Skip to content

feat(bitbucket): add API token authentication support and deprecate A… #8604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 3, 2025
Merged

feat(bitbucket): add API token authentication support and deprecate A… #8604

merged 4 commits into from
Nov 3, 2025

Conversation

@spenpal
Copy link
Contributor

@spenpal spenpal commented Oct 6, 2025
edited
Loading

Bitbucket API Token Authentication Support

Summary

This PR adds support for Bitbucket API tokens as an authentication method for the Bitbucket plugin, in response to Atlassian's deprecation timeline for App passwords (creation discontinued September 9, 2025; all deactivated June 9, 2026).

Key Changes:

  • Backend: Added UsesApiToken boolean field to track authentication type (both use HTTP Basic Auth with username:credential format)
  • Frontend: Custom authentication component with radio selection between "API Token (Recommended)" and "App Password (Deprecated)"
  • Migration: Automatic backward compatibility for existing App password connections (usesApiToken = false by default)
  • UX: Deprecation warnings in UI and logs, dynamic username guidance (email for API tokens vs. username for App passwords)
  • Documentation: Updated onboarding guide with API token creation instructions and required scopes

Authentication Details:

  • Both methods use HTTP Basic Auth (NOT Bearer tokens)
  • API tokens require Atlassian account email as username
  • App passwords require Bitbucket username
  • Default for new connections: API Token

Testing:

  • 26 unit tests added (13 model, 11 API, 2 migration)
  • All tests passing
  • Backward compatible with existing connections

Does this close any open issues?

Closes #8520

Screenshots

Onboarding Connection Form (API Token - Default)
image

  • Shows deprecation message on the side, warning users about the June 9, 2026 deactivation date.

New Connection Form (From Config-UI)
image

Other Information

Migration Path

  • Existing users: Connections continue working with App passwords; deprecation warnings guide migration to API tokens
  • New users: Default to API tokens (recommended method)
  • Zero breaking changes: All existing connections preserved

Required API Token Scopes

  • read:account - Required to view users profiles
  • read:issue:bitbucket - View your issues
  • read:pipeline:bitbucket - View your pipelines
  • read:project:bitbucket - View your projects
  • read:pullrequest:bitbucket - View your pull requests
  • read:repository:bitbucket - View your repositories
  • read:runner:bitbucket - View your workspaces/repositories' runners
  • read:user:bitbucket - View user info (required for connection test)
  • read:workspace:bitbucket - View your workspaces
screencapture-id-atlassian-manage-profile-security-api-tokens-2025-10-06-11_13_53

spenpal added 2 commits October 6, 2025 02:41
@spenpal
feat(bitbucket): add API token authentication support and deprecate A…
4b4a6f4 
…pp passwords

- Updated Bitbucket connection model to include `UsesApiToken` field for API token support.
- Modified connection handling in the Bitbucket API to use API tokens.
- Added migration script to update existing connections for backward compatibility.
- Updated UI to reflect changes in authentication method and provide guidance on API token usage.
- Updated documentation to inform users about the deprecation of App passwords.
@spenpal
test(bitbucket): add unit tests for API token authentication and conn…
00827f0 
…ection handling

- Introduced tests for Bitbucket connection API, validating API token and app password authentication methods.
- Added tests for connection sanitization to ensure sensitive data is handled correctly.
- Implemented tests for connection status code handling and deprecation warnings for app passwords.
- Enhanced coverage for connection merging logic and authentication setup.

Addresses apache#8520
@dosubot dosubot bot added size:XXL This PR changes 1000+ lines, ignoring generated files. component/plugins This issue or PR relates to plugins needs-cherrypick-v1.0 pr-type/feature-development This PR is to develop a new feature labels Oct 6, 2025
@spenpal spenpal mentioned this pull request Oct 6, 2025
Merged
@akuna-jamie-cox
Copy link

FWIW I'm very keen to have this. Bitbucket have stopped allowing app passwords since September 9, so the bitbucket cloud integration effectively won't work for new users until the API token feature is available. Thanks for doing this!

klesh
klesh reviewed Oct 24, 2025
View reviewed changes
Copy link
Contributor

@klesh klesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!
Nice work.
Can you reolve the conflict so I can merge it? Thanks.

spenpal and others added 2 commits October 29, 2025 15:45
@spenpal
fix(lint): resolve multiple linting issues
2a62b3c 
The following issues were resolved:
- SA1006 in `server/api/shared/api_output.go`: Changed `fmt.Errorf` to `errors.Default.New` and removed unused `fmt` import.
- gofmt in `plugins/bitbucket/models/migrationscripts/20251001_add_api_token_auth.go`: Fixed trailing blank line.
- gofmt in `plugins/bitbucket/api/connection_api.go`: Corrected inconsistent tab spacing.
- confusing-results in `server/services/remote/plugin/plugin_impl.go`: Added named return parameters and resolved variable shadowing.
- ST1016 in `plugins/bitbucket/models/connection.go`: Standardized receiver name from `connection` to `bc`.
- S1009 in `plugins/github_graphql/tasks/issue_extractor.go`: Removed redundant nil check.
- superfluous-else in `impls/logruslog/init.go`: Refactored code to eliminate unnecessary else block.
- superfluous-else in `helpers/srvhelper/scope_service_helper.go`: Refactored code to eliminate unnecessary else block.

Fixes apache#8520
@spenpal
Merge branch 'main' into refactor/apache#8520-bitbucket-api-token
ea1bb8a
@spenpal
Copy link
Contributor Author

spenpal commented Oct 29, 2025

@klesh I resolved the linting issues and the merge conflict.

Should we still wait till @petkostas's PR #8599 is merged, before merging this one?

@klesh
Copy link
Contributor

klesh commented Oct 30, 2025

@klesh I resolved the linting issues and the merge conflict.

Should we still wait till @petkostas's PR #8599 is merged, before merging this one?

Does the PR depend on #8599 to work properly?

@spenpal
Copy link
Contributor Author

spenpal commented Oct 30, 2025
edited
Loading

@klesh No, it doesn't.

I figured it's a matter of responsibility. Upgrading from Go 1.22 --> 1.24 linting rules would probs require me to change my code.

So, should that responsibility fall on me, or on @petkostas?

@dosubot dosubot bot mentioned this pull request Oct 31, 2025
Open
3 tasks
@klesh
Copy link
Contributor

klesh commented Nov 3, 2025

@spenpal Aah, I see. In this case, we should merge your PR first, as we are unsure when #8599 will be ready. Regarding the linting issue, it can wait.

@klesh klesh merged commit 9ec6714 into apache:main Nov 3, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@klesh klesh klesh approved these changes

Assignees

No one assigned

Labels

component/plugins This issue or PR relates to plugins needs-cherrypick-v1.0 pr-type/feature-development This PR is to develop a new feature size:XXL This PR changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Refactor][Bitbucket] Support Bitbucket API tokens in place of App passwords

3 participants

@spenpal @akuna-jamie-cox @klesh