As a Bitbucket Server admin I was surprised at the limited options for securing HTTPS. We want to have HTTPS on an internet-facing domain and both HTTPS and SSH on an internal domain. For browser traffic we use SAML authentication (requiring a plugin) to secure users over the net using multi-factor auth. The expectation was that we could restrict HTTPS CLI users to requiring a Personal Access Token, ergo enforcing that a user must use a secure browser session to obtain the PAT before getting a shot at the CLI.
However, it seems basic auth still works on HTTPS (no token required). Surely this is a security flaw. We are left with only switching off the CLI over HTTPS... or is there a way to run the HTTPS for CLI on a different port to the browser traffic? Either way, I'm not really liking the lack of settings in this space. Of course this comes about because the git CLI can't support SAML tokens.
Does anyone have any insight into this issue?
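The host/port split the question asks about can be done in front of Bitbucket Server with a reverse proxy rather than in Bitbucket itself. The configuration below is an added example, not from the original post or from Atlassian; it assumes nginx in front of Bitbucket Server bound to 127.0.0.1:7990, that git smart-HTTP clone and push traffic is served under the /scm/ path prefix (the prefix Bitbucket Server uses in its HTTPS clone URLs), and hypothetical host names and certificate paths. It does not make Bitbucket require a PAT; it removes git over HTTPS from the internet-facing name so that the only way in from the outside is the SAML-protected web UI, while the internal name still serves git over HTTPS.

```nginx
# Internet-facing vhost: browser traffic only (hypothetical name and cert paths).
server {
    listen 443 ssl;
    server_name bitbucket.example.com;
    ssl_certificate     /etc/nginx/tls/public.crt;
    ssl_certificate_key /etc/nginx/tls/public.key;

    # Git smart-HTTP is served under /scm/ on Bitbucket Server (assumed here).
    # Refuse it on the public name so password-based basic auth from the git
    # CLI cannot be used from the internet at all.
    location ^~ /scm/ {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:7990;           # assumed Bitbucket bind address
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# Internal vhost: browser traffic and git over HTTPS (hypothetical name and cert paths).
server {
    listen 443 ssl;
    server_name bitbucket.internal.example.com;
    ssl_certificate     /etc/nginx/tls/internal.crt;
    ssl_certificate_key /etc/nginx/tls/internal.key;

    client_max_body_size 0;     # git pushes can be large; do not cap the request body
    proxy_read_timeout   300s;  # large clones and pushes take time

    location / {
        proxy_pass http://127.0.0.1:7990;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two caveats. First, this blocks git over HTTPS on the public name rather than forcing PAT use; a user who obtains a PAT still cannot clone from the internet. Second, /rest/ cannot be treated the same way because the web UI itself calls the REST API, so basic auth against the REST API on the public name remains possible; only clone and push traffic is removed.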