 
 export namespace BitbucketOAuthScopes {
 // https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
- /** Read user info like name, e-mail adresses etc. */
+ /** Read user info like name, e-mail addresses etc. */
 export const ACCOUNT_READ = "account";
 /** Access repo info, clone repo over https, read and write issues */
 export const REPOSITORY_READ = "repository";
@@ -47,8 +47,6 @@ export namespace BitbucketOAuthScopes {
 export const PULL_REQUEST_READ = "pullrequest";
 /** Create, comment and merge pull requests */
 export const PULL_REQUEST_WRITE = "pullrequest:write";
- /** Create, list web hooks */
- export const WEBHOOK = "webhook";
 
 export const ALL = [
 ACCOUNT_READ,
@@ -56,7 +54,6 @@ export namespace BitbucketOAuthScopes {
 REPOSITORY_WRITE,
 PULL_REQUEST_READ,
 PULL_REQUEST_WRITE,
- WEBHOOK,
 ];
 
 export const DEFAULT = ALL;
diff --git a/components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts b/components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts
index 7817cbefd02a96..c5cc61f60710ed 100644
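Review bot: Dropping `WEBHOOK` from `BitbucketOAuthScopes` in this public-api module removes an exported constant, so any consumer still referencing `BitbucketOAuthScopes.WEBHOOK` stops compiling; if that is intended, say so in the commit message, otherwise keep the constant and only take it out of `ALL`. Shrinking `ALL`/`DEFAULT` only affects authorizations granted from now on: tokens already issued with the `webhook` scope keep that grant until the user revokes or re-authorizes, so the reduction is not retroactive and the re-consent or revocation step should be documented (the same holds for the server-side copies changed in bitbucket-oauth-scopes.ts and bitbucket-server-oauth-scopes.ts). The scope list is now duplicated verbatim between this module and components/server/src/bitbucket/bitbucket-oauth-scopes.ts; if the server package can depend on this module, re-exporting from here would keep the two from drifting. I would also add `/** Every scope Gitpod requests from Bitbucket Cloud; "webhook" was deliberately dropped (#20195). */` above `ALL` so the omission is not "fixed" later.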
--- a/components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts
+++ b/components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts
@@ -63,7 +63,7 @@ export class BitbucketServerAuthProvider extends GenericAuthProvider {
 try {
 const username = await this.api.currentUsername(accessToken);
 const userProfile = await this.api.getUserProfile(accessToken, username);
- const avatarUrl = await this.api.getAvatarUrl(username);
+ const avatarUrl = this.api.getAvatarUrl(username);
 return {
 authUser: {
 // e.g. 105
@@ -74,7 +74,7 @@ export class BitbucketServerAuthProvider extends GenericAuthProvider {
 name: userProfile.displayName!,
 avatarUrl,
 },
- currentScopes: BitbucketServerOAuthScopes.ALL,
+ currentScopes: BitbucketServerOAuthScopes.Requirements.DEFAULT,
 };
 } catch (error) {
 log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });
diff --git a/components/server/src/bitbucket-server/bitbucket-server-oauth-scopes.ts b/components/server/src/bitbucket-server/bitbucket-server-oauth-scopes.ts
index a4f4c13b6639d7..529f25d56289ca 100644
--- a/components/server/src/bitbucket-server/bitbucket-server-oauth-scopes.ts
+++ b/components/server/src/bitbucket-server/bitbucket-server-oauth-scopes.ts
@@ -23,6 +23,6 @@ export namespace BitbucketServerOAuthScopes {
 /**
 * Minimal required permission.
 */
- DEFAULT: ALL,
+ DEFAULT: [PUBLIC_REPOS, REPO_READ, REPO_WRITE],
 };
 }
diff --git a/components/server/src/bitbucket/bitbucket-oauth-scopes.ts b/components/server/src/bitbucket/bitbucket-oauth-scopes.ts
index 6ad908c44a0def..b8795f2f120b44 100644
--- a/components/server/src/bitbucket/bitbucket-oauth-scopes.ts
+++ b/components/server/src/bitbucket/bitbucket-oauth-scopes.ts
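Review bot: The `await` removed from `this.api.getAvatarUrl(username)` is only correct if that method is synchronous; if it still returns a Promise, `avatarUrl` inside the returned `authUser` becomes a pending Promise rather than a string, and nothing in this hunk shows the method's signature. Please confirm the signature, or pin the result type so a later Promise-returning change is caught at compile time: `const avatarUrl: string = this.api.getAvatarUrl(username);`. The enclosing method starts and ends outside the hunk.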
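Review bot: `currentScopes: BitbucketServerOAuthScopes.Requirements.DEFAULT` reports a hard-coded constant as the token's current scopes, exactly as `ALL` did before, rather than anything read back from the token or the server; any downstream check that compares `currentScopes` with `Requirements.DEFAULT` to decide whether re-authorization is needed will therefore always pass, including for tokens that were actually issued with a different set. That deserves a comment so the next reader does not mistake it for observed state, e.g. `// Not read from the token: granted scopes are assumed to equal the set we request (Requirements.DEFAULT).`. Tokens authorized before this change were reported as `ALL` and will now be reported as `DEFAULT`, which is fine for display but should not feed authorization decisions.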
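Review bot: `DEFAULT: [PUBLIC_REPOS, REPO_READ, REPO_WRITE]` sits under a doc comment that says only "Minimal required permission." and does not explain why write access is part of the minimum or which members of `ALL` were deliberately left out, so a maintainer trying to tighten this further has nothing to go on. I would extend the comment to `* Minimal required permission: REPO_WRITE is needed so workspaces can push; the administrative scopes in ALL are intentionally excluded.`, adjusting the justification if pushing is not the actual reason. `ALL` is defined outside this hunk, so whether it still contains anything beyond these three is not visible here.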
@@ -7,7 +7,7 @@
 
 // https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
 export namespace BitbucketOAuthScopes {
- /** Read user info like name, e-mail adresses etc. */
+ /** Read user info like name, e-mail addresses etc. */
 export const ACCOUNT_READ = "account";
 /** Access repo info, clone repo over https, read and write issues */
 export const REPOSITORY_READ = "repository";
@@ -17,17 +17,8 @@ export namespace BitbucketOAuthScopes {
 export const PULL_REQUEST_READ = "pullrequest";
 /** Create, comment and merge pull requests */
 export const PULL_REQUEST_WRITE = "pullrequest:write";
- /** Create, list web hooks */
- export const WEBHOOK = "webhook";
 
- export const ALL = [
- ACCOUNT_READ,
- REPOSITORY_READ,
- REPOSITORY_WRITE,
- PULL_REQUEST_READ,
- PULL_REQUEST_WRITE,
- WEBHOOK,
- ];
+ export const ALL = [ACCOUNT_READ, REPOSITORY_READ, REPOSITORY_WRITE, PULL_REQUEST_READ, PULL_REQUEST_WRITE];
 
 export const Requirements = {
 /**
diff --git a/components/server/src/user/token-service.ts b/components/server/src/user/token-service.ts
index 1ba7459c47dd44..dcaee31e9b88f8 100644
--- a/components/server/src/user/token-service.ts
+++ b/components/server/src/user/token-service.ts
@@ -95,7 +95,7 @@ export class TokenService implements TokenProvider {
 const doOpportunisticRefresh = !!authProvider.requiresOpportunisticRefresh && authProvider.requiresOpportunisticRefresh();
 if (!doOpportunisticRefresh) {
- // No opportunistic refresh? Update reserveation and we are done.
+ // No opportunistic refresh? Update reservation and we are done.
 await updateReservation(tokenEntry.uid, token, requestedLifetimeDate);
 reportScmTokenRefreshRequest(host, opportunisticRefresh, "still_valid");
 return token;
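Review bot: After this hunk `ALL` no longer holds every Bitbucket Cloud scope the file knew about — `webhook` is gone — yet the name still suggests completeness, and `Requirements`, which begins on the hunk's last lines and continues outside it, presumably builds its sets from these constants. A one-line doc comment above `ALL` would stop someone from "restoring" the missing scope: `/** Every scope Gitpod requests from Bitbucket Cloud; "webhook" is deliberately not requested (#20195). */`. This list also duplicates the one in components/public-api/typescript-common/src/auth-providers.ts changed in the same commit; if the server package can depend on that module, importing it here would keep the two in lockstep.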