feat(bitbucket): add API token authentication support and deprecate A… (#8604)

* feat(bitbucket): add API token authentication support and deprecate App passwords

- Updated Bitbucket connection model to include `UsesApiToken` field for API token support.
- Modified connection handling in the Bitbucket API to use API tokens.
- Added migration script to update existing connections for backward compatibility.
- Updated UI to reflect changes in authentication method and provide guidance on API token usage.
- Updated documentation to inform users about the deprecation of App passwords.

* test(bitbucket): add unit tests for API token authentication and connection handling

- Introduced tests for Bitbucket connection API, validating API token and app password authentication methods.
- Added tests for connection sanitization to ensure sensitive data is handled correctly.
- Implemented tests for connection status code handling and deprecation warnings for app passwords.
- Enhanced coverage for connection merging logic and authentication setup.

Addresses #8520

* fix(lint): resolve multiple linting issues

The following issues were resolved:
- SA1006 in `server/api/shared/api_output.go`: Changed `fmt.Errorf` to `errors.Default.New` and removed unused `fmt` import.
- gofmt in `plugins/bitbucket/models/migrationscripts/20251001_add_api_token_auth.go`: Fixed trailing blank line.
- gofmt in `plugins/bitbucket/api/connection_api.go`: Corrected inconsistent tab spacing.
- confusing-results in `server/services/remote/plugin/plugin_impl.go`: Added named return parameters and resolved variable shadowing.
- ST1016 in `plugins/bitbucket/models/connection.go`: Standardized receiver name from `connection` to `bc`.
- S1009 in `plugins/github_graphql/tasks/issue_extractor.go`: Removed redundant nil check.
- superfluous-else in `impls/logruslog/init.go`: Refactored code to eliminate unnecessary else block.
- superfluous-else in `helpers/srvhelper/scope_service_helper.go`: Refactored code to eliminate unnecessary else block.

Fixes #8520

Author: spenpal

.gitignore

@@ -121,6 +121,7 @@ _debug_bin
 postgres-data/
 mysql-data/
 .docker/
+docker-compose.override.yml
 
 # config files
 local.js

backend/Makefile

@@ -29,7 +29,7 @@ all: build
 go-dep:
 	go install github.com/vektra/mockery/[email protected]
 	go install github.com/swaggo/swag/cmd/[email protected]
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.63.4
 
 go-dev-tools:
 	# go install github.com/atombender/go-jsonschema/cmd/gojsonschema@latest

backend/helpers/srvhelper/scope_service_helper.go

@@ -268,39 +268,39 @@ func (scopeSrv *ScopeSrvHelper[C, S, SC]) getAffectedTables() ([]string, errors.
 	if err != nil {
 		return nil, err
 	}
-	if pluginModel, ok := meta.(plugin.PluginModel); !ok {
+	pluginModel, ok := meta.(plugin.PluginModel)
+	if !ok {
 		panic(errors.Default.New(fmt.Sprintf("plugin \"%s\" does not implement listing its tables", scopeSrv.pluginName)))
-	} else {
-		// Unfortunately, can't cache the tables because Python creates some tables on a per-demand basis, so such a cache would possibly get outdated.
-		// It's a rare scenario in practice, but might as well play it safe and sacrifice some performance here
-		var allTables []string
-		if allTables, err = scopeSrv.db.AllTables(); err != nil {
-			return nil, err
-		}
-		// collect raw tables
-		for _, table := range allTables {
-			if strings.HasPrefix(table, "_raw_"+scopeSrv.pluginName) {
-				tables = append(tables, table)
-			}
+	}
+	// Unfortunately, can't cache the tables because Python creates some tables on a per-demand basis, so such a cache would possibly get outdated.
+	// It's a rare scenario in practice, but might as well play it safe and sacrifice some performance here
+	var allTables []string
+	if allTables, err = scopeSrv.db.AllTables(); err != nil {
+		return nil, err
+	}
+	// collect raw tables
+	for _, table := range allTables {
+		if strings.HasPrefix(table, "_raw_"+scopeSrv.pluginName) {
+			tables = append(tables, table)
 		}
-		// collect tool tables
-		toolModels := pluginModel.GetTablesInfo()
-		for _, toolModel := range toolModels {
-			if !isScopeModel(toolModel) && hasField(toolModel, "RawDataParams") {
-				tables = append(tables, toolModel.TableName())
-			}
+	}
+	// collect tool tables
+	toolModels := pluginModel.GetTablesInfo()
+	for _, toolModel := range toolModels {
+		if !isScopeModel(toolModel) && hasField(toolModel, "RawDataParams") {
+			tables = append(tables, toolModel.TableName())
 		}
-		// collect domain tables
-		for _, domainModel := range domaininfo.GetDomainTablesInfo() {
-			// we only care about tables with RawOrigin
-			ok = hasField(domainModel, "RawDataParams")
-			if ok {
-				tables = append(tables, domainModel.TableName())
-			}
+	}
+	// collect domain tables
+	for _, domainModel := range domaininfo.GetDomainTablesInfo() {
+		// we only care about tables with RawOrigin
+		ok = hasField(domainModel, "RawDataParams")
+		if ok {
+			tables = append(tables, domainModel.TableName())
 		}
-		// additional tables
-		tables = append(tables, models.CollectorLatestState{}.TableName())
 	}
+	// additional tables
+	tables = append(tables, models.CollectorLatestState{}.TableName())
 	scopeSrv.log.Debug("Discovered %d tables used by plugin \"%s\": %v", len(tables), scopeSrv.pluginName, tables)
 	return tables, nil
 }

backend/impls/logruslog/init.go

@@ -70,11 +70,11 @@ func init() {
 	if basePath == "" {
 		basePath = "./logs"
 	}
-	if abs, err := filepath.Abs(basePath); err != nil {
-		panic(err)
-	} else {
-		basePath = filepath.Join(abs, "devlake.log")
+	abs, absErr := filepath.Abs(basePath)
+	if absErr != nil {
+		panic(absErr)
 	}
+	basePath = filepath.Join(abs, "devlake.log")
 	var err errors.Error
 	Global, err = NewDefaultLogger(inner)
 	if err != nil {

backend/plugins/bitbucket/api/blueprint_v200.go

@@ -120,7 +120,13 @@ func makeDataSourcePipelinePlanV200(
 			if err != nil {
 				return nil, err
 			}
-			cloneUrl.User = url.UserPassword(connection.Username, connection.Password)
+			// For Bitbucket API tokens, use x-token-auth as username per Bitbucket docs
+			// https://support.atlassian.com/bitbucket-cloud/docs/using-api-tokens/
+			gitUsername := connection.Username
+			if connection.UsesApiToken {
+				gitUsername = "x-bitbucket-api-token-auth"
+			}
+			cloneUrl.User = url.UserPassword(gitUsername, connection.Password)
 			stage = append(stage, &coreModels.PipelineTask{
 				Plugin: "gitextractor",
 				Options: map[string]interface{}{

backend/plugins/bitbucket/api/connection_api.go

@@ -52,12 +52,18 @@ func testConnection(ctx context.Context, connection models.BitbucketConn) (*BitB
 	}
 
 	if res.StatusCode == http.StatusUnauthorized {
-		return nil, errors.HttpStatus(http.StatusBadRequest).New("StatusUnauthorized error when testing connection")
+		return nil, errors.HttpStatus(http.StatusBadRequest).New("StatusUnauthorized error when testing connection. Please check your credentials.")
 	}
 
 	if res.StatusCode != http.StatusOK {
 		return nil, errors.HttpStatus(res.StatusCode).New("unexpected status code when testing connection")
 	}
+
+	// Log deprecation warning if using App Password (not API token)
+	if !connection.UsesApiToken {
+		basicRes.GetLogger().Warn(nil, "Bitbucket App passwords are deprecated and will be deactivated on June 9, 2026. Please migrate to API tokens.")
+	}
+
 	connection = connection.Sanitize()
 	body := BitBucketTestConnResponse{}
 	body.Success = true