Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Creating a PR via API REST using App passwords - 401 Unauthorized error

Bernardo García
Bernardo García May 24, 2023

I want to create a PR from  curl command by sending a `POST` request to the `https://api.bitbucket.org/2.0/repositories/my-workspace/my-repository/pullrequests` endpoint

https://developer.atlassian.com/cloud/bitbucket/rest/api-group-pullrequests/#api-repositories-workspace-repo-slug-pullrequests-post

My pipeline step where the curl command is executed is:

- step:
    name: Create a PR 
    script:
      # Checkout and update the release branch
      - git checkout $BITBUCKET_BRANCH
      - git pull origin $BITBUCKET_BRANCH


      # Create a pull request via Bitbucket's REST API
      - >
        curl -v -X POST -u "$BITBUCKET_PR_APP_USERNAME:$BITBUCKET_PR_APP_PASSWORD"
        --header 'Content-Type: application/json'
        --header 'Accept: application/json'
        https://api.bitbucket.org/2.0/repositories/energyworx/ewx-intelligence/pullrequests
        --data '{
          "title": "PR",
          "source": {
            "branch": {
              "name": "'"${BITBUCKET_BRANCH}"'"
            }
          },
          "destination": {
            "branch": {
              "name": "develop"
            }
          }
        }'

For this, I've created a bitbucket app password giving the following permissions:

Untitled.png
 

And I have as a pipelines repository variables:
`BITBUCKET_PR_APP_USERNAME=create-pr`

`BITBUCKET_PR_APP_PASSWORD=<password-value>`

However I've been seeing when executing the curl command I got 401 error

THis is the verbosity output of the curl command

```

< HTTP/2 401
80
< server: envoy
81
* Authentication problem. Ignoring this.
82
< www-authenticate: Basic realm="Bitbucket.org HTTP"
83
< vary: Origin
84
< cache-control: max-age=0, no-cache, no-store, must-revalidate
85
< content-type: text/plain
86
< x-b3-traceid: def6c2c311ea3b29
87
< x-usage-output-ops: 0
88
< x-used-mesh: None
89
< x-dc-location: Micros-3
90
< strict-transport-security: max-age=31536000; includeSubDomains; preload
91
< date: Wed, 24 May 2023 10:37:47 GMT
92
< x-request-id: def6c2c311ea3b29
93
< x-usage-user-time: 0.014742
94
< x-usage-system-time: 0.000426
95
< x-served-by: 872230c0fe40
96
< expires: Wed, 24 May 2023 10:37:47 GMT
97
< x-xss-protection: 1; mode=block
98
< x-envoy-upstream-service-time: 24
99
< x-static-version: 9999a04deee1
100
< x-content-type-options: nosniff
101
< x-render-time: 0.013472795486450195
102
< x-trace-id: def6c2c311ea3b29
103
< x-usage-input-ops: 0
104
< x-frame-options: SAMEORIGIN
105
< x-version: 9999a04deee1
106
< x-request-count: 2670
107
< content-length: 0
108
<
109
{ [0 bytes data]
```

However when I use an oauth2 consumer with pull request write permissions and I create a token and I use that token as a bearer token in the header authorization to execute the above curl pull request command creation, I can create the PR, and everything goes well.  

Why using an app password account with write pull request permissions did not create the PR and the Oauth consumer did it?

Answer
Watch
Like Be the first to like this
492 views

1 answer

1 accepted

1 vote
Answer accepted
Patrik S
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 25, 2023

Hey @Bernardo García , and thank you for reaching out to Community!

From the app password creation screenshot you have shared, you gave the app password a label named create-pr. The label of an app password is just a way so you can remember its purpose or describe what permissions it was configured to. However, the label itself will not be used in the authentication. 

When using basic authentication for API calls, you will need to provide the following data as your credentials :

  • username : your bitbucket account username, which you can find under your account's personal settings
  • AppPassword : an app password created under your account with the required scopes of the endpoint you are doing the request.

So in this case, you will need to update the value of the pipelines environment variable BITBUCKET_PR_APP_USERNAME to be your bitbucket account username, instead of the app password label. Once the variable is updated, you can trigger your pipeline again and check if the request was successful.

Hope that helps! Let me know in case you have any questions.

Thank you, @Bernardo García !
Patrik S

View More Comments
Bernardo García
Bernardo García May 30, 2023

@Patrik S 

Thanks so much for your clarification, it was a silly confusion from my side.

I was doing this to make it work before:

- >
  ACCESS_TOKEN=$(curl -X POST -u "$oauth_client_id:$oauth_client_secret" \
      https://bitbucket.org/site/oauth2/access_token \
      -d grant_type=client_credentials | jq -r '.access_token')

  SOURCE_PAYLOAD=$(jq -n \
    --arg bb_branch "$BITBUCKET_BRANCH" \
    --arg commit_hash "$COMMIT_HASH" \
    '{ "branch": { "name": $bb_branch }, "commit": { "hash": $commit_hash } }')

  REVIEWERS_PAYLOAD=$(jq -n \
    --arg uuid1 "$PR_REVIEWER_USER_UUID_1" \
    --arg uuid2 "$PR_REVIEWER_USER_UUID_2" \
    '[{ "uuid": $uuid1 }, { "uuid": $uuid2 }]')

  curl -X POST -H "Authorization: Bearer $ACCESS_TOKEN" \
      --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      https://api.bitbucket.org/2.0/repositories/<workspace>/<my-repo>/pullrequests \
      --data-binary "$(echo -e '{
    "title": "Merge release branch onto develop",
    "description": "This Pull Request, generated by the release pipeline,",
    "close_source_branch": false,
    "source": '"$SOURCE_PAYLOAD"',
    "destination": {
      "branch": {
        "name": "develop"
      }
    },
    "reviewers": '"$REVIEWERS_PAYLOAD"'
  }')"



On the other hand, using bitbucket app password approach is better than using an oauth consumer credentials on my pipeline to create an access token for the culr request right?

Like
Patrik S
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 30, 2023

Hello @Bernardo García ,

You're very welcome! 

I would say basic authentication with username:AppPassword is simpler to implement as you don't need an extra API call to get the token, but both ways you have implemented it - app password or Oauth consumer - are valid ways for authenticating the request, so at the end it's up to your preference on which approach to use.

Thank you, @Bernardo García !

Patrik S

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events