Bitbucket API v2 /repositories/{username}/{repo_slug}/ permissions problem

Hi

I have both Bitbucket API v1 and v2 working with plain curl commands, but I run into a user configuration problem.

  • The user I am using has read permissions on the repo
  • the repo is set to private
  • and the oauth consumer has the scope repository.

With API v2

I am getting my access token (using password grant type)

curl -s -X POST -d 'grant_type=password&username=__USERNAME__&password=__PASSWORD__' --user '__USERID__:__KEY__' https://bitbucket.org/site/oauth2/access_token | jq --raw-output .access_token

I can use this token in other API calls, that return 200 and data. So I have managed to make authentication work.

curl -s -H "Authorization: bearer `curl -s -X POST -d 'grant_type=password&username=__USERNAME__&password=__PASSWORD__' --user '__USERID__:__KEY__' https://bitbucket.org/site/oauth2/access_token | jq --raw-output .access_token`" https://api.bitbucket.org/2.0/repositories/__TEAM__/ | jq .



{
"next": "https://api.bitbucket.org/2.0/repositories/__TEAM__/?page=2",
"page": 1,
"values": [
{
"description": "",
"is_private": false,


...

However when I try the same on /repositories/{username}/{repo_slug}/commits/master it fails with 401

curl -s -H "Authorization: bearer `curl -s -X POST -d 'grant_type=password&username=__USERNAME__&password=__PASSWORD__' --user '__USERID__:__KEY__' https://bitbucket.org/site/oauth2/access_token | jq --raw-output .access_token`" https://api.bitbucket.org/2.0/repositories/__TEAM__/__REPO__/commits/master | jq .

So I am wondering what could I be doing wrong here? The only thing I can think of is a configuration on the bitbucket's repo or user, but I am unclear on how to proceed.

 

With API v1

Accessing the commits with v1 works fine (so I guess permissions are ok?)

curl -s --user __USERID__:__KEY__ "https://api.bitbucket.org/1.0/repositories/__TEAM__/__REPO__/changesets/?limit=1" | jq --raw-output .

but I cannot filter the commits per branch, which makes it very hard to look for a specific branch.

1 answer

1 accepted

1 votes

Hi,

Your test of the 2.0 endpoint (using /2.0/repositories/__TEAM__/) is a little deceiving. That endpoint doesn't require authentication at all. If it's called without authentication, or with invalid credentials, it will return public repositories.

In your case, the fix should be simple. The "Bearer" in the Authorization header is case sensitive. Change it from "bearer" to "Bearer" and it will likely work.

All of that said, depending on what you're after, that isn't necessarily required. We have no plans to stop supporting Basic auth for the endpoints. The Basic auth you're using on the v1 api will work fine on a v2 api, and the oauth2 credentials will work on the v1 api. If you're writing a script that has access to your username and password anyway, and have no need to use OAuth for any other reason, feel free to keep using basic auth. It will fail if you use 2FA on your account, but that's true of both Basic auth and the password flow for OAuth2 on Bitbucket.

Indeed, the case-sensitive header authentication problem was masked by a bad test!
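Added example, not part of the thread and not Atlassian's code: the answer's point that a 200 from an endpoint that also answers unauthenticated callers proves nothing, written as a negative-control check. The function names and the placeholder bogus token are assumptions made for this example; the header uses the "Bearer" spelling the answer recommends.

```shell
#!/bin/sh
# Negative-control check for an API auth test (added example).
# A 200 only shows the token was honoured if the same request made
# WITHOUT valid credentials is refused.

# http_status URL [HEADER] -> prints the HTTP status code of a GET request.
# curl prints 000 when no HTTP response was received.
http_status() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -H "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# classify_auth_test NOAUTH BOGUS REAL -> prints a verdict.
#   NOAUTH: status with no Authorization header
#   BOGUS:  status with a deliberately invalid token
#   REAL:   status with the token under test
classify_auth_test() {
    case "$3" in
        2??) ;;                                # token got data, check the controls
        401|403) echo "rejected"; return 0 ;;  # token or header was not accepted
        *) echo "error"; return 0 ;;           # network failure, 404, 5xx, ...
    esac
    # If either control also succeeds, the endpoint serves callers without
    # valid credentials, so the 200 says nothing about the token.
    case "$1" in 2??) echo "inconclusive"; return 0 ;; esac
    case "$2" in 2??) echo "inconclusive"; return 0 ;; esac
    echo "authenticated"
}

# check_endpoint URL TOKEN -> runs the three probes and prints the verdict;
# exit status is 0 only when the test really demonstrates authentication.
check_endpoint() {
    ce_noauth=$(http_status "$1")
    ce_bogus=$(http_status "$1" "Authorization: Bearer invalid-token-for-negative-control")
    ce_real=$(http_status "$1" "Authorization: Bearer $2")
    ce_verdict=$(classify_auth_test "$ce_noauth" "$ce_bogus" "$ce_real")
    echo "$1: noauth=$ce_noauth bogus=$ce_bogus real=$ce_real -> $ce_verdict"
    [ "$ce_verdict" = "authenticated" ]
}
```

Call it as check_endpoint URL "$TOKEN" with the access token obtained as in the question. Going by the answer's description, the /2.0/repositories/__TEAM__/ listing would come back "inconclusive", which is why it was a misleading test.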
